Analysis

  • max time kernel
    900s
  • max time network
    899s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250207-es
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20250207-es, locale:es-es, os:windows10-ltsc 2021-x64, system:windows
  • submitted
    08-02-2025 08:20

General

  • Target

    lmlmdos.exe

  • Size

    23KB

  • MD5

    5eb67cac2f9ef8a548ba327896909cda

  • SHA1

    b8f3612f2d00c581387b02a615ad178874b51329

  • SHA256

    f5c542679e18756fcaaf434a1df9ecee261c8fa6788b75dc64c458e4eef15f2d

  • SHA512

    40665518a5451f7bd86ca1e3ad58cec178566c0f45fde647e76c2bb8d81611ca61fe1974cb97988065239005ca63fc9de0c449d45357ee90a8a99ccd30a5415f

  • SSDEEP

    384:XweXCQIreJig/8Z7SS1fEBpng6tgL2IBPZVmRvR6JZlbw8hqIusZzZQy:oLq411eRpcnuI

Malware Config

Signatures

  • Njrat family
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Downloads MZ/PE file 1 IoCs
  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Executes dropped EXE 16 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 35 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 24 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs
  • System policy modification 1 TTPs 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\lmlmdos.exe
    "C:\Users\Admin\AppData\Local\Temp\lmlmdos.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:328
    • C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3088
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:712
      • C:\Users\Admin\AppData\Local\Temp\server.exe
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        3⤵
        • Checks computer location settings
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4032
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:1304
        • C:\Users\Admin\AppData\Local\Temp\tmp8CF3.tmp.exe
          "C:\Users\Admin\AppData\Local\Temp\tmp8CF3.tmp.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1796
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\FREEMASONRY\MBR.PIF'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            PID:2776
          • C:\FREEMASONRY\MBR.PIF
            "C:\FREEMASONRY\MBR.PIF"
            5⤵
            • Executes dropped EXE
            • Writes to the Master Boot Record (MBR)
            PID:3000
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\FREEMASONRY\FREEMASONRY.PIF'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            PID:2140
          • C:\FREEMASONRY\FREEMASONRY.PIF
            "C:\FREEMASONRY\FREEMASONRY.PIF"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:1652
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9E49.tmp.bat""
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:192
            • C:\Windows\system32\timeout.exe
              timeout 3
              6⤵
              • Delays execution with timeout.exe
              PID:1840
        • C:\Users\Admin\AppData\Local\Temp\tmp9F92.tmp.exe
          "C:\Users\Admin\AppData\Local\Temp\tmp9F92.tmp.exe"
          4⤵
          • Executes dropped EXE
          • Writes to the Master Boot Record (MBR)
          • System Location Discovery: System Language Discovery
          PID:4524
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping <base64-encoded ping payload removed>
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:1304
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{39B14294-1E85-48FC-8701-0B2EDE143997}\MicrosoftEdge_X64_132.0.2957.140.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{39B14294-1E85-48FC-8701-0B2EDE143997}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:944
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{39B14294-1E85-48FC-8701-0B2EDE143997}\EDGEMITMP_4B502.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{39B14294-1E85-48FC-8701-0B2EDE143997}\EDGEMITMP_4B502.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{39B14294-1E85-48FC-8701-0B2EDE143997}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Installs/modifies Browser Helper Object
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3664
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{39B14294-1E85-48FC-8701-0B2EDE143997}\EDGEMITMP_4B502.tmp\setup.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{39B14294-1E85-48FC-8701-0B2EDE143997}\EDGEMITMP_4B502.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{39B14294-1E85-48FC-8701-0B2EDE143997}\EDGEMITMP_4B502.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6018fa818,0x7ff6018fa824,0x7ff6018fa830
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:3080
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{39B14294-1E85-48FC-8701-0B2EDE143997}\EDGEMITMP_4B502.tmp\setup.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{39B14294-1E85-48FC-8701-0B2EDE143997}\EDGEMITMP_4B502.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:1944
        • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{39B14294-1E85-48FC-8701-0B2EDE143997}\EDGEMITMP_4B502.tmp\setup.exe
          "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{39B14294-1E85-48FC-8701-0B2EDE143997}\EDGEMITMP_4B502.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{39B14294-1E85-48FC-8701-0B2EDE143997}\EDGEMITMP_4B502.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6018fa818,0x7ff6018fa824,0x7ff6018fa830
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          PID:2208
      • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:652
        • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff77fdba818,0x7ff77fdba824,0x7ff77fdba830
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          PID:2136
      • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:3200
        • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff77fdba818,0x7ff77fdba824,0x7ff77fdba830
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          PID:2000
      • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:408
        • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff77fdba818,0x7ff77fdba824,0x7ff77fdba830
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          PID:4528
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping <base64-encoded ping payload removed>
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:756
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:920
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x504 0x4fc
    1⤵
    PID:3928

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\FREEMASONRY\FREEMASONRY.PIF

      Filesize

      1.1MB

      MD5

      927d954198234eef0bbdc891f14a9ad8

      SHA1

      6a25c293f325ed39658ba0ee5028fa07cbb14393

      SHA256

      30dc79f4836a607338f5e6a53d7b3457357d27ce654b510f193eb13aff83a76e

      SHA512

      cdc84aa72f1e6e3492fccebe130404407a3404d894e87fda7a70e475067134c3ef5b4f13ed5dd5b9eedb6f7081d4fb4f2c174a50cdb800c7e892f640c1cf11b7

    • C:\FREEMASONRY\MBR.PIF

      Filesize

      9KB

      MD5

      fd7fa61ce82dffe4f2f292f11da7eb90

      SHA1

      b2b468f31b329532d3f75b8e25f5d5d750534d40

      SHA256

      f0264a4ae79cd5a400258d5996b9f2bfde741cc10aea09319233954c16accb62

      SHA512

      12d98aa09c95074b1cf442ec2705a43c089828aa7684d96e0a8148949f7189630a72a8e2383bc143834e0352318a328104b9e1b83ba4a68eff4d2c45794fc454

    • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{39B14294-1E85-48FC-8701-0B2EDE143997}\EDGEMITMP_4B502.tmp\setup.exe

      Filesize

      6.6MB

      MD5

      b4c8ad75087b8634d4f04dc6f92da9aa

      SHA1

      7efaa2472521c79d58c4ef18a258cc573704fb5d

      SHA256

      522a25568bb503cf8b44807661f31f0921dee91d37691bf399868733205690bf

      SHA512

      5094505b33a848badcffd6b3b93aad9ad73f391e201dee052376c4f8573ba351f0b8c102131216088ffb38d0ed7b5fe70ba95c3ac2c33a50c993584fe7c435e3

    • C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

      Filesize

      1.0MB

      MD5

      3cfb2926dcec9a179dd99045e3cb4d6c

      SHA1

      7118aac6c86a622d206520cb526f2bf56946ca0c

      SHA256

      90a7b122762a920246da82b40e418d2bc81ce2879ffa7d3a3536866b7cafd561

      SHA512

      c78ace7a90e9dbce69ea9cda7f70c93d14d1e1887edcc087eeab4fab92a97cab775da4924b7fe1884967c29ca81e5fb84ddd011e2066811f9b00ee60828aab5d

    • C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

      Filesize

      1.0MB

      MD5

      902174494371c1c79b310893a606a5da

      SHA1

      1a8a2457e4291115132407fba61fc0e074bd56f4

      SHA256

      a5628e39b3c95cb630d8047faf0270aa54d50071571760e14dd0f437b4d7aff8

      SHA512

      06690222858c489c639747b00770d533d52ca43f39c1c8c6d8f4dbe9755edafa35941b9cb9e689169f134a4fabec8f0a555c60f50d1a5413c2e3401709db5c28

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\server.exe.log

      Filesize

      768B

      MD5

      be5a3ce08fa50c0b2ad724344776a81c

      SHA1

      e9159a6d16f8211372a7d9ad9f965bc2402e90c1

      SHA256

      50230f0a870bb04ed7240fd74fb8d88757e7d5c45fe3cf5ad57edf1d0b83ca26

      SHA512

      9b4a4606dcba391d84c2a4304b018d231d0d6461b2d31f15003a41cdb10b9a75cd4f95b889942c74b856734d821c4fbc89552cf3e6cf0516bb20cb7ed6b17092

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      6a807b1c91ac66f33f88a787d64904c1

      SHA1

      83c554c7de04a8115c9005709e5cd01fca82c5d3

      SHA256

      155314c1c86d8d4e5b802f1eef603c5dd4a2f7c949f069a38af5ba4959bd8256

      SHA512

      29f2d9f30fc081e7fe6e9fb772c810c9be0422afdc6aff5a286f49a990ededebcf0d083798c2d9f41ad8434393c6d0f5fa6df31226d9c3511ba2a41eb4a65200

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_njjmvbav.4hb.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\server.exe

      Filesize

      23KB

      MD5

      5eb67cac2f9ef8a548ba327896909cda

      SHA1

      b8f3612f2d00c581387b02a615ad178874b51329

      SHA256

      f5c542679e18756fcaaf434a1df9ecee261c8fa6788b75dc64c458e4eef15f2d

      SHA512

      40665518a5451f7bd86ca1e3ad58cec178566c0f45fde647e76c2bb8d81611ca61fe1974cb97988065239005ca63fc9de0c449d45357ee90a8a99ccd30a5415f

    • C:\Users\Admin\AppData\Local\Temp\tmp2231.tmp

      Filesize

      109KB

      MD5

      402ab9dba30645bfd7cd8eba83af0b7d

      SHA1

      20ef5a12bb03156bb1af43b42680de2e9bcf8dc1

      SHA256

      e70ac6965ab4ea166b8661e5d5baedd65f834fa91d169a35983842fff9c595e1

      SHA512

      4ab2e0a8aa12a3cb94b895cf7c48a72af7bbdf17dbf44f88308a6d0d5a6b53043be0df0322ba4c2dd4da41ce46acf6127c3852f622a1374a916d25d6d762118a

    • C:\Users\Admin\AppData\Local\Temp\tmp8CF3.tmp.exe

      Filesize

      1.1MB

      MD5

      9958bd8a8810860aba71e3622a62a078

      SHA1

      da5eccafc6ba80e43a7c255870fdd1512e2d8d1c

      SHA256

      3b1917c0e0e4aab689222b13aa906795e1a85082370ff51b6b4eeec50a2eed4d

      SHA512

      46dd311a5cd2494fad2ad0dac4726e1910e252fefc64c81eb767f414466085e9fa98a8454bae9bfd756321372e4ca967552da868cc5e1484b4b9a1b44baf9520

    • C:\Users\Admin\AppData\Local\Temp\tmp9E49.tmp.bat

      Filesize

      163B

      MD5

      4380e5dde47a72d5a530f9166e21f499

      SHA1

      5841893b09095e3c70938ab1296e001b4da7bc1b

      SHA256

      142f8591fba518364c4190e94b1e40cb4ccf0e19d3742b0d5de561f6abca0f42

      SHA512

      7988ff616d244a625d7c02543d6821285eadf0717d298592324bccbb303b7ec728aed4fbc7bf221845a0ec2def51368ab798e247b722b5c2688e642a28853f6f

    • C:\Users\Admin\AppData\Local\Temp\tmp9F92.tmp.exe

      Filesize

      289KB

      MD5

      7e9d3109b138c0a67be983159fbbde98

      SHA1

      012308407fada7ecb5edfe4e067fa4d18acba424

      SHA256

      1f98a3f8852d28ed3b2f64e529c1ae1eafc5ef942a962ec89163f3db2744c8a4

      SHA512

      ac6a5a4ec87fe8770c1903f62d181f94366b2f9b3d3a4e8a04ec7f25b9e9d026762efc96ba5883474b9d1c2d0cca4a99e12f0343f6eac51af12d628a926a5e12

    • C:\Users\Admin\AppData\Local\Temp\tmpB413.tmp

      Filesize

      109KB

      MD5

      a7ad997ed7aa116038104ebaeea2c315

      SHA1

      4a9c9a2d4b246b870fb0987024a0cc2315dee269

      SHA256

      43a34da4ebddc1cea35ae1b0fb5f547a750ab2f0001f521deac45600c16e40ac

      SHA512

      2dc0cf8b545d3ef60033b9149abcffadd1e7f085046583282d7deb7c09bd5ffd7da50f1e43716bc2cc0e4208b32c7ebe3053823a8489c38954f4da409ab338f5

    • C:\Users\Admin\AppData\Local\Temp\tmpEB41.tmp

      Filesize

      109KB

      MD5

      4c0a6177be784adde84a2e3ef3c4232a

      SHA1

      88e0a2b97e3f2849e455242df6b03670e964b36b

      SHA256

      a2ab32275c79e025c7b1d7df26603392cfb2606c42d70ee68bccabe490e17c6b

      SHA512

      1abc273b6abf24fa19f2afc6211138eb6251aedbd9a35c3731f6ba3716fbd7e68abe9d5eb167a7ce94ac8f863e26a06ed219a57a13cdc2cc6f5bc12481dd892e

    • C:\Windows\SystemTemp\msedge_installer.log

      Filesize

      71KB

      MD5

      fd1b1c7b59d5aa1108e7957633c5aabf

      SHA1

      888940d6e13aa53d4793af3f30f24bc0de16006d

      SHA256

      84dc3c53ac4c51ec40e45ca3d60372de4418ce49d464d6d3e157a4629a68a482

      SHA512

      f895da961ba59c8ab1bf25209819f5106e25aca7489c3c0db33547f5780e762bc6b6b5881d3bc6c333b0c442efc7a658fb9a4e26f4c6620c25d1c23a12ce7b1e

    • C:\Windows\SystemTemp\msedge_installer.log

      Filesize

      96KB

      MD5

      ef067e04ffe0d107ff533476a818e2f6

      SHA1

      4dae8eb569b0485050b8226f53514d26fa5c94d3

      SHA256

      065518e97154c2c2c65ba6b033d5a9fbe0dad6e4c59a7465c9310db0565bec9c

      SHA512

      0fbd0fe9ad4f3042095b53bee71ec686e0d46628e8a041869907f05f89eec3e3a8aa83819a0aa3d3066d9233ace9b91550daced31480f47a071445711f0a75b0

    • C:\Windows\SystemTemp\msedge_installer.log

      Filesize

      100KB

      MD5

      6820f918cdaa823b181528145f89e951

      SHA1

      6f298cf5825f4389fa15b2f79a0e8b253c37aeb4

      SHA256

      d8a5678d78632c906d14d0f3f5b5eb335a7ffe876f91c86b192042a07a6e5ca8

      SHA512

      f51d9b935e6f8a43449a3826f6a709c7e3a77651a2603359424e55b1f9d08cc91ad25393675f2c469b36b93d2db53db186ea13f9962c49d0c014e597a43fa91a

    • C:\Windows\SystemTemp\msedge_installer.log

      Filesize

      101KB

      MD5

      0c108e0f25859b78c490bf10ebe99f2b

      SHA1

      47fb6434f1a8b0a449d9d7ed08b9eb300fe694f5

      SHA256

      c74416fcaa0c01bc2d6a639543ace0db89c4e7401af1638c8f5720b9b751505c

      SHA512

      f4a6da7867df8d6ff36fed1de75f23b1447362dcdd9a53f65addeba0aef457119f7ceb05926185ff5d0db0e989b34a556c610ed485f0a68b98b4ea9449af2490

    • memory/328-15-0x0000000073E20000-0x00000000743D1000-memory.dmp

      Filesize

      5.7MB

    • memory/328-0-0x0000000073E22000-0x0000000073E23000-memory.dmp

      Filesize

      4KB

    • memory/328-2-0x0000000073E20000-0x00000000743D1000-memory.dmp

      Filesize

      5.7MB

    • memory/328-1-0x0000000073E20000-0x00000000743D1000-memory.dmp

      Filesize

      5.7MB

    • memory/1652-446-0x0000000004E10000-0x0000000004EA2000-memory.dmp

      Filesize

      584KB

    • memory/1652-465-0x0000000004EB0000-0x0000000004EBA000-memory.dmp

      Filesize

      40KB

    • memory/1652-444-0x0000000000430000-0x0000000000552000-memory.dmp

      Filesize

      1.1MB

    • memory/1652-445-0x00000000054B0000-0x0000000005A56000-memory.dmp

      Filesize

      5.6MB

    • memory/1796-394-0x0000000000EB0000-0x0000000000FC4000-memory.dmp

      Filesize

      1.1MB

    • memory/2776-408-0x000001BCD4430000-0x000001BCD447A000-memory.dmp

      Filesize

      296KB

    • memory/2776-409-0x000001BCD4480000-0x000001BCD449E000-memory.dmp

      Filesize

      120KB

    • memory/2776-407-0x000001BCD4540000-0x000001BCD4642000-memory.dmp

      Filesize

      1.0MB

    • memory/2776-406-0x000001BCB9A80000-0x000001BCB9A90000-memory.dmp

      Filesize

      64KB

    • memory/2776-405-0x000001BCD1FF0000-0x000001BCD2012000-memory.dmp

      Filesize

      136KB

    • memory/2776-395-0x000001BCD42A0000-0x000001BCD4322000-memory.dmp

      Filesize

      520KB

    • memory/3000-419-0x0000020699420000-0x0000020699428000-memory.dmp

      Filesize

      32KB

    • memory/3088-22-0x0000000073E20000-0x00000000743D1000-memory.dmp

      Filesize

      5.7MB

    • memory/3088-27-0x0000000073E20000-0x00000000743D1000-memory.dmp

      Filesize

      5.7MB

    • memory/3088-21-0x0000000073E20000-0x00000000743D1000-memory.dmp

      Filesize

      5.7MB

    • memory/3088-20-0x0000000073E20000-0x00000000743D1000-memory.dmp

      Filesize

      5.7MB

    • memory/3088-19-0x0000000073E20000-0x00000000743D1000-memory.dmp

      Filesize

      5.7MB

    • memory/3088-18-0x0000000073E20000-0x00000000743D1000-memory.dmp

      Filesize

      5.7MB

    • memory/3088-17-0x0000000073E20000-0x00000000743D1000-memory.dmp

      Filesize

      5.7MB

    • memory/3088-16-0x0000000073E20000-0x00000000743D1000-memory.dmp

      Filesize

      5.7MB

    • memory/4524-461-0x0000000000870000-0x00000000008BE000-memory.dmp

      Filesize

      312KB