agenttesla | 59a8996eecd3446be4d9d67ac5adaaae32c80eb7096a2f24280dc6bf7922bfe8

Analysis

max time kernel
342s
max time network
313s
platform
windows10-2004_x64
resource
win10v2004-20240802-de
resource tags

arch:x64arch:x86image:win10v2004-20240802-delocale:de-deos:windows10-2004-x64systemwindows
submitted
12-09-2024 15:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Invoice N74561.exe
Size

1.2MB
MD5

a9c63220335a413f3968e2383ccec56b
SHA1

a182bff10f22a7d04d7da5e03f4c99768b436176
SHA256

59a8996eecd3446be4d9d67ac5adaaae32c80eb7096a2f24280dc6bf7922bfe8
SHA512

bd6e361329af62e681b4ab0d6a2569a76a329d37a32036609e5f7311128e1e29a5009988067b14aff126231b46802c55025f4d5903edb4ee4852525b35b845c3
SSDEEP

24576:kqDEvCTbMWu7rQYlBQcBiT6rprG8aDZ+B1blRPQ:kTvC/MTQYxsWR7aDU

Score

10^/10

agenttesla collection credential_access discovery keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

https://api.telegram.org/bot1749457201:AAGWIY2QPzrHZIumAIUsWjyRAEWcJrauccY/sendDocument

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral2/memory/1600-17-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	RegSvcs.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zword.vbs	zword.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\zword.vbs	taskmgr.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\zword.vbs	taskmgr.exe

Executes dropped EXE 1 IoCs

pid	Process
4108	zword.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0002000000022f9b-8.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4108 set thread context of 1600	4108	zword.exe	88

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Invoice N74561.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zword.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2412658365-3084825385-3340777666-1000\{77EA2700-6F52-409C-9CDE-DCF10451FBA6}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1600	RegSvcs.exe
1600	RegSvcs.exe
1032	msedge.exe
1032	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
1600	RegSvcs.exe
1600	RegSvcs.exe
1600	RegSvcs.exe
1600	RegSvcs.exe
1600	RegSvcs.exe
1600	RegSvcs.exe
1600	RegSvcs.exe
1600	RegSvcs.exe
3436	identity_helper.exe
3436	identity_helper.exe
4616	msedge.exe
4616	msedge.exe
1600	RegSvcs.exe
1600	RegSvcs.exe
1600	RegSvcs.exe
1600	RegSvcs.exe
1600	RegSvcs.exe
1600	RegSvcs.exe
1600	RegSvcs.exe
1600	RegSvcs.exe
1600	RegSvcs.exe
1600	RegSvcs.exe
1600	RegSvcs.exe
1600	RegSvcs.exe
1600	RegSvcs.exe
1600	RegSvcs.exe
1600	RegSvcs.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
1600	RegSvcs.exe
5812	taskmgr.exe
2860	taskmgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4108	zword.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	1600	RegSvcs.exe
Token: SeDebugPrivilege	5812	taskmgr.exe
Token: SeSystemProfilePrivilege	5812	taskmgr.exe
Token: SeCreateGlobalPrivilege	5812	taskmgr.exe
Token: 33	5812	taskmgr.exe
Token: SeIncBasePriorityPrivilege	5812	taskmgr.exe
Token: SeDebugPrivilege	2860	taskmgr.exe
Token: SeSystemProfilePrivilege	2860	taskmgr.exe
Token: SeCreateGlobalPrivilege	2860	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1416	Invoice N74561.exe
1416	Invoice N74561.exe
4108	zword.exe
4108	zword.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1416	Invoice N74561.exe
1416	Invoice N74561.exe
4108	zword.exe
4108	zword.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe
5812	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1600	RegSvcs.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 4108	1416	Invoice N74561.exe	86
PID 1416 wrote to memory of 4108	1416	Invoice N74561.exe	86
PID 1416 wrote to memory of 4108	1416	Invoice N74561.exe	86
PID 4108 wrote to memory of 1600	4108	zword.exe	88
PID 4108 wrote to memory of 1600	4108	zword.exe	88
PID 4108 wrote to memory of 1600	4108	zword.exe	88
PID 4108 wrote to memory of 1600	4108	zword.exe	88
PID 432 wrote to memory of 3392	432	msedge.exe	106
PID 432 wrote to memory of 3392	432	msedge.exe	106
PID 432 wrote to memory of 5088	432	msedge.exe	107
PID 432 wrote to memory of 5088	432	msedge.exe	107
PID 432 wrote to memory of 5088	432	msedge.exe	107
PID 432 wrote to memory of 5088	432	msedge.exe	107
PID 432 wrote to memory of 5088	432	msedge.exe	107
PID 432 wrote to memory of 5088	432	msedge.exe	107
PID 432 wrote to memory of 5088	432	msedge.exe	107
PID 432 wrote to memory of 5088	432	msedge.exe	107
PID 432 wrote to memory of 5088	432	msedge.exe	107
PID 432 wrote to memory of 5088	432	msedge.exe	107
PID 432 wrote to memory of 5088	432	msedge.exe	107
PID 432 wrote to memory of 5088	432	msedge.exe	107
PID 432 wrote to memory of 5088	432	msedge.exe	107
PID 432 wrote to memory of 5088	432	msedge.exe	107
PID 432 wrote to memory of 5088	432	msedge.exe	107
PID 432 wrote to memory of 5088	432	msedge.exe	107
PID 432 wrote to memory of 5088	432	msedge.exe	107
PID 432 wrote to memory of 5088	432	msedge.exe	107
PID 432 wrote to memory of 5088	432	msedge.exe	107
PID 432 wrote to memory of 5088	432	msedge.exe	107
PID 432 wrote to memory of 5088	432	msedge.exe	107
PID 432 wrote to memory of 5088	432	msedge.exe	107
PID 432 wrote to memory of 5088	432	msedge.exe	107
PID 432 wrote to memory of 5088	432	msedge.exe	107
PID 432 wrote to memory of 5088	432	msedge.exe	107
PID 432 wrote to memory of 5088	432	msedge.exe	107
PID 432 wrote to memory of 5088	432	msedge.exe	107
PID 432 wrote to memory of 5088	432	msedge.exe	107
PID 432 wrote to memory of 5088	432	msedge.exe	107
PID 432 wrote to memory of 5088	432	msedge.exe	107
PID 432 wrote to memory of 5088	432	msedge.exe	107
PID 432 wrote to memory of 5088	432	msedge.exe	107
PID 432 wrote to memory of 5088	432	msedge.exe	107
PID 432 wrote to memory of 5088	432	msedge.exe	107
PID 432 wrote to memory of 5088	432	msedge.exe	107
PID 432 wrote to memory of 5088	432	msedge.exe	107
PID 432 wrote to memory of 5088	432	msedge.exe	107
PID 432 wrote to memory of 5088	432	msedge.exe	107
PID 432 wrote to memory of 5088	432	msedge.exe	107
PID 432 wrote to memory of 5088	432	msedge.exe	107
PID 432 wrote to memory of 1032	432	msedge.exe	108
PID 432 wrote to memory of 1032	432	msedge.exe	108
PID 432 wrote to memory of 4252	432	msedge.exe	109
PID 432 wrote to memory of 4252	432	msedge.exe	109
PID 432 wrote to memory of 4252	432	msedge.exe	109
PID 432 wrote to memory of 4252	432	msedge.exe	109
PID 432 wrote to memory of 4252	432	msedge.exe	109
PID 432 wrote to memory of 4252	432	msedge.exe	109
PID 432 wrote to memory of 4252	432	msedge.exe	109
PID 432 wrote to memory of 4252	432	msedge.exe	109
PID 432 wrote to memory of 4252	432	msedge.exe	109
PID 432 wrote to memory of 4252	432	msedge.exe	109
PID 432 wrote to memory of 4252	432	msedge.exe	109
PID 432 wrote to memory of 4252	432	msedge.exe	109
PID 432 wrote to memory of 4252	432	msedge.exe	109

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\Invoice N74561.exe
"C:\Users\Admin\AppData\Local\Temp\Invoice N74561.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Users\Admin\AppData\Local\zFinish\zword.exe
  "C:\Users\Admin\AppData\Local\Temp\Invoice N74561.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4108
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\Invoice N74561.exe"
    3⤵
    - Drops file in Drivers directory
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
    PID:1600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8fe3046f8,0x7ff8fe304708,0x7ff8fe304718
  2⤵
  PID:3392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,4304612687535807344,17873932620819153835,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,4304612687535807344,17873932620819153835,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=2336 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,4304612687535807344,17873932620819153835,131072 --lang=de --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
  2⤵
  PID:4252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4304612687535807344,17873932620819153835,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4304612687535807344,17873932620819153835,131072 --lang=de --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:4480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4304612687535807344,17873932620819153835,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:1
  2⤵
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4304612687535807344,17873932620819153835,131072 --lang=de --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,4304612687535807344,17873932620819153835,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:8
  2⤵
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,4304612687535807344,17873932620819153835,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4304612687535807344,17873932620819153835,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:2552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4304612687535807344,17873932620819153835,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:3612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2080,4304612687535807344,17873932620819153835,131072 --lang=de --service-sandbox-type=audio --mojo-platform-channel-handle=4180 /prefetch:8
  2⤵
  PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2080,4304612687535807344,17873932620819153835,131072 --lang=de --service-sandbox-type=video_capture --mojo-platform-channel-handle=3404 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4304612687535807344,17873932620819153835,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:1804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4304612687535807344,17873932620819153835,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4200 /prefetch:1
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4304612687535807344,17873932620819153835,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4304612687535807344,17873932620819153835,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
  2⤵
  PID:4264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4304612687535807344,17873932620819153835,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
  2⤵
  PID:5292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4304612687535807344,17873932620819153835,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
  2⤵
  PID:5380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4304612687535807344,17873932620819153835,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
  2⤵
  PID:5932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4304612687535807344,17873932620819153835,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
  2⤵
  PID:6060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4304612687535807344,17873932620819153835,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
  2⤵
  PID:5200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4304612687535807344,17873932620819153835,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6336 /prefetch:1
  2⤵
  PID:5188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4304612687535807344,17873932620819153835,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
  2⤵
  PID:5180

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4388

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2304

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1128

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Drops startup file
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5812

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Drops startup file
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2783c40400a8912a79cfd383da731086

SHA1
001a131fe399c30973089e18358818090ca81789

SHA256
331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5

SHA512
b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ff63763eedb406987ced076e36ec9acf

SHA1
16365aa97cd1a115412f8ae436d5d4e9be5f7b5d

SHA256
8f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c

SHA512
ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002e

Filesize
64KB

MD5
c86e1b32988ffbc37474c5ea5457a62e

SHA1
3b337c4d43ff0b4ff79f9bbcecff8143839c6cfe

SHA256
d94398ba2ed0b438809ec4203c64c002b4a0d960fbd34ab144b78fe7a49323fd

SHA512
58ac67c26bca36a29799d49ed95980a15b1e279282e425ce13620cbe93a8cff74e1c520b896f8e9545a6b7eb8266394547949d88ad96bcf2a879da65521e7f16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
cae4c166c9925439bcaa234111a39065

SHA1
a909a8861e1125d6ba4aa96a2cd6ffe01b3728b7

SHA256
ee337bc1feac8acc65182ca999def051ae987ac20b8937285d295a662f16c4a5

SHA512
2b96038d68c99e8f53e05b6b7f9bb9a2f3c7fe4decffab2696416e10f4cbc5c3acfab2a5d836571dafa79ef0556f6a15d4dd0a7f18fd3ffb2fcdf14caa46f0f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
8KB

MD5
a1a4d0cb89afd0931ac3728d8b9eb1a5

SHA1
414911289a1ddf7bacbb43ace33917a5e42ab6a8

SHA256
ef6c87f809e8ded3f4b683a9d8e421ddac4bbcd8e1279c1d508269fc5a1846ef

SHA512
a16ef948f298c78da8f8cd219fef271ec7e7f759a2e8abc1eb45db8ab0871ed47b1841dab96578cab97004967397efed5c3e326f1e408cd4d145e2661b553717

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e0f578a520506b09ed9ab13643af3144

SHA1
7141b5bdb26b52f9ba6c04a5da39d99266931316

SHA256
c624b6888a1da94a3dfec778c18142f862a5c5af95e733a6db1b03e7b4ba0b3a

SHA512
c684d033bcd2dac3cdd6d7759974d05626c15ff5ec44c054864da6f8564a23d0c4c59aacf21252f23aa8a6a4f4a43e3be753c8c3e5064cad298c329381c6c85f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e772ae9e39862fe7112b94ab9b0a7f1c

SHA1
3f5f0b58e4021fb7922a444b777a50a0acb221ba

SHA256
6c227af3f193714c1f0ebe65d6e4eaf4499a04972327a75dbc306e0d7c7bf637

SHA512
0ad6cfcce5e7dcbd6218176631a6dc24c8faf5821b9c08ce4ae33ee4f158e7528ead912a1cad41f82e89534e9661d57af6d1beb8d48dbbc673f5d960a142f87b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
c04d77634519f3f1dce82cf9c154c886

SHA1
9bd519d129a0fe58b00b645b4db088d40f21479e

SHA256
18948dc3662195388ff749ad3c994854fa39301b7c2301fb668d76e7ebb6b09c

SHA512
14d0da8c76e7199ecbe76036aae111329d95799af98b98faa2edf5193b67d2d882c4ca3336cdd8a9de492ac1716e70189ea51685bb8e6a48a6a0c04380d8babc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
939a9d2779fcd87ffeba534d493ff787

SHA1
665fc499c8665ac6568f8418eb58443701fe7699

SHA256
47ee753aa12d2fae730b6c5e1c1f8c321b48f29cc9efea4b9c17990c9b9b91dd

SHA512
18856b8aa846163deacfd48de3fed747f2fb15409129feb0c287aae2634cabea13d3d95b6d6d23511d4df4ff32a087fdf4a24da1245ef809aac2f8518845b4dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59a6b6.TMP

Filesize
1KB

MD5
202c103078bb3c4e51c0b16224bf2a09

SHA1
c5ca21c804b9fcb960381bb0b3b77f2e08c387b1

SHA256
90de54de4efa40e08a3b40044e0e69e27b8d56657385921e349973e70b4537bd

SHA512
42c85568a3d0ae731689dbb2942c02959055eab50fe99e7ffd57a714cf81cb64c160bdf2b6efec031adf6a0f31915e5c3af1d64cd531e075cc5c3f027893c37b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
05eb3c3912fe08c732c28b7600e30649

SHA1
0de2442925e6cc2767091ed34f84390b9957f851

SHA256
4cf57e8d81cab29484a4064d41d5ee723cd05e839ba8696fbb5a9728091cc3c2

SHA512
c5e6e09971eb8fbd087e4da1a97929030b8fbf07bf344f407100e74ed3818ac2f835c190c2d235582f83f74977c78db2d1dd73c8fd13450019e58e8d33101380

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
958eb1477329f8c00463ed5916137294

SHA1
a1ef8f633c09cce3831174ce3f7af7ad996237f2

SHA256
b2f75c9783bc92e251afe9f980d1f15e98bfda1e61d926a9b16df41344126cea

SHA512
400025ff440793e35319b75ec6aa4f84e11265af6a3daec88cb1f3286e6f67c34cf04739d283bbecaa0ca7869ed976de9bb4328d32a77339d10ae293fbdbec40

Download Submit
C:\Users\Admin\AppData\Local\zFinish\zword.exe

Filesize
1.2MB

MD5
a9c63220335a413f3968e2383ccec56b

SHA1
a182bff10f22a7d04d7da5e03f4c99768b436176

SHA256
59a8996eecd3446be4d9d67ac5adaaae32c80eb7096a2f24280dc6bf7922bfe8

SHA512
bd6e361329af62e681b4ab0d6a2569a76a329d37a32036609e5f7311128e1e29a5009988067b14aff126231b46802c55025f4d5903edb4ee4852525b35b845c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zword.vbs

Filesize
266B

MD5
1bc56b8736fc98de6abdc61f6c09340f

SHA1
9de16c321a61a26b862791ad50db2d1cbeece519

SHA256
f65c5d30d06efd6b58cfdeb5718afa1eea92c18af2049ccf3eb22ab1a1af29a8

SHA512
31844b54b9734a8c558f8279d45b67ef9972d08bfcb19c4883df974660b584baae95e4ff17b06e3cb04a09cab3a830076649bd05cfc077737cca84039e6f671e

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
e8767bd98f93b293a16ca649c05a0dee

SHA1
36a9ac6d0abee9549b696930458d85338593f53e

SHA256
e22f7f578243983e5af9e705c90824156fa5e18c0506ab297893185cd7b05d01

SHA512
0098a78310b3469833e638dcde7ac638f41dc7f5ea9871c08868b5735edfc432d78babb342b53204a5005fd06b3fcb854cff97aca467c2d4c9d669776b62ece7

Download Submit
memory/1416-5-0x00000000016D0000-0x00000000016D4000-memory.dmp

Filesize
16KB

Download
memory/1600-28-0x00000000014B0000-0x00000000014F2000-memory.dmp

Filesize
264KB

Download
memory/1600-19-0x0000000005C20000-0x00000000061C4000-memory.dmp

Filesize
5.6MB

Download
memory/1600-31-0x0000000006A70000-0x0000000006AC0000-memory.dmp

Filesize
320KB

Download
memory/1600-30-0x0000000001480000-0x0000000001492000-memory.dmp

Filesize
72KB

Download
memory/1600-29-0x00000000068C0000-0x00000000069C4000-memory.dmp

Filesize
1.0MB

Download
memory/1600-26-0x0000000074E60000-0x0000000075610000-memory.dmp

Filesize
7.7MB

Download
memory/1600-25-0x0000000074E6E000-0x0000000074E6F000-memory.dmp

Filesize
4KB

Download
memory/1600-24-0x0000000006640000-0x00000000066A6000-memory.dmp

Filesize
408KB

Download
memory/1600-23-0x0000000005B40000-0x0000000005B58000-memory.dmp

Filesize
96KB

Download
memory/1600-22-0x0000000074E60000-0x0000000075610000-memory.dmp

Filesize
7.7MB

Download
memory/1600-21-0x00000000058A0000-0x000000000593C000-memory.dmp

Filesize
624KB

Download
memory/1600-17-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1600-18-0x0000000074E6E000-0x0000000074E6F000-memory.dmp

Filesize
4KB

Download
memory/1600-32-0x0000000005890000-0x000000000589A000-memory.dmp

Filesize
40KB

Download
memory/1600-20-0x0000000005670000-0x0000000005702000-memory.dmp

Filesize
584KB

Download
memory/2860-552-0x000002DC7CA40000-0x000002DC7CA41000-memory.dmp

Filesize
4KB

Download
memory/2860-560-0x000002DC7CA40000-0x000002DC7CA41000-memory.dmp

Filesize
4KB

Download
memory/2860-561-0x000002DC7CA40000-0x000002DC7CA41000-memory.dmp

Filesize
4KB

Download
memory/2860-562-0x000002DC7CA40000-0x000002DC7CA41000-memory.dmp

Filesize
4KB

Download
memory/2860-563-0x000002DC7CA40000-0x000002DC7CA41000-memory.dmp

Filesize
4KB

Download
memory/2860-564-0x000002DC7CA40000-0x000002DC7CA41000-memory.dmp

Filesize
4KB

Download
memory/2860-559-0x000002DC7CA40000-0x000002DC7CA41000-memory.dmp

Filesize
4KB

Download
memory/2860-553-0x000002DC7CA40000-0x000002DC7CA41000-memory.dmp

Filesize
4KB

Download
memory/2860-554-0x000002DC7CA40000-0x000002DC7CA41000-memory.dmp

Filesize
4KB

Download
memory/5812-545-0x000001FEB3080000-0x000001FEB3081000-memory.dmp

Filesize
4KB

Download
memory/5812-539-0x000001FEB3080000-0x000001FEB3081000-memory.dmp

Filesize
4KB

Download
memory/5812-540-0x000001FEB3080000-0x000001FEB3081000-memory.dmp

Filesize
4KB

Download
memory/5812-538-0x000001FEB3080000-0x000001FEB3081000-memory.dmp

Filesize
4KB

Download
memory/5812-550-0x000001FEB3080000-0x000001FEB3081000-memory.dmp

Filesize
4KB

Download
memory/5812-544-0x000001FEB3080000-0x000001FEB3081000-memory.dmp

Filesize
4KB

Download
memory/5812-549-0x000001FEB3080000-0x000001FEB3081000-memory.dmp

Filesize
4KB

Download
memory/5812-546-0x000001FEB3080000-0x000001FEB3081000-memory.dmp

Filesize
4KB

Download
memory/5812-547-0x000001FEB3080000-0x000001FEB3081000-memory.dmp

Filesize
4KB

Download
memory/5812-548-0x000001FEB3080000-0x000001FEB3081000-memory.dmp

Filesize
4KB

Download