badrabbit | c5fe32e5de97a1c0ff01c7bcbc99d7086a485b6df9ac7cdb37e906f6e1d01da3

Resubmissions

26/02/2025, 06:37

250226-hdnk3svqw2 10

25/02/2025, 10:24

250225-mflaystny2 10

Analysis

max time kernel
149s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
25/02/2025, 10:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Urgent Contract Action.pdf.exe
Size

431KB
MD5

fbbdc39af1139aebba4da004475e8839
SHA1

de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256

630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
SHA512

74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
SSDEEP

12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR63:vT56NbqWRwZaEr3yt2O3XR63

Score

10^/10

badrabbit mimikatz discovery ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Badrabbit family
badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral2/files/0x000e000000023b3c-20.dat	mimikatz

Executes dropped EXE 1 IoCs

pid	Process
2276	AE32.tmp

Loads dropped DLL 1 IoCs

pid	Process
3628	rundll32.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\infpub.dat	Urgent Contract Action.pdf.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\AE32.tmp	rundll32.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Urgent Contract Action.pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings	mspaint.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3188	schtasks.exe
2600	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1064	EXCEL.EXE
384	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3628	rundll32.exe
3628	rundll32.exe
3628	rundll32.exe
3628	rundll32.exe
2276	AE32.tmp
2276	AE32.tmp
2276	AE32.tmp
2276	AE32.tmp
2276	AE32.tmp
2276	AE32.tmp
4568	msedge.exe
4568	msedge.exe
3440	msedge.exe
3440	msedge.exe
1432	identity_helper.exe
1432	identity_helper.exe
2088	mspaint.exe
2088	mspaint.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3628	rundll32.exe
Token: SeDebugPrivilege	3628	rundll32.exe
Token: SeTcbPrivilege	3628	rundll32.exe
Token: SeDebugPrivilege	2276	AE32.tmp

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
1064	EXCEL.EXE
1064	EXCEL.EXE
1064	EXCEL.EXE
1064	EXCEL.EXE
1064	EXCEL.EXE
1064	EXCEL.EXE
1064	EXCEL.EXE
1064	EXCEL.EXE
1064	EXCEL.EXE
384	POWERPNT.EXE
384	POWERPNT.EXE
2088	mspaint.exe
100	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 3628	2076	Urgent Contract Action.pdf.exe	87
PID 2076 wrote to memory of 3628	2076	Urgent Contract Action.pdf.exe	87
PID 2076 wrote to memory of 3628	2076	Urgent Contract Action.pdf.exe	87
PID 3628 wrote to memory of 1444	3628	rundll32.exe	88
PID 3628 wrote to memory of 1444	3628	rundll32.exe	88
PID 3628 wrote to memory of 1444	3628	rundll32.exe	88
PID 1444 wrote to memory of 2052	1444	cmd.exe	90
PID 1444 wrote to memory of 2052	1444	cmd.exe	90
PID 1444 wrote to memory of 2052	1444	cmd.exe	90
PID 3628 wrote to memory of 1248	3628	rundll32.exe	98
PID 3628 wrote to memory of 1248	3628	rundll32.exe	98
PID 3628 wrote to memory of 1248	3628	rundll32.exe	98
PID 3628 wrote to memory of 2320	3628	rundll32.exe	102
PID 3628 wrote to memory of 2320	3628	rundll32.exe	102
PID 3628 wrote to memory of 2320	3628	rundll32.exe	102
PID 3628 wrote to memory of 2276	3628	rundll32.exe	103
PID 3628 wrote to memory of 2276	3628	rundll32.exe	103
PID 1248 wrote to memory of 3188	1248	cmd.exe	106
PID 1248 wrote to memory of 3188	1248	cmd.exe	106
PID 1248 wrote to memory of 3188	1248	cmd.exe	106
PID 2320 wrote to memory of 2600	2320	cmd.exe	107
PID 2320 wrote to memory of 2600	2320	cmd.exe	107
PID 2320 wrote to memory of 2600	2320	cmd.exe	107
PID 3440 wrote to memory of 4884	3440	msedge.exe	132
PID 3440 wrote to memory of 4884	3440	msedge.exe	132
PID 3440 wrote to memory of 3876	3440	msedge.exe	133
PID 3440 wrote to memory of 3876	3440	msedge.exe	133
PID 3440 wrote to memory of 3876	3440	msedge.exe	133
PID 3440 wrote to memory of 3876	3440	msedge.exe	133
PID 3440 wrote to memory of 3876	3440	msedge.exe	133
PID 3440 wrote to memory of 3876	3440	msedge.exe	133
PID 3440 wrote to memory of 3876	3440	msedge.exe	133
PID 3440 wrote to memory of 3876	3440	msedge.exe	133
PID 3440 wrote to memory of 3876	3440	msedge.exe	133
PID 3440 wrote to memory of 3876	3440	msedge.exe	133
PID 3440 wrote to memory of 3876	3440	msedge.exe	133
PID 3440 wrote to memory of 3876	3440	msedge.exe	133
PID 3440 wrote to memory of 3876	3440	msedge.exe	133
PID 3440 wrote to memory of 3876	3440	msedge.exe	133
PID 3440 wrote to memory of 3876	3440	msedge.exe	133
PID 3440 wrote to memory of 3876	3440	msedge.exe	133
PID 3440 wrote to memory of 3876	3440	msedge.exe	133
PID 3440 wrote to memory of 3876	3440	msedge.exe	133
PID 3440 wrote to memory of 3876	3440	msedge.exe	133
PID 3440 wrote to memory of 3876	3440	msedge.exe	133
PID 3440 wrote to memory of 3876	3440	msedge.exe	133
PID 3440 wrote to memory of 3876	3440	msedge.exe	133
PID 3440 wrote to memory of 3876	3440	msedge.exe	133
PID 3440 wrote to memory of 3876	3440	msedge.exe	133
PID 3440 wrote to memory of 3876	3440	msedge.exe	133
PID 3440 wrote to memory of 3876	3440	msedge.exe	133
PID 3440 wrote to memory of 3876	3440	msedge.exe	133
PID 3440 wrote to memory of 3876	3440	msedge.exe	133
PID 3440 wrote to memory of 3876	3440	msedge.exe	133
PID 3440 wrote to memory of 3876	3440	msedge.exe	133
PID 3440 wrote to memory of 3876	3440	msedge.exe	133
PID 3440 wrote to memory of 3876	3440	msedge.exe	133
PID 3440 wrote to memory of 3876	3440	msedge.exe	133
PID 3440 wrote to memory of 3876	3440	msedge.exe	133
PID 3440 wrote to memory of 3876	3440	msedge.exe	133
PID 3440 wrote to memory of 3876	3440	msedge.exe	133
PID 3440 wrote to memory of 3876	3440	msedge.exe	133
PID 3440 wrote to memory of 3876	3440	msedge.exe	133
PID 3440 wrote to memory of 3876	3440	msedge.exe	133

C:\Users\Admin\AppData\Local\Temp\Urgent Contract Action.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Urgent Contract Action.pdf.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3628
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1444
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      System Location Discovery: System Language Discovery
      PID:2052
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2034469617 && exit"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1248
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2034469617 && exit"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:3188
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 10:42:00
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 10:42:00
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2600
- - C:\Windows\AE32.tmp
    "C:\Windows\AE32.tmp" \\.\pipe\{B7A20C24-724B-45A8-9765-CFE474947981}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2276

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\InstallRedo.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1064

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\Desktop\WriteRepair.ppsx" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff85b3446f8,0x7ff85b344708,0x7ff85b344718
  2⤵
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,8294666650974306047,9014011203280525576,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:3876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,8294666650974306047,9014011203280525576,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,8294666650974306047,9014011203280525576,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
  2⤵
  PID:3568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8294666650974306047,9014011203280525576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:1904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8294666650974306047,9014011203280525576,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8294666650974306047,9014011203280525576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4124 /prefetch:1
  2⤵
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8294666650974306047,9014011203280525576,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:2964
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,8294666650974306047,9014011203280525576,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3560 /prefetch:8
  2⤵
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,8294666650974306047,9014011203280525576,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3560 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8294666650974306047,9014011203280525576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:3144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8294666650974306047,9014011203280525576,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
  2⤵
  PID:2088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8294666650974306047,9014011203280525576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
  2⤵
  PID:2872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8294666650974306047,9014011203280525576,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:1
  2⤵
  PID:2424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8294666650974306047,9014011203280525576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
  2⤵
  PID:3636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8294666650974306047,9014011203280525576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
  2⤵
  PID:4024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8294666650974306047,9014011203280525576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
  2⤵
  PID:3992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8294666650974306047,9014011203280525576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
  2⤵
  PID:1904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8294666650974306047,9014011203280525576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
  2⤵
  PID:3428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8294666650974306047,9014011203280525576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
  2⤵
  PID:1048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8294666650974306047,9014011203280525576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:2516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8294666650974306047,9014011203280525576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:2340

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3432

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3324

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3028

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\CheckpointRepair.jpg" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2088

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:3108

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
471B

MD5
666eb911a4bd3bcfa9b661d68d329c7a

SHA1
acb5ea1e138818d013c6a18f3bb2f7721d4ee65e

SHA256
0faa665dc3956263f46de1220baf161bc02af991ba8eee0233bf11b66d457d70

SHA512
110bea7ed5ffb102cc930613e021ef9a4d3c8f51e0884817897b4988a6b05be982e06a3fa2ff4fa9d72491dc7d0a898e015fb0c00f8928cd0bb67ed8bdf9e5ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
471B

MD5
21dbace18c1ec1c068b499d7568a7c55

SHA1
ea36b713aaca431d36a8b2c70cb56a86d8664f83

SHA256
e37b6de87b8743904983d6a54e58184f909652ffb3adbff1176c47fa1c850df5

SHA512
b40c0a0902a78ce622f68966d791cde8cdae347e6440dcc4fb042fa185203a8dec89a9e35cc5945cb9f5f9e9d99bcc463285788e76163d3e3745700f6b01041b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
412B

MD5
1f1a5bd81fb79bb3fd790b7f6433cfd3

SHA1
467db1b17bb5d8ec7317ab9552fbe69a39cb2eb9

SHA256
fed3627f31203285d6fe9606df233ab119b2d0257ea30f7e524f5ccd84374b67

SHA512
2747cbdf3f2def1363f84dd6d6a621a063ae84aacffb785939d43c80bbfad52e46f7266c856815c770b78442c8413066a491d433300152eb45cb083c006bd809

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
420B

MD5
e71e061d3901c88fb1d7534bb715ac17

SHA1
12749841fb3c13e8fd142610abc3ea17ad9ed7dd

SHA256
47e5efd77e73d1a939251d0607dc59749d6e3f57faaa3d1d29889792204369da

SHA512
9b7811304fbe4ddf43d071dcc80b362f81c1e4b472f307a459983a7e6a6d40af32410c2e1fec07c23572ea3ac19b45ee670d8faa11fd3ae5755f2f16d274253a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
94bd9c36e88be77b106069e32ac8d934

SHA1
32bd157b84cde4eaf93360112d707056fc5b0b86

SHA256
8f49a43a08e2984636b172a777d5b3880e6e82ad25b427fef3f05b7b4f5c5b27

SHA512
7d4933fae6a279cc330fde4ae9425f66478c166684a30cec9c5c3f295289cf83cbdf604b8958f6db64b0a4b1566db102fbcbdcdb6eca008d86d9a9c8b252ff16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
25f87986bcd72dd045d9b8618fb48592

SHA1
c2d9b4ec955b8840027ff6fd6c1f636578fef7b5

SHA256
d8b542281740c12609279f2549f85d3c94e6e49a3a2a4b9698c93cca2dce486c

SHA512
0c8a0d1a3b0d4b30773b8519a3d6e63d92973733da818ca9838599a9639e18df18ce31ebf56f46f6bbb7d89d10c726f4d73781e154d115a6068a3be7dd12b314

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0e1a75938530b25342a3df34ff0787e8

SHA1
bd750fad61b359b5ebc2b91f2f6cb3a21fd20606

SHA256
f4f98c5833fceaa91806ced8f153589f81f55e9e93d175a43ce728e2da7817a0

SHA512
3c9e2cf83575a55810a229ce0798dfad6863a96672f5c97bcd6674d8219fcbe8b4be4bd73a54f8f2ee78bdeebd28ebf2fc11629741f76cfbc814847c7bf96f15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c4f2781bcac6f682a66d3ff337640bdf

SHA1
e4cf7786c315c48bcc40e77d613d8e426925b29b

SHA256
629f34fb0e0dd0dbc6b74ba7184fed62e41984ba318930532d92a653ff3f633b

SHA512
972875c7843553287ad4282ce9edd7bf1547e68e68f28239c8b6080c56dcb1f3c1b94815eb9e913b8edb5d97505160f28d93888e20f3fe72166a5d2a1e0ff488

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT~RFe593a11.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fdf740dd632c148fb75f475b95eb92cb

SHA1
8897a8a228ded89fced9fb6ac4838a8a39787b2d

SHA256
5b0f92cc953c5a690db476de179e304683d764d7b254bd603ea7ba4f25a0ef0b

SHA512
c4a3c9cac2f6ad05ea5cf2c79581c132aac5c55dea089406aa071b7bfb08b8c380850bf2caa7ba6ead470a824f7216665c9d8d6039757f2ced21d922ac8b3c0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\C8C739F4-B81E-4687-AFF8-DE1BC388E39F

Filesize
177KB

MD5
c08719a0353f1057001fe7b947538c71

SHA1
8356242b5560aaa0d9aa45033b16e1f98589d434

SHA256
9a3e409ee15071d1a4131b0edf6b6c873d5798823dc0cafcee0295dd906a5c1a

SHA512
4416222b1fbd2b303aaa27a73bda2f28d790fdbac7cc9b508879144c314e5476e509c1971f434bdb9406b5687afa5805f5cc94a797c0347e68575becd22131f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
01878df664d444f1ea5b68fff60b9815

SHA1
cff56c07dd1e829ac982b5fe7fb5b5acd5a79179

SHA256
ec685aa8bbd7623c2f494f07b12af588157ecfb1e092b3b706ffcc5eb6b3cce5

SHA512
594d85c09886b3122f52492836eb705ddb398ee908222b1ec02bd4233479e3be5ea886ca425c84fef3c65401c9d70524b667e71ced523697fe03053bfb5059b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
ab746bc9abb6f03226334a4710d4ab26

SHA1
b2493b8dee5f236634b457866f6f393da0be2434

SHA256
24f53ba3924051b8b101d7de7e1534eb4657c50d6c96629b938d4a18d96c36e4

SHA512
510f582353a44f83e0e4019b23a8c0aa2422de8906a785b0f4e18471561d02f51c2099e8873d403c43ac9d2042ee76a6b8cfd2978e9017d69a4b512948b9449a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\f3df91c436730d7a37c58d5f25d9bf4a56fa3a34.tbres

Filesize
4KB

MD5
56447e67bcc3bcceeb84d69cf56f5613

SHA1
a6b43b1702121b526d1a3abb1aca0bc06a2f4758

SHA256
b4ecd5d0d5e9aaee450fd19d126367ba467b6315a8a5bae42786a05b5277d38b

SHA512
973527df52b84d589c07b8fad16e4460f9cb32850b3dfe0cdf0003b0ac25646e01e90cea86d16b86bd259ce8aa8afc5c1a4d3476de14410249dbfaa80b3f62b4

Download Submit
C:\Windows\AE32.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
memory/384-98-0x00007FF8376D0000-0x00007FF8376E0000-memory.dmp

Filesize
64KB

Download
memory/384-120-0x00007FF83A030000-0x00007FF83A040000-memory.dmp

Filesize
64KB

Download
memory/384-97-0x00007FF8376D0000-0x00007FF8376E0000-memory.dmp

Filesize
64KB

Download
memory/384-93-0x00007FF83A030000-0x00007FF83A040000-memory.dmp

Filesize
64KB

Download
memory/384-94-0x00007FF83A030000-0x00007FF83A040000-memory.dmp

Filesize
64KB

Download
memory/384-95-0x00007FF83A030000-0x00007FF83A040000-memory.dmp

Filesize
64KB

Download
memory/384-92-0x00007FF83A030000-0x00007FF83A040000-memory.dmp

Filesize
64KB

Download
memory/384-96-0x00007FF83A030000-0x00007FF83A040000-memory.dmp

Filesize
64KB

Download
memory/384-119-0x00007FF83A030000-0x00007FF83A040000-memory.dmp

Filesize
64KB

Download
memory/384-117-0x00007FF83A030000-0x00007FF83A040000-memory.dmp

Filesize
64KB

Download
memory/384-118-0x00007FF83A030000-0x00007FF83A040000-memory.dmp

Filesize
64KB

Download
memory/1064-90-0x00007FF83A030000-0x00007FF83A040000-memory.dmp

Filesize
64KB

Download
memory/1064-48-0x00007FF83A030000-0x00007FF83A040000-memory.dmp

Filesize
64KB

Download
memory/1064-91-0x00007FF83A030000-0x00007FF83A040000-memory.dmp

Filesize
64KB

Download
memory/1064-89-0x00007FF83A030000-0x00007FF83A040000-memory.dmp

Filesize
64KB

Download
memory/1064-51-0x00007FF8376D0000-0x00007FF8376E0000-memory.dmp

Filesize
64KB

Download
memory/1064-50-0x00007FF8376D0000-0x00007FF8376E0000-memory.dmp

Filesize
64KB

Download
memory/1064-49-0x00007FF83A030000-0x00007FF83A040000-memory.dmp

Filesize
64KB

Download
memory/1064-88-0x00007FF83A030000-0x00007FF83A040000-memory.dmp

Filesize
64KB

Download
memory/1064-46-0x00007FF83A030000-0x00007FF83A040000-memory.dmp

Filesize
64KB

Download
memory/1064-47-0x00007FF83A030000-0x00007FF83A040000-memory.dmp

Filesize
64KB

Download
memory/1064-45-0x00007FF83A030000-0x00007FF83A040000-memory.dmp

Filesize
64KB

Download
memory/3108-281-0x000001E3F8B60000-0x000001E3F8B70000-memory.dmp

Filesize
64KB

Download
memory/3108-277-0x000001E3F83B0000-0x000001E3F83C0000-memory.dmp

Filesize
64KB

Download
memory/3628-14-0x0000000000EC0000-0x0000000000F28000-memory.dmp

Filesize
416KB

Download
memory/3628-11-0x0000000000EC0000-0x0000000000F28000-memory.dmp

Filesize
416KB

Download
memory/3628-3-0x0000000000EC0000-0x0000000000F28000-memory.dmp

Filesize
416KB

Download