Resubmissions

01/03/2025, 18:58

250301-xmhhrayp15 10

01/03/2025, 18:55

250301-xkqrcaypx7 10

Analysis

  • max time kernel
    900s
  • max time network
    900s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250211-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250211-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16/02/2025, 01:02

General

  • Target

    42f972925508a82236e8533567487761.exe

  • Size

    3.7MB

  • MD5

    9d2a888ca79e1ff3820882ea1d88d574

  • SHA1

    112c38d80bf2c0d48256249bbabe906b834b1f66

  • SHA256

    8b5b38085f12d51393ed5a481a554074d3c482d53ecd917f2f5dffdf3d2ee138

  • SHA512

    17a9f74ecf9f118ed0252fa0bc6ce0f9758a4dc75f238cae304def9c37cd94623818dd4aef38826642ff9e549b7e6047318f8bf6de7edff2d61a298d0bf5c840

  • SSDEEP

    98304:Nn1CVf+y/EFc7DvOUxlpq2JdnQ+O2M7hlXKUmkbtT2TMI:A/EqaUFqItO2M7PXKUmkbtT2T

Malware Config

Extracted

Family

darkcomet

Attributes
  • gencode

  • install

    false

  • offline_keylogger

    false

  • persistence

    false

rc4.plain

Extracted

Family

warzonerat

C2

sandyclark255.hopto.org:5200

Extracted

Family

babylonrat

C2

sandyclark255.hopto.org

Extracted

Family

asyncrat

Version

0.5.6A

Botnet

null

C2

sandyclark255.hopto.org:6606

sandyclark255.hopto.org:8808

sandyclark255.hopto.org:7707

Mutex

adweqsds56332

Attributes
  • delay

    5

  • install

    true

  • install_file

    prndrvest.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

darkcomet

Botnet

2020NOV1

C2

sandyclark255.hopto.org:35887

Mutex

DC_MUTEX-6XT818D

Attributes
  • InstallPath

    excelsl.exe

  • gencode

    n7asq0Dbu7D2

  • install

    true

  • offline_keylogger

    true

  • password

    hhhhhh

  • persistence

    true

  • reg_key

    office

rc4.plain
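
Every configuration extracted above, across four families, resolves the same dynamic-DNS name and differs only in port, so one resolver sink covers the whole sample. The Python below is an editorial example added to this report (it is not tria.ge output and not code from the sample): it tabulates the C2 endpoints exactly as extracted, inverts them into a lookup, and runs a few constructed connection-log lines against it. The log format (`<timestamp> <host> <port>`) is an assumption; the BabylonRAT entry carries no port, so it is treated as host-only.

```python
import re
from collections import defaultdict

# C2 endpoints exactly as extracted in the configs above. A port of None
# means the config carried only a hostname (BabylonRAT).
C2_BY_FAMILY = {
    "darkcomet":  [("sandyclark255.hopto.org", 35887)],
    "warzonerat": [("sandyclark255.hopto.org", 5200)],
    "babylonrat": [("sandyclark255.hopto.org", None)],
    "asyncrat":   [("sandyclark255.hopto.org", 6606),
                   ("sandyclark255.hopto.org", 8808),
                   ("sandyclark255.hopto.org", 7707)],
}

# Host artifacts from the same configs, useful for an endpoint sweep.
HOST_IOCS = {
    "mutex": ["adweqsds56332", "DC_MUTEX-6XT818D"],
    "install_file": [r"%AppData%\prndrvest.exe", "excelsl.exe"],
    "run_key_value": ["office"],
}


def c2_index():
    """Invert the per-family table into {(host, port): {family, ...}}."""
    idx = defaultdict(set)
    for family, endpoints in C2_BY_FAMILY.items():
        for host, port in endpoints:
            idx[(host.lower(), port)].add(family)
    return idx


def match_c2(host, port):
    """Families whose C2 matches a (host, port) connection.

    A hostname-only entry matches any port on that host, so every
    connection to the shared DDNS name is at least attributable to
    the family that configured it without a port.
    """
    idx = c2_index()
    host = host.lower()
    hits = set(idx.get((host, port), set()))
    hits |= idx.get((host, None), set())
    return hits


def blocked_hosts():
    """Distinct hostnames to sink at the resolver; one name covers all families."""
    return sorted({h for eps in C2_BY_FAMILY.values() for h, _ in eps})


# Constructed connection log (assumed format: "<timestamp> <host> <port>").
SAMPLE_LOG = """\
2025-02-16T01:03:11Z sandyclark255.hopto.org 6606
2025-02-16T01:03:12Z sandyclark255.hopto.org 5200
2025-02-16T01:03:13Z sandyclark255.hopto.org 4444
2025-02-16T01:03:14Z example.org 443
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)$")


def scan_log(text):
    """Return (timestamp, host, port, [families]) for every line that hits a C2."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, host, port = m.group(1), m.group(2), int(m.group(3))
        families = match_c2(host, port)
        if families:
            alerts.append((ts, host, port, sorted(families)))
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Port-level matching is what tells the families apart on the wire; the third constructed line (an unlisted port on the same host) still alerts because of the host-only BabylonRAT entry, which is the behaviour you want when the operator rotates ports but keeps the DDNS name.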

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Asyncrat family
  • Babylon RAT

    Babylon RAT is a remote access trojan written in C++.

  • Babylonrat family
  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Darkcomet family
  • Modifies WinLogon for persistence 2 TTPs 3 IoCs
  • Njrat family
  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

  • Warzonerat family
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Async RAT payload 1 IoCs
  • Warzone RAT payload 2 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Downloads MZ/PE file 3 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Executes dropped EXE 29 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 7 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Program crash 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 26 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 64 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 51 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe
    "C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4696
    • C:\Users\Admin\AppData\Local\Temp\51EZFdY4dfCSa7Ei.exe
      "C:\Users\Admin\AppData\Local\Temp\51EZFdY4dfCSa7Ei.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:3980
      • C:\Windows\svehosts.exe
        "C:\Windows\svehosts.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:4516
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Windows\svehosts.exe" "svehosts.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:4796
    • C:\Users\Admin\AppData\Local\Temp\lPmftrjo4f4XVUvl.exe
      "C:\Users\Admin\AppData\Local\Temp\lPmftrjo4f4XVUvl.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4160
      • C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
        "C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4808
        • C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
          "C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe" 4808
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:4020
          • C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
            "C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe"
            5⤵
            • Executes dropped EXE
            PID:4588
    • C:\Users\Admin\AppData\Local\Temp\bnGrgxSLvC7FoIQ7.exe
      "C:\Users\Admin\AppData\Local\Temp\bnGrgxSLvC7FoIQ7.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5080
      • C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe
        "C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Drops file in Drivers directory
        • Checks computer location settings
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:3700
        • C:\Windows\SysWOW64\notepad.exe
          notepad
          4⤵
          • System Location Discovery: System Language Discovery
          PID:440
        • C:\Users\Admin\Documents\excelsl.exe
          "C:\Users\Admin\Documents\excelsl.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3564
          • C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe
            "C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe"
            5⤵
            • Disables RegEdit via registry modification
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:4272
            • C:\Windows\SysWOW64\notepad.exe
              notepad
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1628
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3564 -s 1156
            5⤵
            • Program crash
            PID:3724
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 1164
        3⤵
        • Program crash
        PID:2268
    • C:\Users\Admin\AppData\Local\Temp\Ab6tt2WvkWkv7kKU.exe
      "C:\Users\Admin\AppData\Local\Temp\Ab6tt2WvkWkv7kKU.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4508
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'prndrvest"' /tr "'C:\Users\Admin\AppData\Roaming\prndrvest.exe"'
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:1848
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC7DF.tmp.bat""
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1948
        • C:\Windows\SysWOW64\timeout.exe
          timeout 3
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:640
        • C:\Users\Admin\AppData\Roaming\prndrvest.exe
          "C:\Users\Admin\AppData\Roaming\prndrvest.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:4968
    • C:\Users\Admin\AppData\Local\Temp\34ALL5kXXkA7RWQp.exe
      "C:\Users\Admin\AppData\Local\Temp\34ALL5kXXkA7RWQp.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1256
      • C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe
        "C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3984
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 1160
        3⤵
        • Program crash
        PID:4628
    • C:\Users\Admin\AppData\Local\Temp\SHUaLHWdDcqW3loY.exe
      "C:\Users\Admin\AppData\Local\Temp\SHUaLHWdDcqW3loY.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2468
      • C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe
        "C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        PID:3720
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 1128
        3⤵
        • Program crash
        PID:964
    • C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe
      "C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe"
      2⤵
      • Executes dropped EXE
      PID:2964
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 1580
      2⤵
      • Program crash
      PID:3120
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4696 -ip 4696
    1⤵
      PID:3512
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1256 -ip 1256
      1⤵
        PID:1628
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2468 -ip 2468
        1⤵
          PID:5036
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5080 -ip 5080
          1⤵
            PID:2164
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3564 -ip 3564
            1⤵
              PID:3140
            • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
              "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping …-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI0IiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODIxNjkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1MzE4NTEwMTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NjU0NTM5MzQ1Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
              1⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              PID:432
            • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F3A49AE9-6B70-4C22-8779-258C9EC879B8}\MicrosoftEdge_X64_133.0.3065.59.exe
              "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F3A49AE9-6B70-4C22-8779-258C9EC879B8}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
              1⤵
                PID:2264
                • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F3A49AE9-6B70-4C22-8779-258C9EC879B8}\EDGEMITMP_DD1C6.tmp\setup.exe
                  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F3A49AE9-6B70-4C22-8779-258C9EC879B8}\EDGEMITMP_DD1C6.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F3A49AE9-6B70-4C22-8779-258C9EC879B8}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
                  2⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Installs/modifies Browser Helper Object
                  • Drops file in Program Files directory
                  • Modifies Internet Explorer settings
                  • Modifies registry class
                  • System policy modification
                  PID:2224
                  • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F3A49AE9-6B70-4C22-8779-258C9EC879B8}\EDGEMITMP_DD1C6.tmp\setup.exe
                    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F3A49AE9-6B70-4C22-8779-258C9EC879B8}\EDGEMITMP_DD1C6.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F3A49AE9-6B70-4C22-8779-258C9EC879B8}\EDGEMITMP_DD1C6.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6b8b76a68,0x7ff6b8b76a74,0x7ff6b8b76a80
                    3⤵
                    • Executes dropped EXE
                    • Drops file in Program Files directory
                    PID:2084
                  • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F3A49AE9-6B70-4C22-8779-258C9EC879B8}\EDGEMITMP_DD1C6.tmp\setup.exe
                    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F3A49AE9-6B70-4C22-8779-258C9EC879B8}\EDGEMITMP_DD1C6.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
                    3⤵
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • Modifies data under HKEY_USERS
                    PID:4584
                    • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F3A49AE9-6B70-4C22-8779-258C9EC879B8}\EDGEMITMP_DD1C6.tmp\setup.exe
                      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F3A49AE9-6B70-4C22-8779-258C9EC879B8}\EDGEMITMP_DD1C6.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F3A49AE9-6B70-4C22-8779-258C9EC879B8}\EDGEMITMP_DD1C6.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6b8b76a68,0x7ff6b8b76a74,0x7ff6b8b76a80
                      4⤵
                      • Executes dropped EXE
                      PID:4380
                  • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
                    3⤵
                    • Executes dropped EXE
                    • Drops file in Program Files directory
                    • Suspicious behavior: EnumeratesProcesses
                    PID:4692
                    • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6cb026a68,0x7ff6cb026a74,0x7ff6cb026a80
                      4⤵
                      • Executes dropped EXE
                      PID:4912
                  • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
                    3⤵
                    • Executes dropped EXE
                    PID:1992
                    • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x228,0x22c,0x230,0x200,0x234,0x7ff6cb026a68,0x7ff6cb026a74,0x7ff6cb026a80
                      4⤵
                      • Executes dropped EXE
                      PID:3040
                  • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
                    3⤵
                    • Executes dropped EXE
                    PID:644
                    • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6cb026a68,0x7ff6cb026a74,0x7ff6cb026a80
                      4⤵
                      • Executes dropped EXE
                      PID:3344
              • C:\Windows\System32\svchost.exe
                C:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness
                1⤵
                  PID:1012
                • C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe
                  "C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe" /InvokerPRAID: Microsoft.MicrosoftOfficeHub prelaunch
                  1⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1152
                • C:\Windows\system32\wwahost.exe
                  "C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa
                  1⤵
                  • Modifies Internet Explorer settings
                  • Modifies registry class
                  • Suspicious use of SetWindowsHookEx
                  PID:1552
                • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E01E136B-2103-4CFE-8353-B990059ACBD9}\MicrosoftEdge_X64_133.0.3065.69_132.0.2957.140.exe
                  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E01E136B-2103-4CFE-8353-B990059ACBD9}\MicrosoftEdge_X64_133.0.3065.69_132.0.2957.140.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
                  1⤵
                  • Drops file in Program Files directory
                  PID:3192
                  • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E01E136B-2103-4CFE-8353-B990059ACBD9}\EDGEMITMP_0BB6E.tmp\setup.exe
                    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E01E136B-2103-4CFE-8353-B990059ACBD9}\EDGEMITMP_0BB6E.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E01E136B-2103-4CFE-8353-B990059ACBD9}\MicrosoftEdge_X64_133.0.3065.69_132.0.2957.140.exe" --previous-version="132.0.2957.140" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
                    2⤵
                    • Executes dropped EXE
                    • Drops file in Program Files directory
                    PID:1748
                    • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E01E136B-2103-4CFE-8353-B990059ACBD9}\EDGEMITMP_0BB6E.tmp\setup.exe
                      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E01E136B-2103-4CFE-8353-B990059ACBD9}\EDGEMITMP_0BB6E.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E01E136B-2103-4CFE-8353-B990059ACBD9}\EDGEMITMP_0BB6E.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x22c,0x230,0x234,0x208,0x238,0x7ff7e6966a68,0x7ff7e6966a74,0x7ff7e6966a80
                      3⤵
                      • Executes dropped EXE
                      PID:4376
                • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
                  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping …
                  1⤵
                  • System Location Discovery: System Language Discovery
                  • System Network Configuration Discovery: Internet Connection Discovery
                  PID:4592
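
Two readings of the process tree above matter for anyone turning it into detections. First, the MicrosoftEdgeUpdate.exe and Edge setup.exe subtrees (PIDs 432, 2264, 3192, 4592 and their children) are the sandbox image's own Edge update running inside the 900 s window; the Active Setup, Browser Helper Object, Internet Explorer settings and system policy signatures listed earlier attach to that installer (PID 2224), not to the sample. Second, the sample's own children leave command lines that are detectable on their own: a netsh firewall exception for a binary dropped into C:\Windows, a schtasks ONLOGON task at the highest run level pointing into %AppData%, a cmd /c stub running a tmp*.tmp.bat from %TEMP% followed by timeout 3, and a run of svchost look-alike names (svehosts.exe, svbhost.exe, svuhost.exe, svrhost.exe, svthost.exe). The Python below is an editorial example added to this report, not tria.ge's detection logic and not code from the sample: it encodes those four command-line rules plus the name check and runs them over process-creation events constructed from the PIDs and command lines recorded above (the schtasks quoting is reproduced as logged). The ATT&CK IDs are the standard ones for each behaviour; the event tuple shape is an assumption.

```python
import re
from typing import NamedTuple


class Finding(NamedTuple):
    pid: int
    technique: str   # MITRE ATT&CK technique ID
    label: str


# Command-line rules derived from the process tree above.
RULES = [
    # netsh firewall add allowedprogram "<dropped exe>" ... ENABLE
    (re.compile(r"netsh(\.exe)?\s+firewall\s+add\s+allowedprogram", re.I),
     "T1562.004", "firewall exception added for a dropped binary"),
    # schtasks /create ... /sc ONLOGON /RL HIGHEST /tr <user-writable path>
    (re.compile(r'schtasks(\.exe)?"?\s+/create.*/sc\s+onlogon.*/rl\s+highest.*(appdata|\\users\\)', re.I),
     "T1053.005", "logon task at highest run level from a user-writable path"),
    # cmd /c <TEMP>\tmpXXXX.tmp.bat, the AsyncRAT install stub
    (re.compile(r'cmd(\.exe)?\s+/c\s+"*.*?\\temp\\tmp[0-9a-f]{4}\.tmp\.bat', re.I),
     "T1059.003", "batch stub executed from %TEMP%"),
    # timeout N between drop and launch
    (re.compile(r"(^|\\)timeout(\.exe)?\s+\d+\s*$", re.I),
     "T1497.003", "execution delayed with timeout.exe"),
]


def is_svchost_lookalike(image):
    """svehosts.exe, svbhost.exe, svuhost.exe ... mimic svchost.exe by name;
    the genuine host process is only ever named svchost.exe."""
    name = image.rsplit("\\", 1)[-1].lower()
    return bool(re.fullmatch(r"sv[a-z]hosts?\.exe", name)) and name != "svchost.exe"


def classify(pid, image, cmdline):
    """Apply every rule to one process-creation event."""
    findings = [Finding(pid, tid, label) for rx, tid, label in RULES if rx.search(cmdline)]
    if is_svchost_lookalike(image):
        findings.append(Finding(pid, "T1036.005", "svchost look-alike name: " + image))
    return findings


def triage(events):
    """events: iterable of (pid, image, cmdline); returns all findings in order."""
    out = []
    for pid, image, cmdline in events:
        out.extend(classify(pid, image, cmdline))
    return out


# Constructed from the process tree above (PIDs and command lines as recorded).
SAMPLE_EVENTS = [
    (4796, r"C:\Windows\SysWOW64\netsh.exe",
     r'netsh firewall add allowedprogram "C:\Windows\svehosts.exe" "svehosts.exe" ENABLE'),
    (1848, r"C:\Windows\SysWOW64\schtasks.exe",
     '"C:\\Windows\\System32\\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST '
     '/tn "\'prndrvest"\' /tr "\'C:\\Users\\Admin\\AppData\\Roaming\\prndrvest.exe"\''),
    (1948, r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC7DF.tmp.bat""'),
    (640, r"C:\Windows\SysWOW64\timeout.exe", "timeout 3"),
    (4516, r"C:\Windows\svehosts.exe", r'"C:\Windows\svehosts.exe"'),
    # Benign control: the real service host from the same tree must not fire.
    (1012, r"C:\Windows\System32\svchost.exe",
     r"C:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness"),
]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"PID {f.pid}: {f.technique} {f.label}")
```

The name check is deliberately narrow (one wrong letter in the `svXhost` stem, optional trailing `s`) so that the genuine svchost.exe under System32 or SysWOW64 never trips it; widen it only with an allow-list of signed images, or the Edge and Office processes in the same tree will start generating noise.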

                Network

                MITRE ATT&CK Enterprise v15

                Downloads

                • C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Installer\msedge_7z.data

                  Filesize

                  3KB

                  MD5

                  a43e9ce8d33ed6eb2b8f5133450d64dd

                  SHA1

                  f2b9a2eab4b80d7bef0a6e076423993b77f66332

                  SHA256

                  39bace95aa685a42bb379404c0e4f2a11254a7d5ab9a9b5551d311d1dbc05bb6

                  SHA512

                  9db1c9de9521cd7bd4af5062693d3557ab196fd552bb6000c1d4266426127c9c7c6eada263e90f99bf941fb1c863d10463940e164a03e0742ee070a35fbcdf6e

                • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E01E136B-2103-4CFE-8353-B990059ACBD9}\EDGEMITMP_0BB6E.tmp\setup.exe

                  Filesize

                  6.8MB

                  MD5

                  bdb1aecedc15fc82a63083452dad45c2

                  SHA1

                  a074fcd78665ff90ee3e50ffcccad5f6c3e7ddcb

                  SHA256

                  4ea0907c3fc2c2f6a4259002312671c82e008846d49957bb3b9915612e35b99f

                  SHA512

                  50909640c2957fc35dd5bcac3b51797aa5daa2fb95364e69df95d3577482e13f0c36a70ae098959cb9c2aaeb4cfe43025c1d8d55b5f8858b474bcb702609749d

                • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F3A49AE9-6B70-4C22-8779-258C9EC879B8}\EDGEMITMP_DD1C6.tmp\setup.exe

                  Filesize

                  6.8MB

                  MD5

                  1b3e9c59f9c7a134ec630ada1eb76a39

                  SHA1

                  a7e831d392e99f3d37847dcc561dd2e017065439

                  SHA256

                  ce78ccfb0c9cdb06ea61116bc57e50690650b6b5cf37c1aebfb30c19458ee4ae

                  SHA512

                  c0e50410dc92d80ff7bc854907774fc551564e078a8d38ca6421f15cea50282c25efac4f357b52b066c4371f9b8d4900fa8122dd80ab06ecbd851c6e049f7a3e

                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

                  Filesize

                  3.9MB

                  MD5

                  ad5f7dc7ca3e67dce70c0a89c04519e0

                  SHA1

                  a10b03234627ca8f3f8034cd5637cda1b8246d83

                  SHA256

                  663fe0f4e090583e6aa5204b9a80b7a76f677259066e56a7345aebc6bc3e7d31

                  SHA512

                  ad5490e9865caa454c47ec2e96364b9c566b553e64801da60c295acd570017747be1aff6f22ca6c20c6eee6f6d05a058af72569fd6e656f66e48010978c7fd51

                • C:\Program Files\msedge_installer.log

                  Filesize

                  74KB

                  MD5

                  e259618d2c3c554969e66d07419c4e3b

                  SHA1

                  71ccb757c56bcb5a9ab3e6b8c882bd3cc223bfc9

                  SHA256
