hxxps://drive[.]google[.]com/file/d/1-75cIu-pRHtUxc5inPxZWExUFIyou_bM/view?pli=1

Analysis

max time kernel
155s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-12-2024 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1-75cIu-pRHtUxc5inPxZWExUFIyou_bM/view?pli=1

Score

10^/10

discovery evasion execution trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Lossless Scaling.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Lossless Scaling.exe

Executes dropped EXE 4 IoCs

pid	Process
5440	Lossless Scaling.exe
4316	LosslessScaling.exe
6020	Lossless Scaling.exe
4504	LosslessScaling.exe

Loads dropped DLL 2 IoCs

pid	Process
4316	LosslessScaling.exe
4504	LosslessScaling.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	drive.google.com
8	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2464	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lossless Scaling.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lossless Scaling.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Colors	LosslessScaling.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Colors	LosslessScaling.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	msedge.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1404	regedit.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1176	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
4948	msedge.exe
4948	msedge.exe
3852	msedge.exe
3852	msedge.exe
4952	identity_helper.exe
4952	identity_helper.exe
1644	msedge.exe
1644	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
2464	powershell.exe
2464	powershell.exe
2464	powershell.exe
4316	LosslessScaling.exe
4316	LosslessScaling.exe
4504	LosslessScaling.exe
4504	LosslessScaling.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	6096	7zG.exe
Token: 35	6096	7zG.exe
Token: SeSecurityPrivilege	6096	7zG.exe
Token: SeSecurityPrivilege	6096	7zG.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	4316	LosslessScaling.exe
Token: SeDebugPrivilege	4504	LosslessScaling.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
6096	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4316	LosslessScaling.exe
4504	LosslessScaling.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3852 wrote to memory of 2448	3852	msedge.exe	82
PID 3852 wrote to memory of 2448	3852	msedge.exe	82
PID 3852 wrote to memory of 1696	3852	msedge.exe	83
PID 3852 wrote to memory of 1696	3852	msedge.exe	83
PID 3852 wrote to memory of 1696	3852	msedge.exe	83
PID 3852 wrote to memory of 1696	3852	msedge.exe	83
PID 3852 wrote to memory of 1696	3852	msedge.exe	83
PID 3852 wrote to memory of 1696	3852	msedge.exe	83
PID 3852 wrote to memory of 1696	3852	msedge.exe	83
PID 3852 wrote to memory of 1696	3852	msedge.exe	83
PID 3852 wrote to memory of 1696	3852	msedge.exe	83
PID 3852 wrote to memory of 1696	3852	msedge.exe	83
PID 3852 wrote to memory of 1696	3852	msedge.exe	83
PID 3852 wrote to memory of 1696	3852	msedge.exe	83
PID 3852 wrote to memory of 1696	3852	msedge.exe	83
PID 3852 wrote to memory of 1696	3852	msedge.exe	83
PID 3852 wrote to memory of 1696	3852	msedge.exe	83
PID 3852 wrote to memory of 1696	3852	msedge.exe	83
PID 3852 wrote to memory of 1696	3852	msedge.exe	83
PID 3852 wrote to memory of 1696	3852	msedge.exe	83
PID 3852 wrote to memory of 1696	3852	msedge.exe	83
PID 3852 wrote to memory of 1696	3852	msedge.exe	83
PID 3852 wrote to memory of 1696	3852	msedge.exe	83
PID 3852 wrote to memory of 1696	3852	msedge.exe	83
PID 3852 wrote to memory of 1696	3852	msedge.exe	83
PID 3852 wrote to memory of 1696	3852	msedge.exe	83
PID 3852 wrote to memory of 1696	3852	msedge.exe	83
PID 3852 wrote to memory of 1696	3852	msedge.exe	83
PID 3852 wrote to memory of 1696	3852	msedge.exe	83
PID 3852 wrote to memory of 1696	3852	msedge.exe	83
PID 3852 wrote to memory of 1696	3852	msedge.exe	83
PID 3852 wrote to memory of 1696	3852	msedge.exe	83
PID 3852 wrote to memory of 1696	3852	msedge.exe	83
PID 3852 wrote to memory of 1696	3852	msedge.exe	83
PID 3852 wrote to memory of 1696	3852	msedge.exe	83
PID 3852 wrote to memory of 1696	3852	msedge.exe	83
PID 3852 wrote to memory of 1696	3852	msedge.exe	83
PID 3852 wrote to memory of 1696	3852	msedge.exe	83
PID 3852 wrote to memory of 1696	3852	msedge.exe	83
PID 3852 wrote to memory of 1696	3852	msedge.exe	83
PID 3852 wrote to memory of 1696	3852	msedge.exe	83
PID 3852 wrote to memory of 1696	3852	msedge.exe	83
PID 3852 wrote to memory of 4948	3852	msedge.exe	84
PID 3852 wrote to memory of 4948	3852	msedge.exe	84
PID 3852 wrote to memory of 3588	3852	msedge.exe	85
PID 3852 wrote to memory of 3588	3852	msedge.exe	85
PID 3852 wrote to memory of 3588	3852	msedge.exe	85
PID 3852 wrote to memory of 3588	3852	msedge.exe	85
PID 3852 wrote to memory of 3588	3852	msedge.exe	85
PID 3852 wrote to memory of 3588	3852	msedge.exe	85
PID 3852 wrote to memory of 3588	3852	msedge.exe	85
PID 3852 wrote to memory of 3588	3852	msedge.exe	85
PID 3852 wrote to memory of 3588	3852	msedge.exe	85
PID 3852 wrote to memory of 3588	3852	msedge.exe	85
PID 3852 wrote to memory of 3588	3852	msedge.exe	85
PID 3852 wrote to memory of 3588	3852	msedge.exe	85
PID 3852 wrote to memory of 3588	3852	msedge.exe	85
PID 3852 wrote to memory of 3588	3852	msedge.exe	85
PID 3852 wrote to memory of 3588	3852	msedge.exe	85
PID 3852 wrote to memory of 3588	3852	msedge.exe	85
PID 3852 wrote to memory of 3588	3852	msedge.exe	85
PID 3852 wrote to memory of 3588	3852	msedge.exe	85
PID 3852 wrote to memory of 3588	3852	msedge.exe	85
PID 3852 wrote to memory of 3588	3852	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/file/d/1-75cIu-pRHtUxc5inPxZWExUFIyou_bM/view?pli=1
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff80bd346f8,0x7ff80bd34708,0x7ff80bd34718
  2⤵
  PID:2448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,2207785180882610932,2776958475083977264,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
  2⤵
  PID:1696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,2207785180882610932,2776958475083977264,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,2207785180882610932,2776958475083977264,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2944 /prefetch:8
  2⤵
  PID:3588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2207785180882610932,2776958475083977264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:4756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2207785180882610932,2776958475083977264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:3408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2207785180882610932,2776958475083977264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
  2⤵
  PID:1236
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,2207785180882610932,2776958475083977264,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5764 /prefetch:8
  2⤵
  PID:3228
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,2207785180882610932,2776958475083977264,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5764 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2207785180882610932,2776958475083977264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2207785180882610932,2776958475083977264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
  2⤵
  PID:404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2207785180882610932,2776958475083977264,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
  2⤵
  PID:1968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,2207785180882610932,2776958475083977264,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5064 /prefetch:8
  2⤵
  PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2207785180882610932,2776958475083977264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,2207785180882610932,2776958475083977264,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6396 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2207785180882610932,2776958475083977264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2207785180882610932,2776958475083977264,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6608 /prefetch:1
  2⤵
  PID:3768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,2207785180882610932,2776958475083977264,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6176 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4628

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1976

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5088

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1808

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\lossless scaling\" -ad -an -ai#7zMap10448:94:7zEvent10952
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:6096

C:\Users\Admin\Downloads\lossless scaling\lossless scaling\Lossless Scaling.exe
"C:\Users\Admin\Downloads\lossless scaling\lossless scaling\Lossless Scaling.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5440
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Public\language\en-US\hiberfil.ps1"
  2⤵
  - UAC bypass
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2464
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /tn administartor /SC minute /MO 2 /tr C:\Users\Public\IObitUnlocker\Loader.vbs /RL HIGHEST
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1176
- C:\Users\Admin\Downloads\lossless scaling\lossless scaling\language\uk-UA\LosslessScaling.exe
  "C:\Users\Admin\Downloads\lossless scaling\lossless scaling\language\uk-UA\LosslessScaling.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4316

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\lossless scaling\lossless scaling\__HOW TO CRACK.txt
1⤵
PID:5872

C:\Windows\regedit.exe
"regedit.exe" "C:\Users\Admin\Downloads\lossless scaling\lossless scaling\Registration ('Crack')\Double-click, confirm to merge, done.reg"
1⤵
- Runs .reg file with regedit
PID:1404

C:\Users\Admin\Downloads\lossless scaling\lossless scaling\Lossless Scaling.exe
"C:\Users\Admin\Downloads\lossless scaling\lossless scaling\Lossless Scaling.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6020
- C:\Users\Admin\Downloads\lossless scaling\lossless scaling\language\uk-UA\LosslessScaling.exe
  "C:\Users\Admin\Downloads\lossless scaling\lossless scaling\language\uk-UA\LosslessScaling.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Lossless Scaling\Settings.xml

Filesize
2KB

MD5
45fed0a3bcbc889ca99d0c5943210e7e

SHA1
602584366a413cb9ae459b6c3231190cd787241e

SHA256
9812fe8104a86e693d6baa02a4cdb56ea9a4aedb500b050346eb5ec6bda8dd09

SHA512
d0728fcce9484daedb2c9552ee2a818f7cccbeb1e9bca24a1c4fc1ca6e8c181c46cdc89670bfee3d6ad219ea6f69750bd03f776af4f9e4667872c66c11dbd255

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\LosslessScaling.exe.log

Filesize
3KB

MD5
137b687e9203dcd674ebe49c0652be64

SHA1
ca77ecea73ad7eeb8fa3709d9db24e0de9a28163

SHA256
a57fbb7a3fd76af170e70ed63bdea9f5329ad185c67fed985d95273b49846781

SHA512
2e5882816624e382dace7ce26374b2b2657501a76c3aca8dc2433850b5fde354af8d302d651f8b0544eed2256fc2a7f6596a2b1e4908a0eb2b6569a21bfa64c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Lossless Scaling.exe.log

Filesize
520B

MD5
03febbff58da1d3318c31657d89c8542

SHA1
c9e017bd9d0a4fe533795b227c855935d86c2092

SHA256
5164770a37b199a79ccd23b399bb3309228973d9f74c589bc2623dc613b37ac4

SHA512
3750c372bbca1892e9c1b34681d592c693e725a8b149c3d6938079cd467628cec42c4293b0d886b57a786abf45f5e7229247b3445001774e3e793ff5a3accfa3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6960857d16aadfa79d36df8ebbf0e423

SHA1
e1db43bd478274366621a8c6497e270d46c6ed4f

SHA256
f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

SHA512
6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f426165d1e5f7df1b7a3758c306cd4ae

SHA1
59ef728fbbb5c4197600f61daec48556fec651c1

SHA256
b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

SHA512
8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\5edd0d03-a7fc-4e54-a28e-b9c4706156e1.tmp

Filesize
3KB

MD5
c844cf8dec2e7d255397db4276bb6d30

SHA1
d3000c2a19315b6e6bcf1879095bffec04bdef77

SHA256
c67b0c9e8155218ccc83fbe62bbe640275ad7659f07ec9e334be48c553135dbe

SHA512
ac753f8294189d089a7a900fe6d968940dfbbd4d11c8ea07d06ae841973829da61b37146d5212ffb98aa4c379cd4c0b92158f660966b92fc751884bfdd15e8fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
96012bbf3888e0bb11f23c8992ec93cf

SHA1
0559051d33a33d2f2988da233d5d8a79005cf274

SHA256
de1e995a2dfdce6a4aabdb433caf2c418134a738ccfbd2e19979e67f404c2b80

SHA512
27b7d03b6e056121faa2b69b8513c3f63398c875ea978d90818605841fc77fef795db9bb806e79a8e70d177a21745696884dde0b8bcf345a576c92b0aa945e1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
f8121f1efa63bdd6098ce0d0a3719254

SHA1
1496d276b76527863c17556b26e76879d17c9ffd

SHA256
7aca0b12961e00fc1165b56b9be1fed23b877fcc489131a05c555a6da13e76b8

SHA512
4b9679269ffa92cd4c5a4b3a720c18b6dddb9936da2cb466507d64845a7566a70069fa3c83189e3525257216fef04ee038872059ac93ad04fd01cc1eddd90e0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f954dc15dbf0bc48ebb1bd6f624460d8

SHA1
20c469938f2ca3465e184d6f3e5fab7ebb0eaa48

SHA256
557dec67a3baba247f17da5f99c0dda915ad8acd9351a333fd8385e128b02bb1

SHA512
f904349d5086467a282a6026ab50e02aa0184aa7fa4e2abfabe3bea8db722f218450394864ecff5b729bcd0efa7315280de585848e139abb1d37bb62402a651e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
948d89b5f7b4955f83f287152677fd0b

SHA1
b1cb1de9fccc7e6a911daf0d4bd62ae24ccd5e90

SHA256
251fb8e97711899a8070096c9dc439cd4ba6db1aef526c41aad2d269c7abedf0

SHA512
4ec24b1a9bac35d225f02019165cac2ce11d31a968ce3f694cee9fe733aa611bedce751e7d7f463e14702ce8ba2cf90eeeb93d5987593da80f6d6aac7b292167

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4f2ea62f3578befd5bc511a9874d4e44

SHA1
c620edc291507c9ee463c7fe45c866e1aa5e5da2

SHA256
132422b13ac06f34efe17901913e2d399116c8dca63e1fca64568bc8ce29fbe1

SHA512
5f9ba073d9400933192d685dd7d0358bce77d920440714d485534c748abd10e701813a820a566a7ecfaafc670e119ee9c00977e0b5ed763327ab89b502eba179

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ec348137313d1545700a9b6cb39c8b2a

SHA1
4f0edafa3be6c1aefffc2b7124c9d4226b479b85

SHA256
46dd0a66ee5a72a627f1b04ea16bf1d14d63d33bc09a3cf54a4158d5f1312a4a

SHA512
da75b22f142598e47920add3fb41e9c0341e9a5698c4d549eafbb2c77ee629456d522e445cb511b41eb8492bbbaca130c59581ac0e5fea1d85e8230606e9a03b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5c2fbd05a464469681a6645e950a0100

SHA1
c98b7c42e7359e0a1c0858297ee834ff968ddee5

SHA256
23f238b4f5be7d4c9637bef3702aaa9673203b2e23b8dc0ad05c7d1b280cf625

SHA512
90bcbe2e168e206fd465921ea1565e7a250a5da2dd97bb65eadcdea507ced4e42d6637ac602bff19fde824a00e91b2874c411d312754c4102a55b98569ee4003

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pwv5gxxo.4ar.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 509521.crdownload

Filesize
3.5MB

MD5
1accb1cd6c3b2c49e6d261bff49eed0f

SHA1
6d98638aeda638ee4d775f6e31d2cc9523a12e72

SHA256
2dcce38a8f72448edb9244979e5c5ad0e9c9015c1868cc05eea37a59d8067108

SHA512
3ea8b7924afa03c099324e091464fdbc2173d5156f322182cd4618d33f63dd49d0a5a8259649fbd8b17ef67ad6f5fd09ff93708d8ac1563c30538a08e9056ace

Download Submit
C:\Users\Admin\Downloads\lossless scaling\lossless scaling\Lossless Scaling.exe

Filesize
155KB

MD5
abbf10016dd3f4cce2f0dc5000e9f8d0

SHA1
87078c942dd9c74a972dfa83ce870c5d7d37d2d0

SHA256
1bc39bedcbaa84ad2f96f7d04217b6e70cac0e831caf64ec768fb3a74c4a2191

SHA512
c1a6bb7700187ae9a868feaad4f47746127034e1924a0e54d7bdb01632ff4b7f4c8ee053e840f839852d6d3bd3b592dc5d39ec574510b67d3d1d8f353b7867a4

Download Submit
C:\Users\Admin\Downloads\lossless scaling\lossless scaling\Registration ('Crack')\Double-click, confirm to merge, done.reg

Filesize
250B

MD5
ff047b633dfa3af4e5b5c78c1c84515b

SHA1
edca05a1a23484322da3932074af30de93d4c041

SHA256
963e9de4561957e19eb200c7446aaba4e59392040eaa5006717bf826a589cc21

SHA512
3e0f46a9c8626a6f53e710676b42802f014f9bac8dbb1af58e42c3e1f7df80ca074e137d4b98fa5739b07028f11eed7f569b55232a2c85dd5d8a7b23dc8420d3

Download Submit
C:\Users\Admin\Downloads\lossless scaling\lossless scaling\__HOW TO CRACK.txt

Filesize
68B

MD5
88ad4289df801383d10899bcae6eb317

SHA1
ccc4a249545f9e0f48932d982b2320a79791483f

SHA256
867a006aeee7cbfe6b44ed9d8f412e3104bf077b7ad49aa642f166095c37d1ee

SHA512
0eec25b34993e75bea0981f87df0377244a75acf404f6159030240032f34f0858807e89423a07ef338573c84895e1f7faeb8c1dfb964c51e1364375648954124

Download Submit
C:\Users\Admin\Downloads\lossless scaling\lossless scaling\language\en-US\diagerr.xml

Filesize
1KB

MD5
b2f7d59726168e6c7f0a92e838feebba

SHA1
8bdba91d4b416de5bf0a320b44cd20f7cd4d6bd9

SHA256
a85f2fe915f90ab0580f6740f960676d7e963a6a5d172ab90a51eefdc4b142ba

SHA512
18f933591917fa35efd39deba1bfd80e819d9e07108034abab2dcc965c48d896e2712d1739582676f1c58ca44bff4746bad1ee2905c905cdc3fa4c29441bc0a8

Download Submit
C:\Users\Admin\Downloads\lossless scaling\lossless scaling\language\en-US\hiberfil.sys

Filesize
1KB

MD5
98a99e831c54087770d3fd89f2bb9913

SHA1
26754b638106f4e2c3bdff6780c574384a129972

SHA256
92360a7d4d9bc840a967a86f6bd3651d0d7fb5218d57e3edcd36ad897f908a44

SHA512
cae5a9b95ac842902166cf2d67114f311f6bd9227999654f733b2ef16e4daf8fa2ea5fb5908425243226217fe99e87ded7f9d600a2eb668fb3b4f7d4b0974df2

Download Submit
C:\Users\Admin\Downloads\lossless scaling\lossless scaling\language\en-US\pagefile.sys

Filesize
1.7MB

MD5
df3362c56b3925e0eb83e0a10fb448c7

SHA1
7b82a4de6af8f15994cfa1f179ebf5e0f302e503

SHA256
1de06a9918cdd9e8dd95953f1a6b937d490a6eb228b2a67e5a89b09feab810c3

SHA512
431dbbf045c8a62cacd7e8236ad343287c574b97684d941fe6f94e702fbb2a19675e1849220fa443616bfe2adec0e2218c42d75889333ca489f064e931891785

Download Submit
C:\Users\Admin\Downloads\lossless scaling\lossless scaling\language\en-US\pagefile_1.55.7.0.nrmap

Filesize
96KB

MD5
c2ccd92eab60272ea9c085a10506a53e

SHA1
afbda23cb18e5c423478520f36d9a59eb86769f9

SHA256
43f376e1b2a83dcef344fe0953903133786cb9659e12e2d3868e2f52eee8319c

SHA512
a4b5b0417f8b766e42dec6e7854eb0c56bd6ee026a6b25c507de4321a1dd3f6e6927c4939c55c51230e47435c04c1cc22d7b968eb9bcee5bb2e48c855d93f74d

Download Submit
C:\Users\Admin\Downloads\lossless scaling\lossless scaling\language\uk-UA\Lossless.dll

Filesize
4.3MB

MD5
7969a2cbc4c31ccfb1ab8213f19501b9

SHA1
06a24af6e922ba2cd7fccb76ce2f43271a9af8b6

SHA256
486a48562504a274e984599a5931de200ea73bf6bc4c83bf6ca8daa651e80a68

SHA512
935988a39c1af479e971850f6758ee94098b35f173da609206312deeabeb3bc9466f93d1dad4e6d7938235f65fc52fdbd56058d46c1ba775d31718358eb6d8fa

Download Submit
C:\Users\Admin\Downloads\lossless scaling\lossless scaling\language\uk-UA\LosslessScaling.exe

Filesize
953KB

MD5
2c98d33096e97094cbbbd19f27f40883

SHA1
7e28af9d119d2658f962e3b28140c6081be1612b

SHA256
010ac1120a88a772e87d9e9018aa5db034a9bac9399803d4a7c4db3c47a71df6

SHA512
f9070ad6b2e3295fdde13aa8d7486147a7f9a675a924ad3bf117479baf5b573cf92650199e58378dd8345a28ab890bbd5021d374030c24836bfa65bb037dddc7

Download Submit
C:\Users\Admin\Downloads\lossless scaling\lossless scaling\language\uk-UA\LosslessScaling.exe.config

Filesize
174B

MD5
2a2df45a07478a1c77d5834c21f3d7fd

SHA1
f949e331f0d75ba38d33a072f74e2327c870d916

SHA256
051099983b896673909e01a1f631b6652abb88da95c9f06f3efef4be033091fa

SHA512
1a6dd48f92ea6b68ee23b86ba297cd1559f795946ecda17ade68aea3dda188869bba380e3ea3472e08993f4ae574c528b34c3e25503ee6119fd4f998835e09d7

Download Submit
C:\Users\Public\IObitUnlocker\IObitUnlocker.dll

Filesize
71KB

MD5
e1a4327af3cd8ca866996f472f0ff93a

SHA1
cfea8426ef8fab4136055401152821a19f908d45

SHA256
5f0bc7d75f32981e0e704c2217ed423c9a355f19515a1603103cc55cf9d3b901

SHA512
745f1ec495869d2fa2722ecadcaa27ec1f005742c69110802e9e1d7600d680d077e9762a400799e38003a4671a2590ecf1c480c2e7586039ebcce6ed36662280

Download Submit
C:\Users\Public\IObitUnlocker\IObitUnlocker.exe

Filesize
2.3MB

MD5
9303575597168ef11790500b29279f56

SHA1
bfab0ea30c5959fda893b9ddc6a348a4f47f8677

SHA256
0a507a553010c19369f17b649c5ffe6060216480059062ff75241944cf729bd7

SHA512
8e9f7a98c0a0c90643403d4abccd8736d12ba6bef83679ccfd626e52e86ed7db6fe558c6ec48a88cf32967c00d66131f550ac64cc98cd73fd477f165694e68b0

Download Submit
C:\Users\Public\IObitUnlocker\IObitUnlocker.sys

Filesize
65KB

MD5
47aa03a10ac3a407f8f30f1088edcbc9

SHA1
b5d78a1d3ae93bd343c6d65e64c0945d1d558758

SHA256
c79a2bb050af6436b10b58ef04dbc7082df1513cec5934432004eb56fba05e66

SHA512
3402ca68b00ffd9e2551f97b3895990ee0274f14f117505c3588ea76c716488860ac2da07c1d9275bbc43eb87b88893c52fb04d15f1afe7b7bf7d9a524961101

Download Submit
C:\Users\Public\IObitUnlocker\Loader.vbs

Filesize
155B

MD5
3781eced7bdb501738a60e3f926ae42a

SHA1
c65ca3f8ee5fd4f6dad689cc43bde301a451ec2c

SHA256
b343abd677e362c3ae1e573bf7c43bf476a8e97e67d7758328a51f30daaf4d95

SHA512
854dc0f2b8d2d4bcb7bb736d2a9c7f70132d069aedffb0e0952fa2d3d57992ae8cda02ea49214f40f4a05b30ac6fea145901fe6c72f257b43c461be138ce6971

Download Submit
C:\Users\Public\IObitUnlocker\Report.ps1

Filesize
457KB

MD5
40e7960be05c7c1f64d7157235171ce6

SHA1
79df02a409ba3721415e3d2755e467c10f9c698e

SHA256
5db5a2e88209a2e2901c8e9e74ad794be31c035a583ec62e73b5e8e22d5df0f0

SHA512
6801ed81e4c87b1328906befb506d598ea3eeaec3a835744b3a681104efca02d92db5228189b9859741a380ec54fdf98048f37d690396cfb9b2a7cabe487e2e9

Download Submit
memory/2464-310-0x0000000006300000-0x000000000631E000-memory.dmp

Filesize
120KB

Download
memory/2464-355-0x00000000078C0000-0x00000000078CA000-memory.dmp

Filesize
40KB

Download
memory/2464-311-0x0000000006350000-0x000000000639C000-memory.dmp

Filesize
304KB

Download
memory/2464-286-0x0000000004D60000-0x0000000004D96000-memory.dmp

Filesize
216KB

Download
memory/2464-287-0x0000000005460000-0x0000000005A88000-memory.dmp

Filesize
6.2MB

Download
memory/2464-289-0x0000000005A90000-0x0000000005AB2000-memory.dmp

Filesize
136KB

Download
memory/2464-290-0x0000000005C30000-0x0000000005C96000-memory.dmp

Filesize
408KB

Download
memory/2464-291-0x0000000005CA0000-0x0000000005D06000-memory.dmp

Filesize
408KB

Download
memory/2464-321-0x0000000006830000-0x000000000684A000-memory.dmp

Filesize
104KB

Download
memory/2464-322-0x0000000006880000-0x00000000068A2000-memory.dmp

Filesize
136KB

Download
memory/2464-320-0x0000000007270000-0x0000000007306000-memory.dmp

Filesize
600KB

Download
memory/2464-304-0x0000000005E10000-0x0000000006164000-memory.dmp

Filesize
3.3MB

Download
memory/2464-378-0x0000000008400000-0x000000000852C000-memory.dmp

Filesize
1.2MB

Download
memory/2464-340-0x00000000076C0000-0x00000000076F2000-memory.dmp

Filesize
200KB

Download
memory/2464-341-0x0000000072F00000-0x0000000072F4C000-memory.dmp

Filesize
304KB

Download
memory/2464-342-0x000000006FB40000-0x000000006FE94000-memory.dmp

Filesize
3.3MB

Download
memory/2464-352-0x0000000007700000-0x000000000771E000-memory.dmp

Filesize
120KB

Download
memory/2464-353-0x0000000007730000-0x00000000077D3000-memory.dmp

Filesize
652KB

Download
memory/2464-354-0x00000000085A0000-0x0000000008C1A000-memory.dmp

Filesize
6.5MB

Download
memory/2464-377-0x0000000008360000-0x00000000083FC000-memory.dmp

Filesize
624KB

Download
memory/2464-356-0x00000000078F0000-0x0000000007901000-memory.dmp

Filesize
68KB

Download
memory/2464-357-0x0000000007910000-0x000000000791E000-memory.dmp

Filesize
56KB

Download
memory/2464-358-0x0000000007920000-0x0000000007934000-memory.dmp

Filesize
80KB

Download
memory/2464-359-0x0000000008060000-0x000000000807A000-memory.dmp

Filesize
104KB

Download
memory/2464-360-0x0000000007960000-0x0000000007968000-memory.dmp

Filesize
32KB

Download
memory/2464-376-0x0000000008060000-0x0000000008226000-memory.dmp

Filesize
1.8MB

Download
memory/4316-305-0x000001F8C08A0000-0x000001F8C0994000-memory.dmp

Filesize
976KB

Download
memory/4316-306-0x000001F8DAF10000-0x000001F8DAFF6000-memory.dmp

Filesize
920KB

Download
memory/4316-309-0x000001F8DAEF0000-0x000001F8DAEFA000-memory.dmp

Filesize
40KB

Download
memory/4316-307-0x000001F8DB040000-0x000001F8DB066000-memory.dmp

Filesize
152KB

Download
memory/4316-324-0x000001F8DDAA0000-0x000001F8DDAAE000-memory.dmp

Filesize
56KB

Download
memory/4316-319-0x000001F8DDA80000-0x000001F8DDA88000-memory.dmp

Filesize
32KB

Download
memory/4316-318-0x000001F8DD700000-0x000001F8DD738000-memory.dmp

Filesize
224KB

Download
memory/4316-317-0x000001F8DD7C0000-0x000001F8DD87A000-memory.dmp

Filesize
744KB

Download
memory/4316-316-0x000001F8DD650000-0x000001F8DD702000-memory.dmp

Filesize
712KB

Download
memory/4316-308-0x000001F8DAEE0000-0x000001F8DAEE8000-memory.dmp

Filesize
32KB

Download
memory/5440-276-0x0000000005D60000-0x0000000006304000-memory.dmp

Filesize
5.6MB

Download
memory/5440-275-0x0000000000E30000-0x0000000000E5C000-memory.dmp

Filesize
176KB

Download