agenttesla | 723f6417f6ce1dd3479eb312f48ac91080dfaafdb53a99502b650c2045272796

Resubmissions

04-10-2024 05:29

241004-f62bjawhpl 10

04-10-2024 05:24

241004-f32swswglp 10

Analysis

max time kernel
147s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
04-10-2024 05:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

723f6417f6ce1dd3479eb312f48ac91080dfaafdb53a99502b650c2045272796N.exe
Size

1.2MB
MD5

353888b84fcd4ef1adf990fb7e93bee0
SHA1

23fc93a370b6ce040f59f7a7d034795b9abf7d2c
SHA256

723f6417f6ce1dd3479eb312f48ac91080dfaafdb53a99502b650c2045272796
SHA512

1de90ed0b7a364122e96b7b7a16003cdd10fb17869a9f6d058f62f95d2ece519697a117df19c4776ed2f622e8be89e4eca69febdf59fe8e99213b87f9ebac54b
SSDEEP

24576:d1dfZSK0FioeVcQkCwmomRUHAl0fl3Pxqh53AlvO4x:dryioeeQk0lUgmVx

Score

10^/10

agenttesla discovery execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.cojosem.com
Port:
587
Username:
[email protected]
Password:
ZARHLOULBOSS123

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.cojosem.com
Port:
587
Username:
[email protected]
Password:
ZARHLOULBOSS123
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1464	powershell.exe
4656	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\VmkjVd = "C:\\Users\\Admin\\AppData\\Roaming\\VmkjVd\\VmkjVd.exe"	RegSvcs.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	api.ipify.org
1	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4252 set thread context of 2212	4252	723f6417f6ce1dd3479eb312f48ac91080dfaafdb53a99502b650c2045272796N.exe	83

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	723f6417f6ce1dd3479eb312f48ac91080dfaafdb53a99502b650c2045272796N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1204	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
4252	723f6417f6ce1dd3479eb312f48ac91080dfaafdb53a99502b650c2045272796N.exe
4252	723f6417f6ce1dd3479eb312f48ac91080dfaafdb53a99502b650c2045272796N.exe
1464	powershell.exe
4656	powershell.exe
4252	723f6417f6ce1dd3479eb312f48ac91080dfaafdb53a99502b650c2045272796N.exe
2212	RegSvcs.exe
2212	RegSvcs.exe
1464	powershell.exe
4656	powershell.exe
1532	msedge.exe
1532	msedge.exe
236	msedge.exe
236	msedge.exe
2336	msedge.exe
2336	msedge.exe
2888	identity_helper.exe
2888	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4252	723f6417f6ce1dd3479eb312f48ac91080dfaafdb53a99502b650c2045272796N.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeDebugPrivilege	2212	RegSvcs.exe
Token: 33	3744	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3744	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2212	RegSvcs.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4252 wrote to memory of 1464	4252	723f6417f6ce1dd3479eb312f48ac91080dfaafdb53a99502b650c2045272796N.exe	77
PID 4252 wrote to memory of 1464	4252	723f6417f6ce1dd3479eb312f48ac91080dfaafdb53a99502b650c2045272796N.exe	77
PID 4252 wrote to memory of 1464	4252	723f6417f6ce1dd3479eb312f48ac91080dfaafdb53a99502b650c2045272796N.exe	77
PID 4252 wrote to memory of 4656	4252	723f6417f6ce1dd3479eb312f48ac91080dfaafdb53a99502b650c2045272796N.exe	79
PID 4252 wrote to memory of 4656	4252	723f6417f6ce1dd3479eb312f48ac91080dfaafdb53a99502b650c2045272796N.exe	79
PID 4252 wrote to memory of 4656	4252	723f6417f6ce1dd3479eb312f48ac91080dfaafdb53a99502b650c2045272796N.exe	79
PID 4252 wrote to memory of 1204	4252	723f6417f6ce1dd3479eb312f48ac91080dfaafdb53a99502b650c2045272796N.exe	81
PID 4252 wrote to memory of 1204	4252	723f6417f6ce1dd3479eb312f48ac91080dfaafdb53a99502b650c2045272796N.exe	81
PID 4252 wrote to memory of 1204	4252	723f6417f6ce1dd3479eb312f48ac91080dfaafdb53a99502b650c2045272796N.exe	81
PID 4252 wrote to memory of 2212	4252	723f6417f6ce1dd3479eb312f48ac91080dfaafdb53a99502b650c2045272796N.exe	83
PID 4252 wrote to memory of 2212	4252	723f6417f6ce1dd3479eb312f48ac91080dfaafdb53a99502b650c2045272796N.exe	83
PID 4252 wrote to memory of 2212	4252	723f6417f6ce1dd3479eb312f48ac91080dfaafdb53a99502b650c2045272796N.exe	83
PID 4252 wrote to memory of 2212	4252	723f6417f6ce1dd3479eb312f48ac91080dfaafdb53a99502b650c2045272796N.exe	83
PID 4252 wrote to memory of 2212	4252	723f6417f6ce1dd3479eb312f48ac91080dfaafdb53a99502b650c2045272796N.exe	83
PID 4252 wrote to memory of 2212	4252	723f6417f6ce1dd3479eb312f48ac91080dfaafdb53a99502b650c2045272796N.exe	83
PID 4252 wrote to memory of 2212	4252	723f6417f6ce1dd3479eb312f48ac91080dfaafdb53a99502b650c2045272796N.exe	83
PID 4252 wrote to memory of 2212	4252	723f6417f6ce1dd3479eb312f48ac91080dfaafdb53a99502b650c2045272796N.exe	83
PID 1532 wrote to memory of 3880	1532	msedge.exe	88
PID 1532 wrote to memory of 3880	1532	msedge.exe	88
PID 1532 wrote to memory of 4212	1532	msedge.exe	89
PID 1532 wrote to memory of 4212	1532	msedge.exe	89
PID 1532 wrote to memory of 4212	1532	msedge.exe	89
PID 1532 wrote to memory of 4212	1532	msedge.exe	89
PID 1532 wrote to memory of 4212	1532	msedge.exe	89
PID 1532 wrote to memory of 4212	1532	msedge.exe	89
PID 1532 wrote to memory of 4212	1532	msedge.exe	89
PID 1532 wrote to memory of 4212	1532	msedge.exe	89
PID 1532 wrote to memory of 4212	1532	msedge.exe	89
PID 1532 wrote to memory of 4212	1532	msedge.exe	89
PID 1532 wrote to memory of 4212	1532	msedge.exe	89
PID 1532 wrote to memory of 4212	1532	msedge.exe	89
PID 1532 wrote to memory of 4212	1532	msedge.exe	89
PID 1532 wrote to memory of 4212	1532	msedge.exe	89
PID 1532 wrote to memory of 4212	1532	msedge.exe	89
PID 1532 wrote to memory of 4212	1532	msedge.exe	89
PID 1532 wrote to memory of 4212	1532	msedge.exe	89
PID 1532 wrote to memory of 4212	1532	msedge.exe	89
PID 1532 wrote to memory of 4212	1532	msedge.exe	89
PID 1532 wrote to memory of 4212	1532	msedge.exe	89
PID 1532 wrote to memory of 4212	1532	msedge.exe	89
PID 1532 wrote to memory of 4212	1532	msedge.exe	89
PID 1532 wrote to memory of 4212	1532	msedge.exe	89
PID 1532 wrote to memory of 4212	1532	msedge.exe	89
PID 1532 wrote to memory of 4212	1532	msedge.exe	89
PID 1532 wrote to memory of 4212	1532	msedge.exe	89
PID 1532 wrote to memory of 4212	1532	msedge.exe	89
PID 1532 wrote to memory of 4212	1532	msedge.exe	89
PID 1532 wrote to memory of 4212	1532	msedge.exe	89
PID 1532 wrote to memory of 4212	1532	msedge.exe	89
PID 1532 wrote to memory of 4212	1532	msedge.exe	89
PID 1532 wrote to memory of 4212	1532	msedge.exe	89
PID 1532 wrote to memory of 4212	1532	msedge.exe	89
PID 1532 wrote to memory of 4212	1532	msedge.exe	89
PID 1532 wrote to memory of 4212	1532	msedge.exe	89
PID 1532 wrote to memory of 4212	1532	msedge.exe	89
PID 1532 wrote to memory of 4212	1532	msedge.exe	89
PID 1532 wrote to memory of 4212	1532	msedge.exe	89
PID 1532 wrote to memory of 4212	1532	msedge.exe	89
PID 1532 wrote to memory of 4212	1532	msedge.exe	89
PID 1532 wrote to memory of 236	1532	msedge.exe	90
PID 1532 wrote to memory of 236	1532	msedge.exe	90
PID 1532 wrote to memory of 4104	1532	msedge.exe	91
PID 1532 wrote to memory of 4104	1532	msedge.exe	91
PID 1532 wrote to memory of 4104	1532	msedge.exe	91

C:\Users\Admin\AppData\Local\Temp\723f6417f6ce1dd3479eb312f48ac91080dfaafdb53a99502b650c2045272796N.exe
"C:\Users\Admin\AppData\Local\Temp\723f6417f6ce1dd3479eb312f48ac91080dfaafdb53a99502b650c2045272796N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4252
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\723f6417f6ce1dd3479eb312f48ac91080dfaafdb53a99502b650c2045272796N.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1464
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\LqzPSWJnodRc.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4656
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LqzPSWJnodRc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2D16.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1204
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffa78aa3cb8,0x7ffa78aa3cc8,0x7ffa78aa3cd8
  2⤵
  PID:3880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,7150112846464813938,16777691827318538324,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2
  2⤵
  PID:4212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,7150112846464813938,16777691827318538324,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,7150112846464813938,16777691827318538324,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2568 /prefetch:8
  2⤵
  PID:4104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,7150112846464813938,16777691827318538324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,7150112846464813938,16777691827318538324,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:3680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,7150112846464813938,16777691827318538324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
  2⤵
  PID:1220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,7150112846464813938,16777691827318538324,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4576 /prefetch:1
  2⤵
  PID:1452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1880,7150112846464813938,16777691827318538324,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4840 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2336
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1880,7150112846464813938,16777691827318538324,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,7150112846464813938,16777691827318538324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:1
  2⤵
  PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,7150112846464813938,16777691827318538324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
  2⤵
  PID:2340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,7150112846464813938,16777691827318538324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:2904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1880,7150112846464813938,16777691827318538324,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5180 /prefetch:8
  2⤵
  PID:432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1880,7150112846464813938,16777691827318538324,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5140 /prefetch:8
  2⤵
  PID:3428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,7150112846464813938,16777691827318538324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
  2⤵
  PID:2528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,7150112846464813938,16777691827318538324,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
  2⤵
  PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,7150112846464813938,16777691827318538324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
  2⤵
  PID:2536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,7150112846464813938,16777691827318538324,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
  2⤵
  PID:3060

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4060

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3744

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004D0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3744

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d0c46cad6c0778401e21910bd6b56b70

SHA1
7be418951ea96326aca445b8dfe449b2bfa0dca6

SHA256
9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

SHA512
057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e2612636cf368bc811fdc8db09e037d

SHA1
d69e34379f97e35083f4c4ea1249e6f1a5f51d56

SHA256
2eecaacf3f2582e202689a16b0ac1715c628d32f54261671cf67ba6abbf6c9f9

SHA512
b3cc3bf967d014f522e6811448c4792eed730e72547f83eb4974e832e958deb7e7f4c3ce8e0ed6f9c110525d0b12f7fe7ab80a914c2fe492e1f2d321ef47f96d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e8115549491cca16e7bfdfec9db7f89a

SHA1
d1eb5c8263cbe146cd88953bb9886c3aeb262742

SHA256
dfa9a8b54936607a5250bec0ed3e2a24f96f4929ca550115a91d0d5d68e4d08e

SHA512
851207c15de3531bd230baf02a8a96550b81649ccbdd44ad74875d97a700271ef96e8be6e1c95b2a0119561aee24729cb55c29eb0b3455473688ef9132ed7f54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
40a6e2cd8f9bf2b04506131c5eb786d1

SHA1
cbec9ce07463214d941e585fdcb73cc8fe923d8f

SHA256
ab1c931deab18e5643801e6b76aa87bd79d5590d67ee07f436727595d519e94e

SHA512
5b93c25403d063ffba3b0fa091fae83238cb3d924ce798f4a409f2d73efed9a8d31d15f87d897015d56e0fd31bf01b102e2f7eaa4f356e934db7f409df889bb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
9e7528e2989bd18b8daad4181670f434

SHA1
0331fcec54648112e98cb021d8a434f6d51b79f7

SHA256
f519ef24755403452244c51a58cb3b6902b0e27b8e079d7f1752bbefa1144bb1

SHA512
d08fed4564986a7a147ac00c243425114b57eafdb10e007b26baf909a56352324b46a1544de262d71bb3107e97a4382e9b2679f6af7686835256c1c807ed5429

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Platform Notifications\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fd3c1b274e506633c34f0406fea3ead2

SHA1
b43b5d5f978fdd44c7c2502b2d7668747ea53243

SHA256
92e82b0f1982a9eae2abeed1ab3ba114511fbba0f48759391378b42f0a57c0ab

SHA512
017d67fc6dc1981d8d8a264772f65ea13fd9608e408b7a8695ae4efed3b1ed4992539a8b21f0f9dc88eb967ac77072a0b3dcfbd496e9c67163c52a5494d9d127

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2b1d6a72a68b77e9eae6b122e46e9fa6

SHA1
7d1525a27462b5ee49869a1025f793f0261538aa

SHA256
14338766116b70dade604138f3bf02f652f7fd675ca5a190d3db9158f56ec20c

SHA512
aefccbd32b2d47635deeb09b2761c77537ead2a5dcc39d5fcd5b6133e3481c17bc302a069f5d3865ef38fe11a6686b8225d3fd273d97edb6287c4fb61673c789

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
60e584cc2ef53ec63b3ff9865d5450d3

SHA1
76b2b97d0a11244371b8d1289089818f09ffc8ba

SHA256
2fe06cf550fcf130b32221127bab701e09ae7249c4c49a642db190e32953efa5

SHA512
781c3bc1561d9ee516bcf43448f3e17a81f4262d1c2a670a1ed8e0b6280ba285cdb7df0eb36dda44c2e667b6285f51b89e39c807520487b019932eda8f4b042e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\4fbbe1e3-92f2-484f-8a67-1c8aec50feeb\index-dir\the-real-index

Filesize
2KB

MD5
274ec0010a8bebec6fd44d660b05c1b6

SHA1
1646624300472736d8bbd3977a75fe1b27f77b51

SHA256
710ada93b57b5bf699c1cb6c72288034962fb745a9a91cb2fac6a3085a24c8f0

SHA512
3e2772b7fc8b46510ca91ddae5d96e31f352ac17881daf5c020cd3f78db927d01750ddc67f84a8b68b10ab17cf7bc110e9e625ded74b51d6626c0dfc04482b61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\4fbbe1e3-92f2-484f-8a67-1c8aec50feeb\index-dir\the-real-index~RFe58b244.TMP

Filesize
48B

MD5
93f40795463662e4756ecc5a6ff24dee

SHA1
6e5da19b25e8861296487a231db750484a1c7835

SHA256
0909a4a1f332762967cbb3d806940e02f4a64b5738e4151b10cef72e68a83e89

SHA512
b3f232c9e38aad20e0776194f8bf181cff79e1a98e3ed768cefbfbdcb5e913252fcb0c318a16697886dcec284bc106995e63ee88e3bc607e42582ecd10d54189

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
d1f3f8c722cf078cb8012217bbd04d83

SHA1
3e6832f2c3df36515f8a728768ce66eafd40cda4

SHA256
669a9f55ad0cc10f76af25e9938b2048915e19cff6aa0b9a16bd2412898b2436

SHA512
661a9b240e1f50d3141759cb2f4c273b99078e72650ee95f33c479f15c30543366e83c26b2f6f28027c351a7bf0743063eda7a987dd5f6a2da753615d6e83a06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
a76235a6438444644d3a7cc0a9661315

SHA1
837b2bd7530e90536a10baa7381ff7a281b4b437

SHA256
5cef4d34c5c564c3e2d6431b1c3d2d57a4de96c61a653c4b18c988b5af3289b3

SHA512
6fddadd325f9eb97b7406efaa864d8354d5147b4ca43d98330c291a7e671e4372d0f94b76ab27fc5768ec2811d54fd54bc456b8a6baaff8cc78210ecbc1a2943

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
fec8ab3caac79f6d818854b9439fe579

SHA1
4f03bcccb6c5249bd0d01cc242f48f9fc8e2c702

SHA256
6383d9067815c22203d6a891b3651c19a4eb5e8e81bd8bd4b3c5dc43fb7e92ae

SHA512
d601a0f8a712db276da940ef0b3ff87cea77c7293b9bd608a46441f936065638dffcaff2c42e54ebe476b56c96b6ed001afe9060ce1b1be7ffc91eac6dccb20f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
0a94fae6821b4b62ff00ec58221bd5b2

SHA1
4f56abd042dd89a338b1348e7f103985e4c8d8ec

SHA256
b4452ee99cd1b5145c0de80ba72632ed02a8fb4266aa935d6ead298c11aa0db2

SHA512
dd4d3bd8c55ea4c5048a65072659d4fec118734b9b6c5c8232082ef65590db5f7604ccce1a71fa5c0ea0235ad034bccec1cddcf3ad9482b8f1c9ba456fa08386

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
df5b91613cdc0ec741fd5b1be4735634

SHA1
febe455cbfe6d56eda3fcc109ff984170d857aa1

SHA256
b378b7d863cce729fbf2f98f308b9508ab640f903f76151ac1d6d6327a031843

SHA512
1df0b60783c58e8e7553c49d169c2fa6922815e4ac0508669e1058109b8920b785e42effa9ec544441724be40b0f12609bd592744253b29c8da7ef28cbbb0d40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58b244.TMP

Filesize
48B

MD5
fe07a0cc1f642f1501b9322ca804a6df

SHA1
1cf78de222aeba28aec6cf13f949732987fef4ee

SHA256
604f857be24f8ceefb16bb3dba68393d89fff868bcee10033d3b5bdc48ee51d3

SHA512
52a66597010f907a48a2e54713dc6753d63e99c74ad8d6ec8c33b7345dfd4d590001317667b3f9a0348c3842843d996547327def26d0d88d75cc3a3d330d3b4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
35b693b133a69b76212bca25b537fc27

SHA1
ea485c8829c084320ed4f56d2f60bab9361afb22

SHA256
237ab1e9e68b7f9c4426c36ccebaad1e115e4b222ade04025a5bd7cdd9866d0c

SHA512
35093b93f0a4de979f0afe30af72be3504cece426d989c8b8b702e5b8375a1980199ca92e4f022261b2e6a93d3708be6d87be73430a08e4950c67c99f555ec03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
22c8f6b68846e0697cb10789fd2a68b4

SHA1
1714096f17995c16ddd3ec95e3e34dc381c5ce1e

SHA256
948e9dc8b60c71b93f3f96baa21c9d3f287461a31dc176e5c5597ac0466afc5d

SHA512
6e0d12b646cbae68ce52e2218f87ae1d1c5008100c9cd21ebe91ec4e967613e89d08179f0d611cfa96c29af6386040e5fc9451d524a6dcc9f693330a715efeb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
2e8a82b1c184c907971ccfa46adf3a64

SHA1
40e855729a8a25e213b74baad2e93bd7e57fcf63

SHA256
afd40268546ff4853043600e6a9234b51bfef171ac57a9108195a6e909019092

SHA512
37012903ce7f19cc9fa3423ec7b202a0902951d085204045c22f2a7edae3d7c943bd0bcde9d63c0a2d61fa8828762f46fa3b209b28a2ade421b6ef9fd82426e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bbua32gt.vtp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2D16.tmp

Filesize
1KB

MD5
fcde4e9785105338a38a81b4470e287e

SHA1
2398f6123a5a3d3d3e74c9594516fa2a69a7615f

SHA256
f31b61e6af53a868f873960d7b747ce6f34170976fde31f942cef460056d337b

SHA512
33e3c17373f46e86318170cd916f8e4367885eaa03cfaa80f0bbf8823d54f5fc3899ecffdb5e3699593cd49ca2bed8ffc1fe284d4e4224838980ae6494459145

Download Submit
memory/1464-21-0x0000000005510000-0x0000000005532000-memory.dmp

Filesize
136KB

Download
memory/1464-86-0x0000000074330000-0x0000000074AE1000-memory.dmp

Filesize
7.7MB

Download
memory/1464-16-0x0000000002BE0000-0x0000000002C16000-memory.dmp

Filesize
216KB

Download
memory/1464-48-0x00000000063D0000-0x00000000063EE000-memory.dmp

Filesize
120KB

Download
memory/1464-49-0x00000000064D0000-0x000000000651C000-memory.dmp

Filesize
304KB

Download
memory/1464-50-0x0000000007370000-0x00000000073A4000-memory.dmp

Filesize
208KB

Download
memory/1464-60-0x00000000073B0000-0x00000000073CE000-memory.dmp

Filesize
120KB

Download
memory/1464-51-0x00000000708C0000-0x000000007090C000-memory.dmp

Filesize
304KB

Download
memory/1464-61-0x00000000073E0000-0x0000000007484000-memory.dmp

Filesize
656KB

Download
memory/1464-65-0x0000000007710000-0x000000000772A000-memory.dmp

Filesize
104KB

Download
memory/1464-63-0x0000000007D60000-0x00000000083DA000-memory.dmp

Filesize
6.5MB

Download
memory/1464-19-0x0000000074330000-0x0000000074AE1000-memory.dmp

Filesize
7.7MB

Download
memory/1464-73-0x0000000007790000-0x000000000779A000-memory.dmp

Filesize
40KB

Download
memory/1464-74-0x00000000079A0000-0x0000000007A36000-memory.dmp

Filesize
600KB

Download
memory/1464-18-0x00000000057B0000-0x0000000005DDA000-memory.dmp

Filesize
6.2MB

Download
memory/1464-17-0x0000000074330000-0x0000000074AE1000-memory.dmp

Filesize
7.7MB

Download
memory/1464-20-0x0000000074330000-0x0000000074AE1000-memory.dmp

Filesize
7.7MB

Download
memory/1464-78-0x0000000007A60000-0x0000000007A7A000-memory.dmp

Filesize
104KB

Download
memory/1464-80-0x0000000007A50000-0x0000000007A58000-memory.dmp

Filesize
32KB

Download
memory/1464-22-0x0000000005DE0000-0x0000000005E46000-memory.dmp

Filesize
408KB

Download
memory/1464-23-0x0000000005E50000-0x0000000005EB6000-memory.dmp

Filesize
408KB

Download
memory/1464-32-0x0000000005F00000-0x0000000006257000-memory.dmp

Filesize
3.3MB

Download
memory/2212-88-0x0000000006D70000-0x0000000006DC0000-memory.dmp

Filesize
320KB

Download
memory/2212-36-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4252-47-0x0000000074330000-0x0000000074AE1000-memory.dmp

Filesize
7.7MB

Download
memory/4252-5-0x0000000074330000-0x0000000074AE1000-memory.dmp

Filesize
7.7MB

Download
memory/4252-11-0x0000000006EE0000-0x0000000006F66000-memory.dmp

Filesize
536KB

Download
memory/4252-9-0x0000000074330000-0x0000000074AE1000-memory.dmp

Filesize
7.7MB

Download
memory/4252-10-0x0000000005790000-0x00000000057A6000-memory.dmp

Filesize
88KB

Download
memory/4252-1-0x0000000000840000-0x0000000000978000-memory.dmp

Filesize
1.2MB

Download
memory/4252-2-0x0000000005940000-0x0000000005EE6000-memory.dmp

Filesize
5.6MB

Download
memory/4252-3-0x0000000005430000-0x00000000054C2000-memory.dmp

Filesize
584KB

Download
memory/4252-4-0x00000000054E0000-0x00000000054EA000-memory.dmp

Filesize
40KB

Download
memory/4252-6-0x00000000057C0000-0x000000000585C000-memory.dmp

Filesize
624KB

Download
memory/4252-7-0x00000000056E0000-0x00000000056F6000-memory.dmp

Filesize
88KB

Download
memory/4252-0-0x000000007433E000-0x000000007433F000-memory.dmp

Filesize
4KB

Download
memory/4252-8-0x000000007433E000-0x000000007433F000-memory.dmp

Filesize
4KB

Download
memory/4656-34-0x0000000074330000-0x0000000074AE1000-memory.dmp

Filesize
7.7MB

Download
memory/4656-35-0x0000000074330000-0x0000000074AE1000-memory.dmp

Filesize
7.7MB

Download
memory/4656-37-0x0000000074330000-0x0000000074AE1000-memory.dmp

Filesize
7.7MB

Download
memory/4656-87-0x0000000074330000-0x0000000074AE1000-memory.dmp

Filesize
7.7MB

Download
memory/4656-62-0x00000000708C0000-0x000000007090C000-memory.dmp

Filesize
304KB

Download
memory/4656-75-0x0000000007790000-0x00000000077A1000-memory.dmp

Filesize
68KB

Download
memory/4656-76-0x00000000077C0000-0x00000000077CE000-memory.dmp

Filesize
56KB

Download
memory/4656-77-0x00000000077D0000-0x00000000077E5000-memory.dmp

Filesize
84KB

Download