gh0strat | 0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb

Analysis

max time kernel
141s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 04:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe
Size

2.1MB
MD5

9abbbab52c30fb0354096330e4af439a
SHA1

371e920401ffa2f46d3643a3fe86654b2f627198
SHA256

0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb
SHA512

9b949ade92369d47a77891323b3577c09e0a0dc443a218e1a7b0c1d63455a38869a65c5d98b9c253f92ccbd3062e34fb9e06adfc16786970d3b1c75480424855
SSDEEP

24576:k09tv9/7JtDElDEExIko2H2HESq2eWJ6MQjySjy+ZY83qV49:k09XJt4HIN2H2tFvduyS//ae

Score

10^/10

gh0strat purplefox discovery evasion persistence rat rootkit spyware stealer trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 11 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral2/memory/1516-7-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1516-6-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1516-10-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1636-17-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1636-16-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1636-15-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1636-27-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/2476-28-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/2476-30-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/2476-36-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/2476-77-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 11 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1516-7-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1516-6-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1516-10-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1636-17-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1636-16-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1636-15-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1636-27-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/2476-28-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/2476-30-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/2476-36-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/2476-77-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Drops file in Drivers directory 1 IoCs

Processes:

TXPlatforn.exe

description ioc process

File created C:\Windows\system32\drivers\QAssist.sys TXPlatforn.exe
Sets service image path in registry 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

TXPlatforn.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" TXPlatforn.exe

description	ioc	process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatforn.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatforn.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

HD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	HD_msedge.exe

Executes dropped EXE 21 IoCs

Processes:

RVN.exeTXPlatforn.exeHD_0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exeTXPlatforn.exemsedge.exeRVN.exeTXPlatforn.exeTXPlatforn.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exe

pid	process
1516	RVN.exe
1636	TXPlatforn.exe
208	HD_0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe
2476	TXPlatforn.exe
2180	msedge.exe
4860	RVN.exe
4028	TXPlatforn.exe
5084	TXPlatforn.exe
3684	HD_msedge.exe
2528	HD_msedge.exe
2200	HD_msedge.exe
3220	HD_msedge.exe
4648	HD_msedge.exe
1888	HD_msedge.exe
3408	HD_msedge.exe
2876	HD_msedge.exe
1848	HD_msedge.exe
212	HD_msedge.exe
5092	HD_msedge.exe
4180	HD_msedge.exe
4104	HD_msedge.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1516-4-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1516-7-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1516-6-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1516-10-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1636-13-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1636-17-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1636-16-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1636-15-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1636-27-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2476-28-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2476-30-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2476-36-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2476-77-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

HD_msedge.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA HD_msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	HD_msedge.exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

HD_msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	HD_msedge.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	HD_msedge.exe

Drops file in System32 directory 2 IoCs

Processes:

RVN.exe

description ioc process

File created C:\Windows\SysWOW64\TXPlatforn.exe RVN.exe
File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe RVN.exe

description	ioc	process
File created	C:\Windows\SysWOW64\TXPlatforn.exe	RVN.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatforn.exe	RVN.exe

Drops file in Program Files directory 7 IoCs

Processes:

0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exemsedge.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe
File created	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

HD_msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	HD_msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	HD_msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	HD_msedge.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

1524 PING.EXE
1504 PING.EXE

pid	process
1524	PING.EXE
1504	PING.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exemsedge.exeHD_msedge.exeHD_msedge.exeidentity_helper.exeHD_msedge.exe

pid	process
2296	0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe
2296	0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe
2180	msedge.exe
2180	msedge.exe
3220	HD_msedge.exe
3220	HD_msedge.exe
3684	HD_msedge.exe
3684	HD_msedge.exe
4820	identity_helper.exe
4820	identity_helper.exe
4104	HD_msedge.exe
4104	HD_msedge.exe
4104	HD_msedge.exe
4104	HD_msedge.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

TXPlatforn.exe

pid process

2476 TXPlatforn.exe

pid	process
2476	TXPlatforn.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

RVN.exeTXPlatforn.exeRVN.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1516	RVN.exe
Token: SeLoadDriverPrivilege	2476	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	4860	RVN.exe
Token: 33	2476	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	2476	TXPlatforn.exe
Token: 33	2476	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	2476	TXPlatforn.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

HD_msedge.exe

pid	process
3684	HD_msedge.exe
3684	HD_msedge.exe
3684	HD_msedge.exe
3684	HD_msedge.exe
3684	HD_msedge.exe
3684	HD_msedge.exe
3684	HD_msedge.exe
3684	HD_msedge.exe
3684	HD_msedge.exe
3684	HD_msedge.exe
3684	HD_msedge.exe
3684	HD_msedge.exe
3684	HD_msedge.exe
3684	HD_msedge.exe
3684	HD_msedge.exe
3684	HD_msedge.exe
3684	HD_msedge.exe
3684	HD_msedge.exe
3684	HD_msedge.exe
3684	HD_msedge.exe
3684	HD_msedge.exe
3684	HD_msedge.exe
3684	HD_msedge.exe
3684	HD_msedge.exe
3684	HD_msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

HD_msedge.exe

pid	process
3684	HD_msedge.exe
3684	HD_msedge.exe
3684	HD_msedge.exe
3684	HD_msedge.exe
3684	HD_msedge.exe
3684	HD_msedge.exe
3684	HD_msedge.exe
3684	HD_msedge.exe
3684	HD_msedge.exe
3684	HD_msedge.exe
3684	HD_msedge.exe
3684	HD_msedge.exe
3684	HD_msedge.exe
3684	HD_msedge.exe
3684	HD_msedge.exe
3684	HD_msedge.exe
3684	HD_msedge.exe
3684	HD_msedge.exe
3684	HD_msedge.exe
3684	HD_msedge.exe
3684	HD_msedge.exe
3684	HD_msedge.exe
3684	HD_msedge.exe
3684	HD_msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exemsedge.exe

pid process

2296 0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe
2296 0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe
2180 msedge.exe
2180 msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exeRVN.exeTXPlatforn.execmd.exeHD_0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exemsedge.exeTXPlatforn.exeRVN.execmd.exeHD_msedge.exe

description	pid	process	target process
PID 2296 wrote to memory of 1516	2296	0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe	RVN.exe
PID 2296 wrote to memory of 1516	2296	0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe	RVN.exe
PID 2296 wrote to memory of 1516	2296	0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe	RVN.exe
PID 1516 wrote to memory of 3928	1516	RVN.exe	cmd.exe
PID 1516 wrote to memory of 3928	1516	RVN.exe	cmd.exe
PID 1516 wrote to memory of 3928	1516	RVN.exe	cmd.exe
PID 1636 wrote to memory of 2476	1636	TXPlatforn.exe	TXPlatforn.exe
PID 1636 wrote to memory of 2476	1636	TXPlatforn.exe	TXPlatforn.exe
PID 1636 wrote to memory of 2476	1636	TXPlatforn.exe	TXPlatforn.exe
PID 2296 wrote to memory of 208	2296	0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe	HD_0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe
PID 2296 wrote to memory of 208	2296	0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe	HD_0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe
PID 3928 wrote to memory of 1524	3928	cmd.exe	PING.EXE
PID 3928 wrote to memory of 1524	3928	cmd.exe	PING.EXE
PID 3928 wrote to memory of 1524	3928	cmd.exe	PING.EXE
PID 208 wrote to memory of 2180	208	HD_0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe	msedge.exe
PID 208 wrote to memory of 2180	208	HD_0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe	msedge.exe
PID 208 wrote to memory of 2180	208	HD_0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe	msedge.exe
PID 2180 wrote to memory of 4860	2180	msedge.exe	RVN.exe
PID 2180 wrote to memory of 4860	2180	msedge.exe	RVN.exe
PID 2180 wrote to memory of 4860	2180	msedge.exe	RVN.exe
PID 4028 wrote to memory of 5084	4028	TXPlatforn.exe	TXPlatforn.exe
PID 4028 wrote to memory of 5084	4028	TXPlatforn.exe	TXPlatforn.exe
PID 4028 wrote to memory of 5084	4028	TXPlatforn.exe	TXPlatforn.exe
PID 4860 wrote to memory of 4788	4860	RVN.exe	cmd.exe
PID 4860 wrote to memory of 4788	4860	RVN.exe	cmd.exe
PID 4860 wrote to memory of 4788	4860	RVN.exe	cmd.exe
PID 2180 wrote to memory of 3684	2180	msedge.exe	HD_msedge.exe
PID 2180 wrote to memory of 3684	2180	msedge.exe	HD_msedge.exe
PID 4788 wrote to memory of 1504	4788	cmd.exe	PING.EXE
PID 4788 wrote to memory of 1504	4788	cmd.exe	PING.EXE
PID 4788 wrote to memory of 1504	4788	cmd.exe	PING.EXE
PID 3684 wrote to memory of 2528	3684	HD_msedge.exe	HD_msedge.exe
PID 3684 wrote to memory of 2528	3684	HD_msedge.exe	HD_msedge.exe
PID 3684 wrote to memory of 2200	3684	HD_msedge.exe	HD_msedge.exe
PID 3684 wrote to memory of 2200	3684	HD_msedge.exe	HD_msedge.exe
PID 3684 wrote to memory of 2200	3684	HD_msedge.exe	HD_msedge.exe
PID 3684 wrote to memory of 2200	3684	HD_msedge.exe	HD_msedge.exe
PID 3684 wrote to memory of 2200	3684	HD_msedge.exe	HD_msedge.exe
PID 3684 wrote to memory of 2200	3684	HD_msedge.exe	HD_msedge.exe
PID 3684 wrote to memory of 2200	3684	HD_msedge.exe	HD_msedge.exe
PID 3684 wrote to memory of 2200	3684	HD_msedge.exe	HD_msedge.exe
PID 3684 wrote to memory of 2200	3684	HD_msedge.exe	HD_msedge.exe
PID 3684 wrote to memory of 2200	3684	HD_msedge.exe	HD_msedge.exe
PID 3684 wrote to memory of 2200	3684	HD_msedge.exe	HD_msedge.exe
PID 3684 wrote to memory of 2200	3684	HD_msedge.exe	HD_msedge.exe
PID 3684 wrote to memory of 2200	3684	HD_msedge.exe	HD_msedge.exe
PID 3684 wrote to memory of 2200	3684	HD_msedge.exe	HD_msedge.exe
PID 3684 wrote to memory of 2200	3684	HD_msedge.exe	HD_msedge.exe
PID 3684 wrote to memory of 2200	3684	HD_msedge.exe	HD_msedge.exe
PID 3684 wrote to memory of 2200	3684	HD_msedge.exe	HD_msedge.exe
PID 3684 wrote to memory of 2200	3684	HD_msedge.exe	HD_msedge.exe
PID 3684 wrote to memory of 2200	3684	HD_msedge.exe	HD_msedge.exe
PID 3684 wrote to memory of 2200	3684	HD_msedge.exe	HD_msedge.exe
PID 3684 wrote to memory of 2200	3684	HD_msedge.exe	HD_msedge.exe
PID 3684 wrote to memory of 2200	3684	HD_msedge.exe	HD_msedge.exe
PID 3684 wrote to memory of 2200	3684	HD_msedge.exe	HD_msedge.exe
PID 3684 wrote to memory of 2200	3684	HD_msedge.exe	HD_msedge.exe
PID 3684 wrote to memory of 2200	3684	HD_msedge.exe	HD_msedge.exe
PID 3684 wrote to memory of 2200	3684	HD_msedge.exe	HD_msedge.exe
PID 3684 wrote to memory of 2200	3684	HD_msedge.exe	HD_msedge.exe
PID 3684 wrote to memory of 2200	3684	HD_msedge.exe	HD_msedge.exe
PID 3684 wrote to memory of 2200	3684	HD_msedge.exe	HD_msedge.exe
PID 3684 wrote to memory of 2200	3684	HD_msedge.exe	HD_msedge.exe
PID 3684 wrote to memory of 2200	3684	HD_msedge.exe	HD_msedge.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

HD_msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection HD_msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection	HD_msedge.exe

C:\Users\Admin\AppData\Local\Temp\0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe
"C:\Users\Admin\AppData\Local\Temp\0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2296

C:\Users\Admin\AppData\Local\Temp\RVN.exe
C:\Users\Admin\AppData\Local\Temp\\RVN.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
3⤵
- Suspicious use of WriteProcessMemory
PID:3928

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
4⤵
- Runs ping.exe
PID:1524

C:\Users\Admin\AppData\Local\Temp\HD_0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe
C:\Users\Admin\AppData\Local\Temp\HD_0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://pc.weixin.qq.com/
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2180

C:\Users\Admin\AppData\Local\Temp\RVN.exe
C:\Users\Admin\AppData\Local\Temp\\RVN.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
5⤵
- Suspicious use of WriteProcessMemory
PID:4788

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
6⤵
- Runs ping.exe
PID:1504

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Checks system information in the registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3684

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffd952e46f8,0x7ffd952e4708,0x7ffd952e4718
5⤵
- Executes dropped EXE
PID:2528

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2068,11094577433959469496,11627788461948790167,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
5⤵
- Executes dropped EXE
PID:2200

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,11094577433959469496,11627788461948790167,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3220

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,11094577433959469496,11627788461948790167,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
5⤵
- Executes dropped EXE
PID:4648

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2068,11094577433959469496,11627788461948790167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:1888

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2068,11094577433959469496,11627788461948790167,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:3408

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2068,11094577433959469496,11627788461948790167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4328 /prefetch:1
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:2876

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2068,11094577433959469496,11627788461948790167,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4380 /prefetch:1
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:1848

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,11094577433959469496,11627788461948790167,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4864 /prefetch:8
5⤵
PID:5116

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,11094577433959469496,11627788461948790167,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4864 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4820

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2068,11094577433959469496,11627788461948790167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:212

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2068,11094577433959469496,11627788461948790167,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:5092

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2068,11094577433959469496,11627788461948790167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:4180

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2068,11094577433959469496,11627788461948790167,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2028 /prefetch:2
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4104

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -acsi
2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:2476

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4028

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -acsi
2⤵
- Executes dropped EXE
PID:5084

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2244

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3336

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
Filesize
3.2MB

MD5
ad8536c7440638d40156e883ac25086e

SHA1
fa9e8b7fb10473a01b8925c4c5b0888924a1147c

SHA256
73d84d249f16b943d1d3f9dd9e516fadd323e70939c29b4a640693eb8818ee9a

SHA512
b5f368be8853aa142dba614dcca7e021aba92b337fe36cfc186714092a4dab1c7a2181954cd737923edd351149980182a090dbde91081c81d83f471ff18888fe

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Filesize
4.7MB

MD5
5c0cc33ccd8a4109d8939cf5c7ccc959

SHA1
ff517abb56cd51686eaa1027e3bc69fbfc21381f

SHA256
b9671f0f01cd272890f2ee5e01f7ed6e94eb8da604ed82ec873b24b95e48d699

SHA512
7751eb09637819e6939cd9e70414942dfa2ffed61d57d95b56ebb7e22579bdfb861edfe25ef88e9ff763f1d1212679bb05985239b5974e23d6bf0ce1bec062fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
612a6c4247ef652299b376221c984213

SHA1
d306f3b16bde39708aa862aee372345feb559750

SHA256
9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a

SHA512
34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
56641592f6e69f5f5fb06f2319384490

SHA1
6a86be42e2c6d26b7830ad9f4e2627995fd91069

SHA256
02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455

SHA512
c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
23bc7281c7e67915655e31d9491d872e

SHA1
9087558b1ee7963ce0f54d4f8cf9a9933a9ce337

SHA256
535a2139340c7ae33330386aad8ef20d9a356ff5456030a85596e69864c0eff0

SHA512
018760434309a97a2a3794d31c6acd7b0d4aea71bada862362f92657c24a2decef0f14e25b2eb816b35e51821b7f869abe5ff09b18003a4a97a1b3fc7810f070

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
eee2f42ca0dbbdffd342c419f1224833

SHA1
fa341ece4577fb66bb653bf10e7408f86c389c8b

SHA256
36f4109b396311d7d9ab0733576dded78a03883ef34b63c4a2dabac5521a40dd

SHA512
b786f6704d7fbee1622bd73e3b24693d91a046aa10a4bb3cd5f4a2318c05262016e1f0bccc5bdec041f2fa4e31e4a44b064a4fc9a3d17db078730beb86098117

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe
Filesize
644KB

MD5
f425849e05301fd33488dfc5a81f3ef5

SHA1
ff887ef2d9f5134a9afb0223f2363bd02a0425d2

SHA256
67f7a19691a795d39de97cb2e5aa02461b2529b14c3d46e5e41a1df255c54730

SHA512
11b2ee9cd829c472819c281fc6a3d0f78ddf133fa50e63d6ef8ed5161451a0acc3059948b7a8f2f57d9646d34289f0a23f7ec00e8bf8e53cabbe0834d25d37e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat
Filesize
1.5MB

MD5
4a2aecb824ab51d6ce24f25babe7c0a1

SHA1
9bc679a003d220d86975dbc23a5ce997ac224855

SHA256
019608b79fae2894575c34bfeab3cbc72f6f2d5b6c7ddb6e509003062b829b8a

SHA512
616612df3dbea44c4e2652c5598346dc2c06eef7ace65a6f46eee7cad8aa4fa5c9725ce96ac345ab3efd3120d7864d93a3d06ad3cf2819b8ebfac65bd3ed6dbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RVN.exe
Filesize
377KB

MD5
80ade1893dec9cab7f2e63538a464fcc

SHA1
c06614da33a65eddb506db00a124a3fc3f5be02e

SHA256
57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

SHA512
fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

Download Submit
\??\pipe\LOCAL\crashpad_3684_HZRERXWXQWODXTOK
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/212-195-0x0000020AB5E00000-0x0000020AB5E9E000-memory.dmp

Filesize
632KB

Download
memory/1516-10-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1516-6-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1516-4-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1516-7-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1636-27-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1636-16-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1636-17-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1636-13-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1636-15-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1848-267-0x000001E0F8AD0000-0x000001E0F8B6E000-memory.dmp

Filesize
632KB

Download
memory/1848-249-0x000001E0F8AD0000-0x000001E0F8B6E000-memory.dmp

Filesize
632KB

Download
memory/1848-223-0x000001E0F8AD0000-0x000001E0F8B6E000-memory.dmp

Filesize
632KB

Download
memory/1888-154-0x000001A812520000-0x000001A8125BE000-memory.dmp

Filesize
632KB

Download
memory/2200-121-0x00007FFDA1D30000-0x00007FFDA1D31000-memory.dmp

Filesize
4KB

Download
memory/2200-247-0x000001EF9FE10000-0x000001EF9FEAE000-memory.dmp

Filesize
632KB

Download
memory/2200-215-0x000001EF9FE10000-0x000001EF9FEAE000-memory.dmp

Filesize
632KB

Download
memory/2200-224-0x000001EF9FE10000-0x000001EF9FEAE000-memory.dmp

Filesize
632KB

Download
memory/2476-30-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2476-28-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2476-36-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2476-77-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2876-180-0x0000024B5CED0000-0x0000024B5CF6E000-memory.dmp

Filesize
632KB

Download
memory/3408-157-0x0000023A3BCD0000-0x0000023A3BD6E000-memory.dmp

Filesize
632KB

Download
memory/4180-226-0x0000027E2B100000-0x0000027E2B19E000-memory.dmp

Filesize
632KB

Download
memory/4180-250-0x0000027E2B100000-0x0000027E2B19E000-memory.dmp

Filesize
632KB

Download
memory/4648-248-0x000001E5F7AD0000-0x000001E5F7B6E000-memory.dmp

Filesize
632KB

Download
memory/4648-216-0x000001E5F7AD0000-0x000001E5F7B6E000-memory.dmp

Filesize
632KB

Download
memory/5092-197-0x00000133F84D0000-0x00000133F856E000-memory.dmp

Filesize
632KB

Download