b55628770517145bc846b092889e6d96d8bc7c82c5e3704d53ee693101bfe510

Analysis

max time kernel
126s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2024 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b55628770517145bc846b092889e6d96d8bc7c82c5e3704d53ee693101bfe510.exe
Size

2.1MB
MD5

7846bac09fcd1f8aa00a0f2158f2f2b0
SHA1

3ecb42a880c4afba0bfc7c903bdfde9699b1c848
SHA256

b55628770517145bc846b092889e6d96d8bc7c82c5e3704d53ee693101bfe510
SHA512

9fff0c83e3e672573484cda242d5298350e647479a018bd4468242510267e561a0cd59346e5be75229e6e509eb409790627e48a7c8981d192e5d074052c97c5c
SSDEEP

49152:zvGF72mgjLUNUUU2xOqrA+GAxHX7n7V2WJxa0pDRoOw3AZEHtQMTf:zvICH8NM2MUf30WJwulZMA0mMTf

Score

10^/10

discovery evasion execution persistence spyware stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\comFontReview\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Users\\Default User\\msedge.exe\", \"C:\\Program Files\\Reference Assemblies\\SearchApp.exe\", \"C:\\Windows\\Cursors\\conhost.exe\""	HyperBlockserverdriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\comFontReview\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Users\\Default User\\msedge.exe\", \"C:\\Program Files\\Reference Assemblies\\SearchApp.exe\", \"C:\\Windows\\Cursors\\conhost.exe\", \"C:\\comFontReview\\HyperBlockserverdriver.exe\""	HyperBlockserverdriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\comFontReview\\msedge.exe\""	HyperBlockserverdriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\comFontReview\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\""	HyperBlockserverdriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\comFontReview\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Users\\Default User\\msedge.exe\""	HyperBlockserverdriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\comFontReview\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Users\\Default User\\msedge.exe\", \"C:\\Program Files\\Reference Assemblies\\SearchApp.exe\""	HyperBlockserverdriver.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	3216	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	3216	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3448	3216	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	3216	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	3216	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	3216	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	3216	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	3216	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	3216	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	3216	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3848	3216	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	3216	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	3216	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	3216	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	3216	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	3216	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	3216	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	3216	schtasks.exe	96

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1260	powershell.exe
1944	powershell.exe
4776	powershell.exe
4636	powershell.exe
692	powershell.exe
4920	powershell.exe

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	b55628770517145bc846b092889e6d96d8bc7c82c5e3704d53ee693101bfe510.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	Nova Macro.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	HyperBlockserverdriver.exe

Executes dropped EXE 4 IoCs

pid	Process
1924	Injector.exe
1212	Nova Macro.exe
4316	HyperBlockserverdriver.exe
3108	msedge.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\comFontReview\\msedge.exe\""	HyperBlockserverdriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Recovery\\WindowsRE\\msedge.exe\""	HyperBlockserverdriver.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Users\\Default User\\msedge.exe\""	HyperBlockserverdriver.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files\\Reference Assemblies\\SearchApp.exe\""	HyperBlockserverdriver.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HyperBlockserverdriver = "\"C:\\comFontReview\\HyperBlockserverdriver.exe\""	HyperBlockserverdriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\comFontReview\\msedge.exe\""	HyperBlockserverdriver.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Recovery\\WindowsRE\\msedge.exe\""	HyperBlockserverdriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Users\\Default User\\msedge.exe\""	HyperBlockserverdriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files\\Reference Assemblies\\SearchApp.exe\""	HyperBlockserverdriver.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\Cursors\\conhost.exe\""	HyperBlockserverdriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\Cursors\\conhost.exe\""	HyperBlockserverdriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HyperBlockserverdriver = "\"C:\\comFontReview\\HyperBlockserverdriver.exe\""	HyperBlockserverdriver.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCDD955293E495471F8EDBB1188854BC8.TMP	csc.exe
File created	\??\c:\Windows\System32\3uu4gi.exe	csc.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Reference Assemblies\SearchApp.exe	HyperBlockserverdriver.exe
File created	C:\Program Files\Reference Assemblies\38384e6a620884	HyperBlockserverdriver.exe
File created	\??\c:\Program Files (x86)\Microsoft\Edge\Application\CSC7ECA9E88E1F84881A5D74E888B47E96.TMP	csc.exe
File created	\??\c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	csc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Cursors\conhost.exe	HyperBlockserverdriver.exe
File opened for modification	C:\Windows\Cursors\conhost.exe	HyperBlockserverdriver.exe
File created	C:\Windows\Cursors\088424020bedd6	HyperBlockserverdriver.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b55628770517145bc846b092889e6d96d8bc7c82c5e3704d53ee693101bfe510.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nova Macro.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	Nova Macro.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	HyperBlockserverdriver.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3112	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4796	schtasks.exe
572	schtasks.exe
1544	schtasks.exe
2388	schtasks.exe
2096	schtasks.exe
2476	schtasks.exe
408	schtasks.exe
1844	schtasks.exe
1860	schtasks.exe
1740	schtasks.exe
5028	schtasks.exe
1916	schtasks.exe
4476	schtasks.exe
3448	schtasks.exe
2900	schtasks.exe
1636	schtasks.exe
2740	schtasks.exe
3848	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe
4316	HyperBlockserverdriver.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	1924	Injector.exe
Token: SeDebugPrivilege	4316	HyperBlockserverdriver.exe
Token: SeDebugPrivilege	1260	powershell.exe
Token: SeDebugPrivilege	4776	powershell.exe
Token: SeDebugPrivilege	4920	powershell.exe
Token: SeDebugPrivilege	4636	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	692	powershell.exe
Token: SeDebugPrivilege	3108	msedge.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 1924	4192	b55628770517145bc846b092889e6d96d8bc7c82c5e3704d53ee693101bfe510.exe	89
PID 4192 wrote to memory of 1924	4192	b55628770517145bc846b092889e6d96d8bc7c82c5e3704d53ee693101bfe510.exe	89
PID 4192 wrote to memory of 1212	4192	b55628770517145bc846b092889e6d96d8bc7c82c5e3704d53ee693101bfe510.exe	90
PID 4192 wrote to memory of 1212	4192	b55628770517145bc846b092889e6d96d8bc7c82c5e3704d53ee693101bfe510.exe	90
PID 4192 wrote to memory of 1212	4192	b55628770517145bc846b092889e6d96d8bc7c82c5e3704d53ee693101bfe510.exe	90
PID 1212 wrote to memory of 3204	1212	Nova Macro.exe	91
PID 1212 wrote to memory of 3204	1212	Nova Macro.exe	91
PID 1212 wrote to memory of 3204	1212	Nova Macro.exe	91
PID 3204 wrote to memory of 3248	3204	WScript.exe	100
PID 3204 wrote to memory of 3248	3204	WScript.exe	100
PID 3204 wrote to memory of 3248	3204	WScript.exe	100
PID 3248 wrote to memory of 3112	3248	cmd.exe	102
PID 3248 wrote to memory of 3112	3248	cmd.exe	102
PID 3248 wrote to memory of 3112	3248	cmd.exe	102
PID 3248 wrote to memory of 4316	3248	cmd.exe	103
PID 3248 wrote to memory of 4316	3248	cmd.exe	103
PID 4316 wrote to memory of 2116	4316	HyperBlockserverdriver.exe	107
PID 4316 wrote to memory of 2116	4316	HyperBlockserverdriver.exe	107
PID 2116 wrote to memory of 4720	2116	csc.exe	109
PID 2116 wrote to memory of 4720	2116	csc.exe	109
PID 4316 wrote to memory of 5084	4316	HyperBlockserverdriver.exe	110
PID 4316 wrote to memory of 5084	4316	HyperBlockserverdriver.exe	110
PID 5084 wrote to memory of 2316	5084	csc.exe	112
PID 5084 wrote to memory of 2316	5084	csc.exe	112
PID 4316 wrote to memory of 4636	4316	HyperBlockserverdriver.exe	128
PID 4316 wrote to memory of 4636	4316	HyperBlockserverdriver.exe	128
PID 4316 wrote to memory of 4776	4316	HyperBlockserverdriver.exe	129
PID 4316 wrote to memory of 4776	4316	HyperBlockserverdriver.exe	129
PID 4316 wrote to memory of 1944	4316	HyperBlockserverdriver.exe	130
PID 4316 wrote to memory of 1944	4316	HyperBlockserverdriver.exe	130
PID 4316 wrote to memory of 1260	4316	HyperBlockserverdriver.exe	131
PID 4316 wrote to memory of 1260	4316	HyperBlockserverdriver.exe	131
PID 4316 wrote to memory of 692	4316	HyperBlockserverdriver.exe	132
PID 4316 wrote to memory of 692	4316	HyperBlockserverdriver.exe	132
PID 4316 wrote to memory of 4920	4316	HyperBlockserverdriver.exe	136
PID 4316 wrote to memory of 4920	4316	HyperBlockserverdriver.exe	136
PID 4316 wrote to memory of 2944	4316	HyperBlockserverdriver.exe	140
PID 4316 wrote to memory of 2944	4316	HyperBlockserverdriver.exe	140
PID 2944 wrote to memory of 4548	2944	cmd.exe	142
PID 2944 wrote to memory of 4548	2944	cmd.exe	142
PID 2944 wrote to memory of 644	2944	cmd.exe	143
PID 2944 wrote to memory of 644	2944	cmd.exe	143
PID 2944 wrote to memory of 3108	2944	cmd.exe	144
PID 2944 wrote to memory of 3108	2944	cmd.exe	144

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b55628770517145bc846b092889e6d96d8bc7c82c5e3704d53ee693101bfe510.exe
"C:\Users\Admin\AppData\Local\Temp\b55628770517145bc846b092889e6d96d8bc7c82c5e3704d53ee693101bfe510.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Users\Admin\AppData\Local\Temp\Injector.exe
  "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1924
- C:\Users\Admin\AppData\Local\Temp\Nova Macro.exe
  "C:\Users\Admin\AppData\Local\Temp\Nova Macro.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1212
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\comFontReview\pDpwbgC2n534IANqb9lIDALTNScTRw1GBAFWj2ApKGvsZHWtLodVpG.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3204
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\comFontReview\iUOjS1Og3UipXS4E1ruQAsS9xlrCAkx7Mb2JhpVQwjLu4pYgOUiTjhny.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3248
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3112
    - - C:\comFontReview\HyperBlockserverdriver.exe
        
        "C:\comFontReview/HyperBlockserverdriver.exe"
        5⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4316
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hbscemfb\hbscemfb.cmdline"
        6⤵
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB5DE.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC7ECA9E88E1F84881A5D74E888B47E96.TMP"
        7⤵
        
        PID:4720
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\s2lw030w\s2lw030w.cmdline"
        6⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB64B.tmp" "c:\Windows\System32\CSCDD955293E495471F8EDBB1188854BC8.TMP"
        7⤵
        
        PID:2316
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\comFontReview\msedge.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4636
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\msedge.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4776
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\msedge.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\SearchApp.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1260
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:692
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\comFontReview\HyperBlockserverdriver.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4920
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dwQe39NaOn.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:4548
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:644
        
        C:\comFontReview\msedge.exe
        
        "C:\comFontReview\msedge.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3364,i,8293235976513689021,7261015831736501466,262144 --variations-seed-version --mojo-platform-channel-handle=4332 /prefetch:8
1⤵
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 7 /tr "'C:\comFontReview\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\comFontReview\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\comFontReview\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Users\Default User\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Windows\Cursors\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Cursors\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\Cursors\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "HyperBlockserverdriverH" /sc MINUTE /mo 9 /tr "'C:\comFontReview\HyperBlockserverdriver.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "HyperBlockserverdriver" /sc ONLOGON /tr "'C:\comFontReview\HyperBlockserverdriver.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "HyperBlockserverdriverH" /sc MINUTE /mo 13 /tr "'C:\comFontReview\HyperBlockserverdriver.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Temp\Injector.exe

Filesize
346KB

MD5
9cc81858e05c07ae20d6f1e7313c73ec

SHA1
91d66dfad4cf181203cc44ca21f1241d73b53b52

SHA256
5d68c9e6c7a0d2068dbec8c4cf17a290bb36c58558add86f1a81bd2c2b641197

SHA512
208e668d244c05cbf2cf2d3617aa18ab258b423ba612453b5ea993af606829398c8c8ff88fd7bcef0395dcb11497254570732b949a62b2098e443bcb6fb5b912

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nova Macro.exe

Filesize
2.1MB

MD5
ff8c730c1e0b87896e9a51a254146215

SHA1
2ec8ef4b9e2529eba0b721ffa86b45da68f1e016

SHA256
46b9b94f1c4df6d83f923100156b1f86ab2add026aaa4030cf6ee0dc70bcf40f

SHA512
bfee27faed1aba6b33ba40252a11d6da4ce4b51e13cac3ca58d7da66ca30d0bdac01217c447af64ab338b45fe374e266d574ca7be33aa992bd325e516cc15ace

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB5DE.tmp

Filesize
1KB

MD5
70312efa1f58c93482176be2193e5107

SHA1
887488afe2f363ba1deee58479c46222be853c0a

SHA256
04567dd666dcfa8324f7209b3d68085af765891ce8420b76243d99e1aa20745d

SHA512
a2be46c3d0361964ff9e94edfda85f6d3bebba183e5413a450b5f718502fb884b5ede0af3f4e1a6056ea5c6b99b432f5ed3cf0b02033c9f02fa7c33f7b2e7141

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB64B.tmp

Filesize
1KB

MD5
18beb4835203c4d302cb3b53eb81e1cf

SHA1
35c781b5881327469dc46b7d589055e5b91af3c1

SHA256
c0b4ece0b8122dfa15abdb0b422ee9a7e1dc09d4d747881f5325f4a353d0ad57

SHA512
4fd0e02d72641364d3a05fa4b0db7e4d010307254c9f4c5bcd24f265b123f4c4eb2abed1d989d6fb88e9146213c89ec51a507060525c70819acf377f5a10cea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3p1ww1d0.m51.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwQe39NaOn.bat

Filesize
203B

MD5
8e2e32725dda638ee8a6e4616fbf4f65

SHA1
4e394faedfd8866583e1ff3f636fb3f6124f5494

SHA256
059f0ad26d8a261c8509cfc546baa88033eda4eb49b338e3c08a3934a41feb8d

SHA512
65a11cff35bd6b1e5944627cfaab704032a541a47940edb14317cdc7ec3224acf0894ab947c04e4ee4eca906ae19e1f39a2785188ad4e6da2f54deab06485b18

Download Submit
C:\comFontReview\HyperBlockserverdriver.exe

Filesize
1.9MB

MD5
4b99d9a064c418dd14ced0903ecd8d50

SHA1
e9afe1e7bf7e6b4da889ae1eca38fa5aeb570b5b

SHA256
cce2af4db2859767ba5edc050f6778c6cb90da4c538bdd8254a49329bdf1c130

SHA512
f45141610e70eda82d588757000875ba2475f138e16433652b6c082b21c53a2b06fc5407e52453d3948ad9ea74bf185439c8f81e53f6e5821f9dc96d34eab5f4

Download Submit
C:\comFontReview\iUOjS1Og3UipXS4E1ruQAsS9xlrCAkx7Mb2JhpVQwjLu4pYgOUiTjhny.bat

Filesize
206B

MD5
18f0cf86410a6a1a3636765ac694fd11

SHA1
5d3d6ad05e884f1a89a7c9594eb7a1bdda528b76

SHA256
13fd3ef4d744e2dc48d109825a2c9c20202f312bfe91ea109878511a3056e2e2

SHA512
e2de3b7ff094cd887e62ec63df113145719c125c57bbffa2704e0f794e06580d859ae0a988af15d7aa224d1fcb8fcc64273b38b72c106c2d6c26e412484641af

Download Submit
C:\comFontReview\pDpwbgC2n534IANqb9lIDALTNScTRw1GBAFWj2ApKGvsZHWtLodVpG.vbe

Filesize
248B

MD5
86f80d9922a0bd0a56debc6660a43742

SHA1
78dd265b26ab0c6fba286a45f6a4e88e26f87324

SHA256
99412fe1b4aef78865c6a58f17ca45e1feb975a825a3692fadf7858960e67430

SHA512
ac590b74c6e302f35a814565bbd1f7513bc9cbaa18a0df8a316371e307eecfe27d55b36334a1434b64b4264f2ba0e4279d4480f458f04230ecdc1404fc87a82d

Download Submit
\??\c:\Program Files (x86)\Microsoft\Edge\Application\CSC7ECA9E88E1F84881A5D74E888B47E96.TMP

Filesize
1KB

MD5
b5189fb271be514bec128e0d0809c04e

SHA1
5dd625d27ed30fca234ec097ad66f6c13a7edcbe

SHA256
e1984ba1e3ff8b071f7a320a6f1f18e1d5f4f337d31dc30d5bdfb021df39060f

SHA512
f0fcb8f97279579beb59f58ea89527ee0d86a64c9de28300f14460bec6c32dda72f0e6466573b6654a1e992421d6fe81ae7cce50f27059f54cf9fdca6953602e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hbscemfb\hbscemfb.0.cs

Filesize
389B

MD5
6611feedfbcb93739eeb75e1b4d22f7a

SHA1
4c506f05b7ca6aa6e5d7e1d0eec97e8927488177

SHA256
f935b84f61a54e36d3425818fe485dd01249392ec7e7acbe3f5183c66bfc8848

SHA512
db836b854c7dcec8bdf5dcc9a5f1a2c65e17358d78191ca05762641b6b963f7986a8a1a7320970010668f64320b2fe096d5d0f871fa98199b4e8fe1220a43abc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hbscemfb\hbscemfb.cmdline

Filesize
265B

MD5
06c1f0107a71b3705a74662f9381974a

SHA1
1095321c546987ed6ff07d4254a1a54967d30469

SHA256
771954a68a8a5747a33507450e1ade2ee1b1b3942cc87dac82c10a0eccf0fda5

SHA512
c738fb148775ff3528cdf4653a0ff11540e926dd74e6f499c9d781b1baf22a8ff8fe31bb3f84afa12cff94e11214bcf4437a86d0f62fb39a8887b3e827df0a26

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s2lw030w\s2lw030w.0.cs

Filesize
359B

MD5
e963591415195d7cd43f374e420b6d7c

SHA1
d65f6255bf30a1ea132808681c6d76fd29d570fc

SHA256
a75688ff0808905e204b9db802944dd828c412a52fbb8bb37d0a1a37a741c21a

SHA512
8e444b82ff96a7649d2ab14d5069fba26454338b97c2ff3751c1d957b97b6d68112d9333e0559964508df71e582a526269f779531ac6ea2371c9e1abe272957f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s2lw030w\s2lw030w.cmdline

Filesize
235B

MD5
a1cbf8d46e38eb7f45aa4594114ea673

SHA1
c3558ddf29e62300280b8231d3f675ebc534148d

SHA256
1bf70076f77030a3f4f8c859e88d18ca3a8090558d8375467d832f9edb926127

SHA512
4ff0c506d42d3d6fd74af81afb01dd29478e9f4b693dc9ca6ba068d3d5373adda1fa946689bb9fe73b349ccde9c0a4e5fc75bc242dbe3bc09c4407fd41ea5228

Download Submit
\??\c:\Windows\System32\CSCDD955293E495471F8EDBB1188854BC8.TMP

Filesize
1KB

MD5
defac805d7edc8907512384855c67e24

SHA1
b0b59b7f5f6b872236a383a2381fbdcc7b2b630e

SHA256
57cf2da2350701d9232969935334b4bbda42f10945aac7757c951108e0bd24fc

SHA512
5dcbdf30678b41c0916b0cf60575ea0029a0acb3ebf2f3a38019d2ce83619a007cc75c8109395d33e1c083cb10a92dc9e94b2b6208526051c0e563448eb10b1f

Download Submit
memory/1924-34-0x00007FF837800000-0x00007FF8382C1000-memory.dmp

Filesize
10.8MB

Download
memory/1924-19-0x00000000006A0000-0x00000000006FC000-memory.dmp

Filesize
368KB

Download
memory/1924-20-0x00007FF837803000-0x00007FF837805000-memory.dmp

Filesize
8KB

Download
memory/1924-29-0x00007FF837800000-0x00007FF8382C1000-memory.dmp

Filesize
10.8MB

Download
memory/1924-31-0x00007FF837800000-0x00007FF8382C1000-memory.dmp

Filesize
10.8MB

Download
memory/4316-41-0x0000000001220000-0x000000000122E000-memory.dmp

Filesize
56KB

Download
memory/4316-39-0x0000000000700000-0x00000000008E6000-memory.dmp

Filesize
1.9MB

Download
memory/4316-44-0x000000001B480000-0x000000001B4D0000-memory.dmp

Filesize
320KB

Download
memory/4316-50-0x0000000001280000-0x000000000128C000-memory.dmp

Filesize
48KB

Download
memory/4316-46-0x000000001B430000-0x000000001B448000-memory.dmp

Filesize
96KB

Download
memory/4316-48-0x0000000001270000-0x000000000127E000-memory.dmp

Filesize
56KB

Download
memory/4316-43-0x000000001B410000-0x000000001B42C000-memory.dmp

Filesize
112KB

Download
memory/4920-100-0x000001FA4A040000-0x000001FA4A062000-memory.dmp

Filesize
136KB

Download