Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

4aa398eb33...7b.exe

windows7-x64

10

4aa398eb33...7b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250207-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/02/2025, 03:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4aa398eb330d666b85164e1fdc28802c585071870e09576109523cdafc10ee7b.exe

  • Size

    1.8MB

  • MD5

    2a6e3f3275d854bf07aba2427baa6610

  • SHA1

    37d6411844b5d8a9d997f38f7718168b33cbc564

  • SHA256

    4aa398eb330d666b85164e1fdc28802c585071870e09576109523cdafc10ee7b

  • SHA512

    a6054ab62fc7415dafaca1dc273b42edd9680541e964b7b20d6b7ed07d65fb2ee01ea833bfedec9abc3687814449bb65f7c041ba462aed5cc44397e0ae2d4ef0

  • SSDEEP

    24576:4p8qWcx5AkyZrtziLafchZChMHTzC6SXYdzNyCzrgEctNjfRn5rEQi:wcJQLa0hs2HTbbtNhzrgZnp5rE

Score
10/10
dcratgurcuadwarediscoveryexecutioninfostealerpersistenceprivilege_escalationratstealer

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7323575349:AAF8153fa71q5xpXhmOjB3L_BqSQXG8r32U/sendPhot

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Gurcu family
    gurcu
  • Gurcu, WhiteSnake

    Gurcu aka WhiteSnake is a malware stealer written in C#.

    stealergurcu
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Executes dropped EXE 10 IoCs
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 26 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 4 IoCs
    defense_evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\4aa398eb330d666b85164e1fdc28802c585071870e09576109523cdafc10ee7b.exe
    "C:\Users\Admin\AppData\Local\Temp\4aa398eb330d666b85164e1fdc28802c585071870e09576109523cdafc10ee7b.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4484
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\owkeyxog\owkeyxog.cmdline"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2960
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9B27.tmp" "c:\Windows\System32\CSC39ECB2C634EB4F77B1ECCC4E8D16726E.TMP"
        3⤵
          PID:3976
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:4792
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:372
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:3408
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2440
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:3276
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2436
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1824
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2816
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:5064
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:3500
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:4588
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\en-US\spoolsv.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:3152
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\MicrosoftEdgeUpdate.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:4764
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1088
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\dllhost.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:3160
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\dllhost.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:4752
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\4aa398eb330d666b85164e1fdc28802c585071870e09576109523cdafc10ee7b.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:768
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NaZCbfZuP9.bat"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3648
        • C:\Windows\system32\chcp.com
          chcp 65001
          3⤵
            PID:1016
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            3⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:3992
          • C:\Users\Admin\AppData\Local\Temp\4aa398eb330d666b85164e1fdc28802c585071870e09576109523cdafc10ee7b.exe
            "C:\Users\Admin\AppData\Local\Temp\4aa398eb330d666b85164e1fdc28802c585071870e09576109523cdafc10ee7b.exe"
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:5468
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\spoolsv.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2324
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5004
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1556
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "MicrosoftEdgeUpdateM" /sc MINUTE /mo 12 /tr "'C:\Windows\Offline Web Pages\MicrosoftEdgeUpdate.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5116
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "MicrosoftEdgeUpdate" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\MicrosoftEdgeUpdate.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3136
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "MicrosoftEdgeUpdateM" /sc MINUTE /mo 10 /tr "'C:\Windows\Offline Web Pages\MicrosoftEdgeUpdate.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2456
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3280
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1144
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4352
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\Application\dllhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3884
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1364
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\Application\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2284
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\dllhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:844
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4760
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4532
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "4aa398eb330d666b85164e1fdc28802c585071870e09576109523cdafc10ee7b4" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\4aa398eb330d666b85164e1fdc28802c585071870e09576109523cdafc10ee7b.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1820
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "4aa398eb330d666b85164e1fdc28802c585071870e09576109523cdafc10ee7b" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\4aa398eb330d666b85164e1fdc28802c585071870e09576109523cdafc10ee7b.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1000
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "4aa398eb330d666b85164e1fdc28802c585071870e09576109523cdafc10ee7b4" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\4aa398eb330d666b85164e1fdc28802c585071870e09576109523cdafc10ee7b.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2672
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RjJDM0UyNDctRTI5QS00Mzg2LTlCMkUtMEE5RUY2REM1NzE3fSIgdXNlcmlkPSJ7NTYxOTg4ODctNUJFOS00NEI4LTg1Q0UtRDI1MjhBQTE4OTAwfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NjQwQUQ0NDktODQ2Ny00REE1LTgyMzEtOThENjE1RDI3NURCfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI1IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDcxNzgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTY4MDM3MTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0OTAyMjk3OTU1Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
        1⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        PID:5512
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D3974F19-E8FE-4E09-B490-2501B99685E2}\MicrosoftEdge_X64_133.0.3065.59.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D3974F19-E8FE-4E09-B490-2501B99685E2}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:4060
        • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D3974F19-E8FE-4E09-B490-2501B99685E2}\EDGEMITMP_8919B.tmp\setup.exe
          "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D3974F19-E8FE-4E09-B490-2501B99685E2}\EDGEMITMP_8919B.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D3974F19-E8FE-4E09-B490-2501B99685E2}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
          2⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Installs/modifies Browser Helper Object
          • Drops file in Program Files directory
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2952
          • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D3974F19-E8FE-4E09-B490-2501B99685E2}\EDGEMITMP_8919B.tmp\setup.exe
            "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D3974F19-E8FE-4E09-B490-2501B99685E2}\EDGEMITMP_8919B.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D3974F19-E8FE-4E09-B490-2501B99685E2}\EDGEMITMP_8919B.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff774526a68,0x7ff774526a74,0x7ff774526a80
            3⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            PID:1364
          • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D3974F19-E8FE-4E09-B490-2501B99685E2}\EDGEMITMP_8919B.tmp\setup.exe
            "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D3974F19-E8FE-4E09-B490-2501B99685E2}\EDGEMITMP_8919B.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
            3⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious use of WriteProcessMemory
            PID:3064
            • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D3974F19-E8FE-4E09-B490-2501B99685E2}\EDGEMITMP_8919B.tmp\setup.exe
              "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D3974F19-E8FE-4E09-B490-2501B99685E2}\EDGEMITMP_8919B.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D3974F19-E8FE-4E09-B490-2501B99685E2}\EDGEMITMP_8919B.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff774526a68,0x7ff774526a74,0x7ff774526a80
              4⤵
              • Executes dropped EXE
              • Drops file in Program Files directory
              PID:4392
          • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
            3⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4036
            • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6e2156a68,0x7ff6e2156a74,0x7ff6e2156a80
              4⤵
              • Executes dropped EXE
              PID:1336
          • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
            3⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Suspicious use of WriteProcessMemory
            PID:2752
            • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6e2156a68,0x7ff6e2156a74,0x7ff6e2156a80
              4⤵
              • Executes dropped EXE
              PID:1632
          • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
            3⤵
            • Executes dropped EXE
            PID:5136
            • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6e2156a68,0x7ff6e2156a74,0x7ff6e2156a80
              4⤵
              • Executes dropped EXE
              PID:2764
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness
        1⤵
          PID:4092
        • C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe
          "C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe" /InvokerPRAID: Microsoft.MicrosoftOfficeHub prelaunch
          1⤵
            PID:5068
          • C:\Windows\system32\wwahost.exe
            "C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa
            1⤵
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:2744

          Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Execution

          Command and Scripting Interpreter

          1
          T1059

          PowerShell

          1
          T1059.001

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Persistence

          Boot or Logon Autostart Execution

          3
          T1547

          Active Setup

          1
          T1547.014

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Browser Extensions

          1
          T1176

          Event Triggered Execution

          1
          T1546

          Component Object Model Hijacking

          1
          T1546.015

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Privilege Escalation

          Boot or Logon Autostart Execution

          3
          T1547

          Active Setup

          1
          T1547.014

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Event Triggered Execution

          1
          T1546

          Component Object Model Hijacking

          1
          T1546.015

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Defense Evasion

          Modify Registry

          6
          T1112

          Credential Access

          Discovery

          Query Registry

          3
          T1012

          Remote System Discovery

          1
          T1018

          System Information Discovery

          2
          T1082

          System Location Discovery

          1
          T1614

          System Language Discovery

          1
          T1614.001

          System Network Configuration Discovery

          1
          T1016

          Internet Connection Discovery

          1
          T1016.001

          Lateral Movement

          Collection

          Command and Control

          Exfiltration

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D3974F19-E8FE-4E09-B490-2501B99685E2}\EDGEMITMP_8919B.tmp\setup.exe
            Filesize

            6.8MB

            MD5

            1b3e9c59f9c7a134ec630ada1eb76a39

            SHA1

            a7e831d392e99f3d37847dcc561dd2e017065439

            SHA256

            ce78ccfb0c9cdb06ea61116bc57e50690650b6b5cf37c1aebfb30c19458ee4ae

            SHA512

            c0e50410dc92d80ff7bc854907774fc551564e078a8d38ca6421f15cea50282c25efac4f357b52b066c4371f9b8d4900fa8122dd80ab06ecbd851c6e049f7a3e

            Download Submit

          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Filesize

            3.9MB

            MD5

            ad5f7dc7ca3e67dce70c0a89c04519e0

            SHA1

            a10b03234627ca8f3f8034cd5637cda1b8246d83

            SHA256

            663fe0f4e090583e6aa5204b9a80b7a76f677259066e56a7345aebc6bc3e7d31

            SHA512

            ad5490e9865caa454c47ec2e96364b9c566b553e64801da60c295acd570017747be1aff6f22ca6c20c6eee6f6d05a058af72569fd6e656f66e48010978c7fd51

            Download Submit

          • C:\Program Files (x86)\Windows Photo Viewer\en-US\spoolsv.exe
            Filesize

            1.8MB

            MD5

            2a6e3f3275d854bf07aba2427baa6610

            SHA1

            37d6411844b5d8a9d997f38f7718168b33cbc564

            SHA256

            4aa398eb330d666b85164e1fdc28802c585071870e09576109523cdafc10ee7b

            SHA512

            a6054ab62fc7415dafaca1dc273b42edd9680541e964b7b20d6b7ed07d65fb2ee01ea833bfedec9abc3687814449bb65f7c041ba462aed5cc44397e0ae2d4ef0

            Download Submit

          • C:\Program Files\msedge_installer.log
            Filesize

            73KB

            MD5

            5a664f04eedcbf1e54420c029a672939

            SHA1

            bbfca99805ef2316c1ec096299fb6a4ca545a3a4

            SHA256

            c1791df8d06f7bb4a6edf86fbdcce1f50303a5f6af121c2261a76ebb40a42671

            SHA512

            52496fa22efe001da472c631e69a56432d292437fa1f9b62d3ea0fd9b9ec276c858b2716ec5915e04a2bdcd47fb25de164d967cddfac5296721218202d49393a

            Download Submit

          • C:\Program Files\msedge_installer.log
            Filesize

            99KB

            MD5

            41477d37537d814c306cbd651a074eef

            SHA1

            1b3780e547061059045a4ea9b3640430d3896c16

            SHA256

            20ead648169e651b17d42aa55b791406be24420ffe6c5b43c220d207db21a92e

            SHA512

            8d3ff19e1902b989f867689e9a1dd794e9e4c6cb70fbad551c4e02fac1c5b258c93ae75f018f894a28a48adcf98cafa74a53453652fe4ae0e9be492f7268cff4

            Download Submit

          • C:\Program Files\msedge_installer.log
            Filesize

            102KB

            MD5

            6449ca2a062e2cf2f5f7fbb099843c10

            SHA1

            88cd0615fbdfd07e7e5bc2dfd6f98b8c2b130cd4

            SHA256

            4eb5098ac971a0b8178dbd639f38e3f6d7f603fa52b3b03fd6f4346e2c5219e1

            SHA512

            16e32ecb679b198877746aed8e08c802fae726a5da1582d5f8141c7a883c1bbe1a28c3cb569970dc20ca24c4bc000a5e8614424728e7b08a35fd10472a4719c1

            Download Submit

          • C:\Program Files\msedge_installer.log
            Filesize

            105KB

            MD5

            dfd0671dff7a086610f2cb2c2e3d4154

            SHA1

            ea3b0aa4ea5de217a30ce1d6d081f60cd822a046

            SHA256

            25bd533629a3263ec04b61aa4b85faf5102190fb1ef7dde051bae34fe0cb69b5

            SHA512

            887e7a6ac1539e3c744acb61ed4e968f01954820f3d28f7d0816b97be44ee05091ed20f57fe21bcf0b6f12d4ea302951b0a191c1cf1b7862957875eb6e6e8cad

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\4aa398eb330d666b85164e1fdc28802c585071870e09576109523cdafc10ee7b.exe.log
            Filesize

            1KB

            MD5

            18da49c97c362515aa00f9d0b966f403

            SHA1

            1974d473a06114342e171ca707c86c8303ab168a

            SHA256

            1747424c1eba45d3539d08f84a8f02149ea969ef380a6c6d13a5cc3fe963e684

            SHA512

            d1ca8005f1f5ac652696ae1b03d5c27b243300525e2dbd6db89da1f1c43cc55553982f3edc5501261e461aa9e8063418c1760f070366d1dddec4e6dc159a6d87

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
            Filesize

            2KB

            MD5

            09c38bf09493920e93b25f37f1ae4efe

            SHA1

            42e5d800056f08481870c4ca2d0d48181ca8edc8

            SHA256

            37874b332a80efcccee52825b3d71d1faaae3820e09b47c3f161628bf35cc255

            SHA512

            91eacaafc2cd9f80338302d6b3cc3a1aa957752f63a449fb2c1ebcac2bcc59fd8624d4e042c488b5fbe73b881da86c9de819d500de8c7eb6bc0d3951a2bf9123

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            d28a889fd956d5cb3accfbaf1143eb6f

            SHA1

            157ba54b365341f8ff06707d996b3635da8446f7

            SHA256

            21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

            SHA512

            0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            eeb3d64208575f4d57e7d5f4975f432e

            SHA1

            518771c783208749779711985f3bac8f242d66cb

            SHA256

            274e9c421cb721c8151e27b096f8064fe91f94cfd5dea1515f0d3ef77d002ce9

            SHA512

            acc26d6ed86f201a956feb538d802f2edd2add3709d7aa8f1ec9ccddfb7bfdea3e47a99d2cc09f85e4d7449259cfb672ef5f7e1f589ae026590351d2415598e5

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            707e029ca15f1f68d35503f2e97d01a0

            SHA1

            62edfc3afe7a6bcda5a4b8c5f6b285ad2db222e1

            SHA256

            980b55671f81c15d6618be0a50898c3f2f2e358270dee44d5a6ff0ad76ee94a9

            SHA512

            1247bb3b3d746f79e6f3c0fc00e9765c0a259c69367cc92ba3f1d6cbda6aac17e0aaf7cc1f06da909b8902bf12c806cdfc1f742c4a5bf8ff6570b282d3ddbda1

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            59aca03635d6353829f73a6ab2199b1b

            SHA1

            64798a4dfbc580d2ef35f70ab45c3b09b836fd91

            SHA256

            600ef901c253d8c8e1a92d178ee84522c6b6f61d2ecc83dd34a7bb2e86b1b50b

            SHA512

            e7cb75200e7aab2b0bc1595b15c8927e563de9af1927d2b2de5ee3b25de24e589d1a488a3732ac40811854491ee9359b96363bff12bef7bbe88d64efe6d9b428

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            59d97011e091004eaffb9816aa0b9abd

            SHA1

            1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

            SHA256

            18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

            SHA512

            d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            a8e8360d573a4ff072dcc6f09d992c88

            SHA1

            3446774433ceaf0b400073914facab11b98b6807

            SHA256

            bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

            SHA512

            4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            6c47b3f4e68eebd47e9332eebfd2dd4e

            SHA1

            67f0b143336d7db7b281ed3de5e877fa87261834

            SHA256

            8c48b1f2338e5b24094821f41121d2221f1cb3200338f46df49f64d1c4bc3e0c

            SHA512

            0acf302a9fc971ef9df65ed42c47ea17828e54dff685f4434f360556fd27cdc26a75069f00dcdc14ba174893c6fd7a2cfd8c6c07be3ce35dafee0a006914eaca

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\NaZCbfZuP9.bat
            Filesize

            230B

            MD5

            2193e10d44dc700194a32c88c609ee6e

            SHA1

            920d00a3fa0aec39dcd46713bbc853dc832441db

            SHA256

            04d1f159752be38bdaa86abd68ed045be428db9dddbb639b10f2c0fe61065362

            SHA512

            66a64c484c9a58131296c48694fe458e89cc34dbab5acf4ed346890399a3c55ca5915fce8d2c0fd2ffc7cf2b76fd48e144974fea16e933ffca51f493804f9fbe

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\RES9B27.tmp
            Filesize

            1KB

            MD5

            73b7bcd5c0eb512a3cc29e4aef41b656

            SHA1

            62dbd6f1ae814538235b476627688e6c780b339a

            SHA256

            7922a1e14e9bcd6acc995135bcaba593b1324a19c6e3b427d7bfcda2508fa407

            SHA512

            ff6f145d529ef366f77bb77375febb7bd9b03e0ff8530d852cbced0239be050bc81b1d010a45d55d01ac4bfdb1bc924f11f12bb57786c9297f5ac6f4b159332a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mosncuyj.mp3.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • \??\c:\Users\Admin\AppData\Local\Temp\owkeyxog\owkeyxog.0.cs
            Filesize

            393B

            MD5

            fb08df8a7adf07991bd2d5d60caaac60

            SHA1

            d6c57cc6533cf9ccd0dadb547b3186f4358ecaeb

            SHA256

            16424bf1605a6237fd1ac2485a0129c692bf8c2f139137f70b23e67cbbf59118

            SHA512

            208036ef785ec428b7e55eec489ae6ffbc6c18f79ba37a819d8575239de1613ae6db3bef4de53539d5f53ca1697f30e2861bc7934ad5673c4f63f89255327041

            Download Submit

          • \??\c:\Users\Admin\AppData\Local\Temp\owkeyxog\owkeyxog.cmdline
            Filesize

            235B

            MD5

            097002ab2879ef4015444067d0d91703

            SHA1

            693963992af91c2db1e6ed0cd144feea860e3f3d

            SHA256

            d8af9bfee25d4082bfc32087187b5e93f2339cb8347822e46dab23e675aa1d58

            SHA512

            56779825eee153e40653b605e8f763713f046fd353a8c30bc21aabf16c1bbfe235da0248122800ff43488ce313fd9cbc64aca3dfaed3d6b7931a3e650d5bb06c

            Download Submit

          • \??\c:\Windows\System32\CSC39ECB2C634EB4F77B1ECCC4E8D16726E.TMP
            Filesize

            1KB

            MD5

            fbc235e20b211046ecf870b1adffaabb

            SHA1

            244faf1f0b1e882f7264c46cdbb95d10efa0629c

            SHA256

            d419c39e20188edf6a5d35a44c33b21d63b60ba7837205ba23f20f3b39e3fc5d

            SHA512

            0a4f8d872a162f80f862d449b704150166d13a9fd18b8b4c2886085bd46dc441c8b04aa4632fbfb1e8c752c3e8390f1436f6358d27ccc737be8daf131ec1bedb

            Download Submit

          • memory/4484-50-0x00007FFDD09E0000-0x00007FFDD14A1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4484-0-0x00007FFDD09E3000-0x00007FFDD09E5000-memory.dmp

            Filesize

            8KB

            Download

          • memory/4484-44-0x00007FFDD09E0000-0x00007FFDD14A1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4484-31-0x00007FFDD09E0000-0x00007FFDD14A1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4484-30-0x00007FFDD09E0000-0x00007FFDD14A1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4484-29-0x00007FFDD09E0000-0x00007FFDD14A1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4484-18-0x00007FFDD09E0000-0x00007FFDD14A1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4484-16-0x00007FFDD09E0000-0x00007FFDD14A1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4484-15-0x0000000000C60000-0x0000000000C6C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/4484-10-0x00007FFDD09E0000-0x00007FFDD14A1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4484-11-0x000000001B2C0000-0x000000001B310000-memory.dmp

            Filesize

            320KB

            Download

          • memory/4484-13-0x00000000009C0000-0x00000000009C8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/4484-9-0x000000001AF40000-0x000000001AF5C000-memory.dmp

            Filesize

            112KB

            Download

          • memory/4484-7-0x00007FFDD09E0000-0x00007FFDD14A1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4484-6-0x00000000009B0000-0x00000000009BE000-memory.dmp

            Filesize

            56KB

            Download

          • memory/4484-4-0x00007FFDD09E0000-0x00007FFDD14A1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4484-3-0x00007FFDD09E0000-0x00007FFDD14A1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4484-2-0x00007FFDD09E0000-0x00007FFDD14A1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4484-1-0x0000000000130000-0x00000000002F8000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/4752-57-0x0000025A6AD80000-0x0000025A6ADA2000-memory.dmp

            Filesize

            136KB

            Download

          • memory/5068-326-0x00000223C7C30000-0x00000223C7C3E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/5068-327-0x00000223E3340000-0x00000223E334A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/5068-328-0x00000223E3350000-0x00000223E3358000-memory.dmp

            Filesize

            32KB

            Download

          • memory/5068-329-0x00000223E33E0000-0x00000223E3629000-memory.dmp

            Filesize

            2.3MB

            Download

          • memory/5068-385-0x00000223E36F0000-0x00000223E3706000-memory.dmp

            Filesize

            88KB

            Download

          • memory/5468-244-0x000000001DBB0000-0x000000001DCC5000-memory.dmp

            Filesize

            1.1MB

            Download