72bf432b0b9e05ee2004b814e9613bfdd9e63631d329b0d569243521cf909189

Analysis

max time kernel
1181s
max time network
1200s
platform
windows10_x64
resource
win10v20201028
submitted
25-01-2021 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vkgen_updatepackage.exe
Size

6.3MB
MD5

1fc199037d6e817b653150e4968d8abe
SHA1

a75ab30f801b0fbc5263e6492780e752c41fdf35
SHA256

72bf432b0b9e05ee2004b814e9613bfdd9e63631d329b0d569243521cf909189
SHA512

ddc42e692938b1e4ce4079cb24bb4df2e9c5a6cae6cd8713aad747667cbbb70a52386bc0742f598274426c09785b7a468e874ee257fe94a845e3afddd62d64f3

Score

10^/10

ransomware vmprotect

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 1780 created 380 1780 WerFault.exe vkgen_updatepackage.exe

description	pid	process	target process
PID 1780 created 380	1780	WerFault.exe	vkgen_updatepackage.exe

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/4764-3-0x00000000005E0000-0x00000000005E1000-memory.dmp	vmprotect

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082
Drops file in Windows directory 1 IoCs

Processes:

MicrosoftEdge.exe

description ioc process

File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Program crash 11 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
704	4764	WerFault.exe	vkgen_updatepackage.exe
2916	380	WerFault.exe	vkgen_updatepackage.exe
4584	4548	WerFault.exe	vkgen_updatepackage.exe
1780	380	WerFault.exe	vkgen_updatepackage.exe
1184	2124	WerFault.exe	vkgen_updatepackage.exe
4440	4292	WerFault.exe	vkgen_updatepackage.exe
676	4624	WerFault.exe	vkgen_updatepackage.exe
2008	988	WerFault.exe	vkgen_updatepackage.exe
1336	3328	WerFault.exe	vkgen_updatepackage.exe
1400	4940	WerFault.exe	vkgen_updatepackage.exe
2836	2588	WerFault.exe	vkgen_updatepackage.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies Control Panel 1 IoCs
evasion

Processes:

MicrosoftEdge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Colors MicrosoftEdge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Colors	MicrosoftEdge.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

browser_broker.exeMicrosoftEdgeCP.exeMicrosoftEdge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe

Modifies registry class 235 IoCs

Processes:

firefox.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\1\0\0\0\0\0 = 4e00310000000000395258a0100054656d7000003a0009000400efbe5c512091395258a02e0000003c5301000000010000000000000000000000000000003ef06d00540065006d007000000014000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Explorer	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = 6c3a3b6c55add601	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\1\0\0\0\0\MRUListEx = 00000000ffffffff	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 010000007ca591444e9edad2eebf90744137eb54043dd521c2e7daf57bb36efb51ecf48fc56d0d247565726e460a2848c877ebe9a71b3b2e1f6bcf87f1c87bdb5ccdcdf9786b226d9d8d521ee831aa3b4857546dc68e821c47d317e7b9ae	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\SettingsVersion = "2"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\MRUListEx = 0000000001000000ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = 6c3a3b6c55add601	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionI = "5"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\Order = 0c0000000a000000000000000c0000000100000000000000	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\1\0\0 = 50003100000000005c51559d100041646d696e003c0009000400efbe5c5120915c51559d2e0000001d530100000001000000000000000000000000000000e6751c01410064006d0069006e00000014000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionI = "{87FD469D-8550-47A5-895E-A41BEAA68E73}"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\1	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersio = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\MRUListEx = 0100000000000000ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\1\0 = 78003100000000005c5120911100557365727300640009000400efbe724a0b5d5c5120912e000000320500000000010000000000000000003a00000000007288330055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	firefox.exe

Suspicious behavior: EnumeratesProcesses 1961 IoCs

Processes:

vkgen_updatepackage.exeWerFault.exevkgen_updatepackage.exe

pid	process
4764	vkgen_updatepackage.exe
4764	vkgen_updatepackage.exe
4764	vkgen_updatepackage.exe
4764	vkgen_updatepackage.exe
4764	vkgen_updatepackage.exe
4764	vkgen_updatepackage.exe
4764	vkgen_updatepackage.exe
4764	vkgen_updatepackage.exe
4764	vkgen_updatepackage.exe
4764	vkgen_updatepackage.exe
4764	vkgen_updatepackage.exe
4764	vkgen_updatepackage.exe
4764	vkgen_updatepackage.exe
4764	vkgen_updatepackage.exe
4764	vkgen_updatepackage.exe
4764	vkgen_updatepackage.exe
4764	vkgen_updatepackage.exe
4764	vkgen_updatepackage.exe
4764	vkgen_updatepackage.exe
4764	vkgen_updatepackage.exe
4764	vkgen_updatepackage.exe
4764	vkgen_updatepackage.exe
4764	vkgen_updatepackage.exe
4764	vkgen_updatepackage.exe
4764	vkgen_updatepackage.exe
4764	vkgen_updatepackage.exe
4764	vkgen_updatepackage.exe
4764	vkgen_updatepackage.exe
4764	vkgen_updatepackage.exe
4764	vkgen_updatepackage.exe
4764	vkgen_updatepackage.exe
4764	vkgen_updatepackage.exe
4764	vkgen_updatepackage.exe
4764	vkgen_updatepackage.exe
4764	vkgen_updatepackage.exe
4764	vkgen_updatepackage.exe
4764	vkgen_updatepackage.exe
4764	vkgen_updatepackage.exe
4764	vkgen_updatepackage.exe
4764	vkgen_updatepackage.exe
4764	vkgen_updatepackage.exe
4764	vkgen_updatepackage.exe
704	WerFault.exe
704	WerFault.exe
704	WerFault.exe
704	WerFault.exe
704	WerFault.exe
704	WerFault.exe
704	WerFault.exe
704	WerFault.exe
704	WerFault.exe
704	WerFault.exe
704	WerFault.exe
704	WerFault.exe
704	WerFault.exe
704	WerFault.exe
704	WerFault.exe
4548	vkgen_updatepackage.exe
4548	vkgen_updatepackage.exe
4548	vkgen_updatepackage.exe
4548	vkgen_updatepackage.exe
4548	vkgen_updatepackage.exe
4548	vkgen_updatepackage.exe
4548	vkgen_updatepackage.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

4736 MicrosoftEdgeCP.exe
4736 MicrosoftEdgeCP.exe

pid	process
4736	MicrosoftEdgeCP.exe
4736	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 55 IoCs

Processes:

vkgen_updatepackage.exeWerFault.exevkgen_updatepackage.exevkgen_updatepackage.exeWerFault.exeWerFault.exeWerFault.exevkgen_updatepackage.exeWerFault.exevkgen_updatepackage.exeWerFault.exevkgen_updatepackage.exeWerFault.exevkgen_updatepackage.exeWerFault.exevkgen_updatepackage.exeWerFault.exevkgen_updatepackage.exeWerFault.exeMicrosoftEdge.exeMicrosoftEdgeCP.exevkgen_updatepackage.exeWerFault.exefirefox.exe

description	pid	process
Token: SeDebugPrivilege	4764	vkgen_updatepackage.exe
Token: SeRestorePrivilege	704	WerFault.exe
Token: SeBackupPrivilege	704	WerFault.exe
Token: SeDebugPrivilege	704	WerFault.exe
Token: SeDebugPrivilege	4548	vkgen_updatepackage.exe
Token: SeDebugPrivilege	380	vkgen_updatepackage.exe
Token: SeDebugPrivilege	2916	WerFault.exe
Token: SeDebugPrivilege	4584	WerFault.exe
Token: SeDebugPrivilege	1780	WerFault.exe
Token: SeDebugPrivilege	2124	vkgen_updatepackage.exe
Token: SeDebugPrivilege	1184	WerFault.exe
Token: SeDebugPrivilege	4292	vkgen_updatepackage.exe
Token: SeDebugPrivilege	4440	WerFault.exe
Token: SeDebugPrivilege	4624	vkgen_updatepackage.exe
Token: SeDebugPrivilege	676	WerFault.exe
Token: SeDebugPrivilege	988	vkgen_updatepackage.exe
Token: SeDebugPrivilege	2008	WerFault.exe
Token: SeDebugPrivilege	3328	vkgen_updatepackage.exe
Token: SeDebugPrivilege	1336	WerFault.exe
Token: SeDebugPrivilege	4940	vkgen_updatepackage.exe
Token: SeDebugPrivilege	1400	WerFault.exe
Token: SeDebugPrivilege	4904	MicrosoftEdge.exe
Token: SeDebugPrivilege	4904	MicrosoftEdge.exe
Token: SeDebugPrivilege	4904	MicrosoftEdge.exe
Token: SeDebugPrivilege	4904	MicrosoftEdge.exe
Token: SeDebugPrivilege	4980	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4980	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4980	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4980	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4904	MicrosoftEdge.exe
Token: SeDebugPrivilege	2588	vkgen_updatepackage.exe
Token: SeDebugPrivilege	2836	WerFault.exe
Token: SeDebugPrivilege	1484	firefox.exe
Token: SeDebugPrivilege	1484	firefox.exe
Token: SeDebugPrivilege	1484	firefox.exe
Token: SeDebugPrivilege	1484	firefox.exe
Token: SeDebugPrivilege	1484	firefox.exe
Token: SeDebugPrivilege	1484	firefox.exe
Token: SeDebugPrivilege	1484	firefox.exe
Token: SeDebugPrivilege	1484	firefox.exe
Token: SeDebugPrivilege	1484	firefox.exe
Token: SeDebugPrivilege	1484	firefox.exe
Token: SeDebugPrivilege	1484	firefox.exe
Token: SeDebugPrivilege	1484	firefox.exe
Token: SeDebugPrivilege	1484	firefox.exe
Token: SeDebugPrivilege	1484	firefox.exe
Token: SeDebugPrivilege	1484	firefox.exe
Token: SeDebugPrivilege	1484	firefox.exe
Token: SeDebugPrivilege	1484	firefox.exe
Token: SeDebugPrivilege	1484	firefox.exe
Token: SeDebugPrivilege	1484	firefox.exe
Token: SeDebugPrivilege	1484	firefox.exe
Token: SeDebugPrivilege	1484	firefox.exe
Token: SeDebugPrivilege	1484	firefox.exe
Token: SeDebugPrivilege	1484	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

1484 firefox.exe
1484 firefox.exe
1484 firefox.exe
1484 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

1484 firefox.exe
1484 firefox.exe
1484 firefox.exe

pid	process
1484	firefox.exe
1484	firefox.exe
1484	firefox.exe
1484	firefox.exe

pid	process
1484	firefox.exe
1484	firefox.exe
1484	firefox.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exefirefox.exe

pid	process
4904	MicrosoftEdge.exe
4736	MicrosoftEdgeCP.exe
4736	MicrosoftEdgeCP.exe
1484	firefox.exe
1484	firefox.exe
1484	firefox.exe
1484	firefox.exe
1484	firefox.exe
1484	firefox.exe

Suspicious use of WriteProcessMemory 146 IoCs

Processes:

MicrosoftEdgeCP.exefirefox.exefirefox.exe

description	pid	process	target process
PID 4736 wrote to memory of 4980	4736	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4736 wrote to memory of 4980	4736	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4736 wrote to memory of 4980	4736	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4736 wrote to memory of 4980	4736	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4736 wrote to memory of 4980	4736	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4736 wrote to memory of 4980	4736	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3576 wrote to memory of 1484	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 1484	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 1484	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 1484	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 1484	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 1484	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 1484	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 1484	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 1484	3576	firefox.exe	firefox.exe
PID 1484 wrote to memory of 4460	1484	firefox.exe	firefox.exe
PID 1484 wrote to memory of 4460	1484	firefox.exe	firefox.exe
PID 1484 wrote to memory of 3344	1484	firefox.exe	firefox.exe
PID 1484 wrote to memory of 3344	1484	firefox.exe	firefox.exe
PID 1484 wrote to memory of 3344	1484	firefox.exe	firefox.exe
PID 1484 wrote to memory of 3344	1484	firefox.exe	firefox.exe
PID 1484 wrote to memory of 3344	1484	firefox.exe	firefox.exe
PID 1484 wrote to memory of 3344	1484	firefox.exe	firefox.exe
PID 1484 wrote to memory of 3344	1484	firefox.exe	firefox.exe
PID 1484 wrote to memory of 3344	1484	firefox.exe	firefox.exe
PID 1484 wrote to memory of 3344	1484	firefox.exe	firefox.exe
PID 1484 wrote to memory of 3344	1484	firefox.exe	firefox.exe
PID 1484 wrote to memory of 3344	1484	firefox.exe	firefox.exe
PID 1484 wrote to memory of 3344	1484	firefox.exe	firefox.exe
PID 1484 wrote to memory of 3344	1484	firefox.exe	firefox.exe
PID 1484 wrote to memory of 3344	1484	firefox.exe	firefox.exe
PID 1484 wrote to memory of 3344	1484	firefox.exe	firefox.exe
PID 1484 wrote to memory of 3344	1484	firefox.exe	firefox.exe
PID 1484 wrote to memory of 3344	1484	firefox.exe	firefox.exe
PID 1484 wrote to memory of 3344	1484	firefox.exe	firefox.exe
PID 1484 wrote to memory of 3344	1484	firefox.exe	firefox.exe
PID 1484 wrote to memory of 3344	1484	firefox.exe	firefox.exe
PID 1484 wrote to memory of 3344	1484	firefox.exe	firefox.exe
PID 1484 wrote to memory of 3344	1484	firefox.exe	firefox.exe
PID 1484 wrote to memory of 3344	1484	firefox.exe	firefox.exe
PID 1484 wrote to memory of 3344	1484	firefox.exe	firefox.exe
PID 1484 wrote to memory of 3344	1484	firefox.exe	firefox.exe
PID 1484 wrote to memory of 3344	1484	firefox.exe	firefox.exe
PID 1484 wrote to memory of 3344	1484	firefox.exe	firefox.exe
PID 1484 wrote to memory of 3344	1484	firefox.exe	firefox.exe
PID 1484 wrote to memory of 3344	1484	firefox.exe	firefox.exe
PID 1484 wrote to memory of 3344	1484	firefox.exe	firefox.exe
PID 1484 wrote to memory of 3344	1484	firefox.exe	firefox.exe
PID 1484 wrote to memory of 3344	1484	firefox.exe	firefox.exe
PID 1484 wrote to memory of 3344	1484	firefox.exe	firefox.exe
PID 1484 wrote to memory of 3344	1484	firefox.exe	firefox.exe
PID 1484 wrote to memory of 3344	1484	firefox.exe	firefox.exe
PID 1484 wrote to memory of 3344	1484	firefox.exe	firefox.exe
PID 1484 wrote to memory of 3344	1484	firefox.exe	firefox.exe
PID 1484 wrote to memory of 3344	1484	firefox.exe	firefox.exe
PID 1484 wrote to memory of 3344	1484	firefox.exe	firefox.exe
PID 1484 wrote to memory of 3344	1484	firefox.exe	firefox.exe
PID 1484 wrote to memory of 3344	1484	firefox.exe	firefox.exe
PID 1484 wrote to memory of 3344	1484	firefox.exe	firefox.exe
PID 1484 wrote to memory of 3344	1484	firefox.exe	firefox.exe
PID 1484 wrote to memory of 3236	1484	firefox.exe	firefox.exe
PID 1484 wrote to memory of 3236	1484	firefox.exe	firefox.exe
PID 1484 wrote to memory of 3236	1484	firefox.exe	firefox.exe
PID 1484 wrote to memory of 3236	1484	firefox.exe	firefox.exe

C:\Users\Admin\AppData\Local\Temp\vkgen_updatepackage.exe
"C:\Users\Admin\AppData\Local\Temp\vkgen_updatepackage.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 2168
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:704

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4492

C:\Users\Admin\AppData\Local\Temp\vkgen_updatepackage.exe
"C:\Users\Admin\AppData\Local\Temp\vkgen_updatepackage.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 2252
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4584

C:\Users\Admin\AppData\Local\Temp\vkgen_updatepackage.exe
"C:\Users\Admin\AppData\Local\Temp\vkgen_updatepackage.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 2248
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 1980
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Users\Admin\AppData\Local\Temp\vkgen_updatepackage.exe
"C:\Users\Admin\AppData\Local\Temp\vkgen_updatepackage.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 2032
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1184

C:\Users\Admin\AppData\Local\Temp\vkgen_updatepackage.exe
"C:\Users\Admin\AppData\Local\Temp\vkgen_updatepackage.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 1896
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4440

C:\Users\Admin\AppData\Local\Temp\vkgen_updatepackage.exe
"C:\Users\Admin\AppData\Local\Temp\vkgen_updatepackage.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 2180
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:676

C:\Users\Admin\AppData\Local\Temp\vkgen_updatepackage.exe
"C:\Users\Admin\AppData\Local\Temp\vkgen_updatepackage.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 2036
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Users\Admin\AppData\Local\Temp\vkgen_updatepackage.exe
"C:\Users\Admin\AppData\Local\Temp\vkgen_updatepackage.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 2076
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1336

C:\Users\Admin\AppData\Local\Temp\vkgen_updatepackage.exe
"C:\Users\Admin\AppData\Local\Temp\vkgen_updatepackage.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 2140
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4904

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3972

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4736

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4980

C:\Users\Admin\AppData\Local\Temp\vkgen_updatepackage.exe
"C:\Users\Admin\AppData\Local\Temp\vkgen_updatepackage.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 2272
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2836

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3576

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1484

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1484.0.365554695\1608514037" -parentBuildID 20200403170909 -prefsHandle 1536 -prefMapHandle 1528 -prefsLen 1 -prefMapSize 219511 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1484 "\\.\pipe\gecko-crash-server-pipe.1484" 1628 gpu
3⤵
PID:4460

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1484.3.1709074083\1183651794" -childID 1 -isForBrowser -prefsHandle 2248 -prefMapHandle 2244 -prefsLen 156 -prefMapSize 219511 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1484 "\\.\pipe\gecko-crash-server-pipe.1484" 2260 tab
3⤵
PID:3344

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1484.13.157373985\1805608861" -childID 2 -isForBrowser -prefsHandle 3324 -prefMapHandle 3320 -prefsLen 7013 -prefMapSize 219511 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1484 "\\.\pipe\gecko-crash-server-pipe.1484" 3332 tab
3⤵
PID:3236

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1484.20.2060882621\253041381" -childID 3 -isForBrowser -prefsHandle 4160 -prefMapHandle 4800 -prefsLen 8126 -prefMapSize 219511 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1484 "\\.\pipe\gecko-crash-server-pipe.1484" 4812 tab
3⤵
PID:4004

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/380-102-0x000000000A588000-0x000000000A589000-memory.dmp

Filesize
4KB

Download
memory/380-126-0x000000000A588000-0x000000000A58E000-memory.dmp

Filesize
24KB

Download
memory/380-137-0x000000000C562000-0x000000000C56A000-memory.dmp

Filesize
32KB

Download
memory/380-121-0x000000000C571000-0x000000000C576000-memory.dmp

Filesize
20KB

Download
memory/380-127-0x000000000C579000-0x000000000C57A000-memory.dmp

Filesize
4KB

Download
memory/380-118-0x000000000C561000-0x000000000C566000-memory.dmp

Filesize
20KB

Download
memory/380-117-0x000000000C56F000-0x000000000C570000-memory.dmp

Filesize
4KB

Download
memory/380-116-0x000000000C567000-0x000000000C56C000-memory.dmp

Filesize
20KB

Download
memory/380-115-0x000000000C56C000-0x000000000C571000-memory.dmp

Filesize
20KB

Download
memory/380-111-0x000000000C564000-0x000000000C567000-memory.dmp

Filesize
12KB

Download
memory/380-131-0x000000000A588000-0x000000000A58E000-memory.dmp

Filesize
24KB

Download
memory/380-134-0x000000000C562000-0x000000000C566000-memory.dmp

Filesize
16KB

Download
memory/380-105-0x000000000C560000-0x000000000C564000-memory.dmp

Filesize
16KB

Download
memory/380-103-0x000000000A589000-0x000000000A58F000-memory.dmp

Filesize
24KB

Download
memory/380-156-0x000000000C572000-0x000000000C57A000-memory.dmp

Filesize
32KB

Download
memory/380-123-0x000000000C576000-0x000000000C57B000-memory.dmp

Filesize
20KB

Download
memory/380-99-0x000000000A587000-0x000000000A588000-memory.dmp

Filesize
4KB

Download
memory/380-98-0x000000000A586000-0x000000000A587000-memory.dmp

Filesize
4KB

Download
memory/380-97-0x000000000A585000-0x000000000A586000-memory.dmp

Filesize
4KB

Download
memory/380-93-0x000000000A583000-0x000000000A585000-memory.dmp

Filesize
8KB

Download
memory/380-92-0x000000000A580000-0x000000000A581000-memory.dmp

Filesize
4KB

Download
memory/380-168-0x000000000C561000-0x000000000C562000-memory.dmp

Filesize
4KB

Download
memory/380-82-0x0000000073150000-0x000000007383E000-memory.dmp

Filesize
6.9MB

Download
memory/380-140-0x000000000C562000-0x000000000C570000-memory.dmp

Filesize
56KB

Download
memory/380-141-0x000000000C561000-0x000000000C563000-memory.dmp

Filesize
8KB

Download
memory/380-143-0x000000000A588000-0x000000000A58B000-memory.dmp

Filesize
12KB

Download
memory/380-146-0x000000000A58A000-0x000000000A58E000-memory.dmp

Filesize
16KB

Download
memory/380-154-0x000000000A588000-0x000000000A58E000-memory.dmp

Filesize
24KB

Download
memory/676-326-0x0000000004640000-0x0000000004641000-memory.dmp

Filesize
4KB

Download
memory/704-24-0x0000000004D70000-0x0000000004D71000-memory.dmp

Filesize
4KB

Download
memory/988-350-0x000000000C374000-0x000000000C377000-memory.dmp

Filesize
12KB

Download
memory/988-345-0x0000000003746000-0x0000000003747000-memory.dmp

Filesize
4KB

Download
memory/988-349-0x000000000C370000-0x000000000C374000-memory.dmp

Filesize
16KB

Download
memory/988-352-0x000000000C37A000-0x000000000C37F000-memory.dmp

Filesize
20KB

Download
memory/988-351-0x000000000C377000-0x000000000C37A000-memory.dmp

Filesize
12KB

Download
memory/988-353-0x000000000C37F000-0x000000000C384000-memory.dmp

Filesize
20KB

Download
memory/988-348-0x0000000003749000-0x000000000374F000-memory.dmp

Filesize
24KB

Download
memory/988-329-0x0000000073150000-0x000000007383E000-memory.dmp

Filesize
6.9MB

Download
memory/988-340-0x0000000003743000-0x0000000003745000-memory.dmp

Filesize
8KB

Download
memory/988-338-0x0000000003740000-0x0000000003741000-memory.dmp

Filesize
4KB

Download
memory/988-341-0x0000000003748000-0x0000000003749000-memory.dmp

Filesize
4KB

Download
memory/988-343-0x0000000003745000-0x0000000003746000-memory.dmp

Filesize
4KB

Download
memory/988-346-0x0000000003747000-0x0000000003748000-memory.dmp

Filesize
4KB

Download
memory/1184-249-0x0000000004640000-0x0000000004641000-memory.dmp

Filesize
4KB

Download
memory/1336-382-0x0000000004640000-0x0000000004641000-memory.dmp

Filesize
4KB

Download
memory/1400-411-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/1484-455-0x0000000000000000-mapping.dmp

Download
memory/1780-209-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/2008-354-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/2124-243-0x000000000C171000-0x000000000C178000-memory.dmp

Filesize
28KB

Download
memory/2124-244-0x000000000C17D000-0x000000000C182000-memory.dmp

Filesize
20KB

Download
memory/2124-233-0x000000000C174000-0x000000000C177000-memory.dmp

Filesize
12KB

Download
memory/2124-232-0x000000000C170000-0x000000000C174000-memory.dmp

Filesize
16KB

Download
memory/2124-230-0x00000000038A9000-0x00000000038AF000-memory.dmp

Filesize
24KB

Download
memory/2124-229-0x00000000038A8000-0x00000000038A9000-memory.dmp

Filesize
4KB

Download
memory/2124-225-0x00000000038A6000-0x00000000038A7000-memory.dmp

Filesize
4KB

Download
memory/2124-224-0x00000000038A7000-0x00000000038A8000-memory.dmp

Filesize
4KB

Download
memory/2124-248-0x000000000C171000-0x000000000C174000-memory.dmp

Filesize
12KB

Download
memory/2124-221-0x00000000038A0000-0x00000000038A1000-memory.dmp

Filesize
4KB

Download
memory/2124-234-0x000000000C177000-0x000000000C17C000-memory.dmp

Filesize
20KB

Download
memory/2124-222-0x00000000038A3000-0x00000000038A5000-memory.dmp

Filesize
8KB

Download
memory/2124-235-0x000000000C17C000-0x000000000C181000-memory.dmp

Filesize
20KB

Download
memory/2124-236-0x000000000C181000-0x000000000C186000-memory.dmp

Filesize
20KB

Download
memory/2124-223-0x00000000038A5000-0x00000000038A6000-memory.dmp

Filesize
4KB

Download
memory/2124-238-0x000000000C175000-0x000000000C17E000-memory.dmp

Filesize
36KB

Download
memory/2124-247-0x000000000C185000-0x000000000C18A000-memory.dmp

Filesize
20KB

Download
memory/2124-245-0x000000000C17D000-0x000000000C18A000-memory.dmp

Filesize
52KB

Download
memory/2124-237-0x00000000038AC000-0x00000000038AE000-memory.dmp

Filesize
8KB

Download
memory/2124-246-0x00000000038A6000-0x00000000038A7000-memory.dmp

Filesize
4KB

Download
memory/2124-240-0x000000000C186000-0x000000000C18B000-memory.dmp

Filesize
20KB

Download
memory/2124-212-0x0000000073150000-0x000000007383E000-memory.dmp

Filesize
6.9MB

Download
memory/2124-242-0x00000000038AC000-0x00000000038AE000-memory.dmp

Filesize
8KB

Download
memory/2124-241-0x00000000038A6000-0x00000000038A7000-memory.dmp

Filesize
4KB

Download
memory/2124-239-0x000000000C183000-0x000000000C185000-memory.dmp

Filesize
8KB

Download
memory/2588-432-0x000000000A177000-0x000000000A178000-memory.dmp

Filesize
4KB

Download
memory/2588-437-0x000000000C1F7000-0x000000000C1FA000-memory.dmp

Filesize
12KB

Download
memory/2588-438-0x000000000C1FA000-0x000000000C1FD000-memory.dmp

Filesize
12KB

Download
memory/2588-441-0x000000000C1F1000-0x000000000C1F5000-memory.dmp

Filesize
16KB

Download
memory/2588-431-0x000000000A176000-0x000000000A177000-memory.dmp

Filesize
4KB

Download
memory/2588-436-0x000000000C1F4000-0x000000000C1F7000-memory.dmp

Filesize
12KB

Download
memory/2588-442-0x000000000C1F1000-0x000000000C1F6000-memory.dmp

Filesize
20KB

Download
memory/2588-430-0x000000000A175000-0x000000000A176000-memory.dmp

Filesize
4KB

Download
memory/2588-435-0x000000000C1F0000-0x000000000C1F4000-memory.dmp

Filesize
16KB

Download
memory/2588-434-0x000000000A179000-0x000000000A17F000-memory.dmp

Filesize
24KB

Download
memory/2588-444-0x000000000C1F9000-0x000000000C202000-memory.dmp

Filesize
36KB

Download
memory/2588-445-0x000000000A179000-0x000000000A17E000-memory.dmp

Filesize
20KB

Download
memory/2588-440-0x000000000C202000-0x000000000C207000-memory.dmp

Filesize
20KB

Download
memory/2588-439-0x000000000C1FD000-0x000000000C202000-memory.dmp

Filesize
20KB

Download
memory/2588-443-0x000000000A179000-0x000000000A17E000-memory.dmp

Filesize
20KB

Download
memory/2588-446-0x000000000C1F1000-0x000000000C1F8000-memory.dmp

Filesize
28KB

Download
memory/2588-415-0x0000000073150000-0x000000007383E000-memory.dmp

Filesize
6.9MB

Download
memory/2588-454-0x000000000C201000-0x000000000C202000-memory.dmp

Filesize
4KB

Download
memory/2588-429-0x000000000A178000-0x000000000A179000-memory.dmp

Filesize
4KB

Download
memory/2588-428-0x000000000A173000-0x000000000A175000-memory.dmp

Filesize
8KB

Download
memory/2588-426-0x000000000A170000-0x000000000A171000-memory.dmp

Filesize
4KB

Download
memory/2836-447-0x0000000004640000-0x0000000004641000-memory.dmp

Filesize
4KB

Download
memory/2916-161-0x0000000004640000-0x0000000004641000-memory.dmp

Filesize
4KB

Download
memory/2916-166-0x0000000004640000-0x0000000004641000-memory.dmp

Filesize
4KB

Download
memory/3236-458-0x0000000000000000-mapping.dmp

Download
memory/3328-378-0x000000000BF24000-0x000000000BF27000-memory.dmp

Filesize
12KB

Download
memory/3328-377-0x000000000BF20000-0x000000000BF24000-memory.dmp

Filesize
16KB

Download
memory/3328-366-0x0000000009E60000-0x0000000009E61000-memory.dmp

Filesize
4KB

Download
memory/3328-367-0x0000000009E63000-0x0000000009E65000-memory.dmp

Filesize
8KB

Download
memory/3328-381-0x000000000BF2F000-0x000000000BF34000-memory.dmp

Filesize
20KB

Download
memory/3328-380-0x000000000BF2A000-0x000000000BF2F000-memory.dmp

Filesize
20KB

Download
memory/3328-379-0x000000000BF27000-0x000000000BF2A000-memory.dmp

Filesize
12KB

Download
memory/3328-357-0x0000000073150000-0x000000007383E000-memory.dmp

Filesize
6.9MB

Download
memory/3328-372-0x0000000009E66000-0x0000000009E67000-memory.dmp

Filesize
4KB

Download
memory/3328-375-0x0000000009E69000-0x0000000009E6F000-memory.dmp

Filesize
24KB

Download
memory/3328-374-0x0000000009E68000-0x0000000009E69000-memory.dmp

Filesize
4KB

Download
memory/3328-373-0x0000000009E67000-0x0000000009E68000-memory.dmp

Filesize
4KB

Download
memory/3328-371-0x0000000009E65000-0x0000000009E66000-memory.dmp

Filesize
4KB

Download
memory/3344-457-0x0000000000000000-mapping.dmp

Download
memory/4004-459-0x0000000000000000-mapping.dmp

Download
memory/4292-273-0x000000000C414000-0x000000000C417000-memory.dmp

Filesize
12KB

Download
memory/4292-268-0x000000000A426000-0x000000000A427000-memory.dmp

Filesize
4KB

Download
memory/4292-279-0x000000000C41B000-0x000000000C422000-memory.dmp

Filesize
28KB

Download
memory/4292-281-0x000000000C411000-0x000000000C414000-memory.dmp

Filesize
12KB

Download
memory/4292-282-0x000000000C411000-0x000000000C418000-memory.dmp

Filesize
28KB

Download
memory/4292-283-0x000000000A429000-0x000000000A42E000-memory.dmp

Filesize
20KB

Download
memory/4292-264-0x000000000A420000-0x000000000A421000-memory.dmp

Filesize
4KB

Download
memory/4292-287-0x000000000C419000-0x000000000C422000-memory.dmp

Filesize
36KB

Download
memory/4292-278-0x000000000A429000-0x000000000A42E000-memory.dmp

Filesize
20KB

Download
memory/4292-277-0x000000000C422000-0x000000000C427000-memory.dmp

Filesize
20KB

Download
memory/4292-276-0x000000000C41D000-0x000000000C422000-memory.dmp

Filesize
20KB

Download
memory/4292-275-0x000000000C41A000-0x000000000C41D000-memory.dmp

Filesize
12KB

Download
memory/4292-274-0x000000000C417000-0x000000000C41A000-memory.dmp

Filesize
12KB

Download
memory/4292-252-0x0000000073150000-0x000000007383E000-memory.dmp

Filesize
6.9MB

Download
memory/4292-272-0x000000000C410000-0x000000000C414000-memory.dmp

Filesize
16KB

Download
memory/4292-271-0x000000000A429000-0x000000000A42F000-memory.dmp

Filesize
24KB

Download
memory/4292-280-0x000000000C411000-0x000000000C416000-memory.dmp

Filesize
20KB

Download
memory/4292-269-0x000000000A427000-0x000000000A428000-memory.dmp

Filesize
4KB

Download
memory/4292-267-0x000000000A428000-0x000000000A429000-memory.dmp

Filesize
4KB

Download
memory/4292-266-0x000000000A425000-0x000000000A426000-memory.dmp

Filesize
4KB

Download
memory/4292-265-0x000000000A423000-0x000000000A425000-memory.dmp

Filesize
8KB

Download
memory/4440-284-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download
memory/4460-456-0x0000000000000000-mapping.dmp

Download
memory/4548-189-0x000000000BAF1000-0x000000000BAF2000-memory.dmp

Filesize
4KB

Download
memory/4548-50-0x000000000BAF7000-0x000000000BAFA000-memory.dmp

Filesize
12KB

Download
memory/4548-170-0x0000000009A2D000-0x0000000009A2E000-memory.dmp

Filesize
4KB

Download
memory/4548-171-0x000000000BAF8000-0x000000000BAFD000-memory.dmp

Filesize
20KB

Download
memory/4548-172-0x0000000009A2B000-0x0000000009A2E000-memory.dmp

Filesize
12KB

Download
memory/4548-174-0x000000000BAF8000-0x000000000BB00000-memory.dmp

Filesize
32KB

Download
memory/4548-173-0x000000000BAFA000-0x000000000BAFD000-memory.dmp

Filesize
12KB

Download
memory/4548-175-0x000000000BAF3000-0x000000000BAF7000-memory.dmp

Filesize
16KB

Download
memory/4548-176-0x000000000BB02000-0x000000000BB06000-memory.dmp

Filesize
16KB

Download
memory/4548-177-0x000000000BAF1000-0x000000000BAF2000-memory.dmp

Filesize
4KB

Download
memory/4548-178-0x0000000009A2B000-0x0000000009A2E000-memory.dmp

Filesize
12KB

Download
memory/4548-180-0x000000000BB02000-0x000000000BB08000-memory.dmp

Filesize
24KB

Download
memory/4548-181-0x000000000BB06000-0x000000000BB09000-memory.dmp

Filesize
12KB

Download
memory/4548-179-0x000000000BB06000-0x000000000BB07000-memory.dmp

Filesize
4KB

Download
memory/4548-182-0x000000000BAF3000-0x000000000BAF8000-memory.dmp

Filesize
20KB

Download
memory/4548-183-0x000000000BAF7000-0x000000000BAFB000-memory.dmp

Filesize
16KB

Download
memory/4548-184-0x000000000BAF3000-0x000000000BAF4000-memory.dmp

Filesize
4KB

Download
memory/4548-185-0x000000000BAF1000-0x000000000BAF2000-memory.dmp

Filesize
4KB

Download
memory/4548-186-0x0000000009A2B000-0x0000000009A2E000-memory.dmp

Filesize
12KB

Download
memory/4548-187-0x000000000BB06000-0x000000000BB09000-memory.dmp

Filesize
12KB

Download
memory/4548-188-0x000000000BAF7000-0x000000000BB00000-memory.dmp

Filesize
36KB

Download
memory/4548-28-0x0000000073150000-0x000000007383E000-memory.dmp

Filesize
6.9MB

Download
memory/4548-190-0x000000000BAFE000-0x000000000BB00000-memory.dmp

Filesize
8KB

Download
memory/4548-191-0x0000000009A2B000-0x0000000009A2C000-memory.dmp

Filesize
4KB

Download
memory/4548-192-0x0000000009A2B000-0x0000000009A2E000-memory.dmp

Filesize
12KB

Download
memory/4548-193-0x000000000BAF3000-0x000000000BAF8000-memory.dmp

Filesize
20KB

Download
memory/4548-194-0x000000000BAF1000-0x000000000BAF2000-memory.dmp

Filesize
4KB

Download
memory/4548-195-0x000000000BB06000-0x000000000BB09000-memory.dmp

Filesize
12KB

Download
memory/4548-196-0x0000000009A2B000-0x0000000009A2E000-memory.dmp

Filesize
12KB

Download
memory/4548-197-0x000000000BAF5000-0x000000000BB00000-memory.dmp

Filesize
44KB

Download
memory/4548-198-0x000000000BAFA000-0x000000000BAFB000-memory.dmp

Filesize
4KB

Download
memory/4548-199-0x000000000BAF1000-0x000000000BAF2000-memory.dmp

Filesize
4KB

Download
memory/4548-200-0x000000000BAFC000-0x000000000BB00000-memory.dmp

Filesize
16KB

Download
memory/4548-201-0x0000000009A2B000-0x0000000009A2E000-memory.dmp

Filesize
12KB

Download
memory/4548-202-0x000000000BB06000-0x000000000BB09000-memory.dmp

Filesize
12KB

Download
memory/4548-203-0x000000000BAF3000-0x000000000BAF8000-memory.dmp

Filesize
20KB

Download
memory/4548-204-0x000000000BAF1000-0x000000000BAF2000-memory.dmp

Filesize
4KB

Download
memory/4548-32-0x0000000009BE0000-0x0000000009BE1000-memory.dmp

Filesize
4KB

Download
memory/4548-208-0x0000000009A2B000-0x0000000009A2D000-memory.dmp

Filesize
8KB

Download
memory/4548-160-0x000000000BAF1000-0x000000000BAF2000-memory.dmp

Filesize
4KB

Download
memory/4548-159-0x000000000BB02000-0x000000000BB07000-memory.dmp

Filesize
20KB

Download
memory/4548-158-0x000000000BB05000-0x000000000BB07000-memory.dmp

Filesize
8KB

Download
memory/4548-157-0x000000000BB02000-0x000000000BB05000-memory.dmp

Filesize
12KB

Download
memory/4548-155-0x000000000BAFE000-0x000000000BB00000-memory.dmp

Filesize
8KB

Download
memory/4548-153-0x000000000BB08000-0x000000000BB09000-memory.dmp

Filesize
4KB

Download
memory/4548-152-0x0000000009A2B000-0x0000000009A2E000-memory.dmp

Filesize
12KB

Download
memory/4548-151-0x000000000BAF8000-0x000000000BAFA000-memory.dmp

Filesize
8KB

Download
memory/4548-150-0x000000000BAF1000-0x000000000BAF2000-memory.dmp

Filesize
4KB

Download
memory/4548-149-0x000000000BAF9000-0x000000000BB00000-memory.dmp

Filesize
28KB

Download
memory/4548-148-0x000000000BAF9000-0x000000000BAFB000-memory.dmp

Filesize
8KB

Download
memory/4548-147-0x0000000009A2B000-0x0000000009A2E000-memory.dmp

Filesize
12KB

Download
memory/4548-145-0x000000000BB02000-0x000000000BB04000-memory.dmp

Filesize
8KB

Download
memory/4548-144-0x000000000BB02000-0x000000000BB03000-memory.dmp

Filesize
4KB

Download
memory/4548-142-0x000000000BB08000-0x000000000BB09000-memory.dmp

Filesize
4KB

Download
memory/4548-139-0x000000000BB02000-0x000000000BB09000-memory.dmp

Filesize
28KB

Download
memory/4548-138-0x000000000BAF1000-0x000000000BAF2000-memory.dmp

Filesize
4KB

Download
memory/4548-136-0x000000000BAFA000-0x000000000BB00000-memory.dmp

Filesize
24KB

Download
memory/4548-135-0x000000000BB02000-0x000000000BB06000-memory.dmp

Filesize
16KB

Download
memory/4548-132-0x0000000009A2B000-0x0000000009A2E000-memory.dmp

Filesize
12KB

Download
memory/4548-133-0x000000000BB06000-0x000000000BB09000-memory.dmp

Filesize
12KB

Download
memory/4548-130-0x0000000009A2B000-0x0000000009A2D000-memory.dmp

Filesize
8KB

Download
memory/4548-129-0x000000000BAF8000-0x000000000BAFA000-memory.dmp

Filesize
8KB

Download
memory/4548-128-0x000000000BAF8000-0x000000000BAF9000-memory.dmp

Filesize
4KB

Download
memory/4548-125-0x000000000BAF1000-0x000000000BAF2000-memory.dmp

Filesize
4KB

Download
memory/4548-124-0x000000000BB03000-0x000000000BB09000-memory.dmp

Filesize
24KB

Download
memory/4548-122-0x000000000BAF9000-0x000000000BB00000-memory.dmp

Filesize
28KB

Download
memory/4548-120-0x0000000009A2B000-0x0000000009A2E000-memory.dmp

Filesize
12KB

Download
memory/4548-119-0x000000000BAF1000-0x000000000BAF2000-memory.dmp

Filesize
4KB

Download
memory/4548-114-0x000000000BAF7000-0x000000000BAFC000-memory.dmp

Filesize
20KB

Download
memory/4548-113-0x000000000BB02000-0x000000000BB09000-memory.dmp

Filesize
28KB

Download
memory/4548-112-0x000000000BB03000-0x000000000BB07000-memory.dmp

Filesize
16KB

Download
memory/4548-110-0x0000000009A2B000-0x0000000009A2E000-memory.dmp

Filesize
12KB

Download
memory/4548-109-0x0000000009A2A000-0x0000000009A2C000-memory.dmp

Filesize
8KB

Download
memory/4548-108-0x000000000BAF1000-0x000000000BAF2000-memory.dmp

Filesize
4KB

Download
memory/4548-107-0x000000000BAF1000-0x000000000BAFC000-memory.dmp

Filesize
44KB

Download
memory/4548-106-0x000000000BAF1000-0x000000000BAF2000-memory.dmp

Filesize
4KB

Download
memory/4548-104-0x000000000BB02000-0x000000000BB09000-memory.dmp

Filesize
28KB

Download
memory/4548-101-0x000000000BB02000-0x000000000BB05000-memory.dmp

Filesize
12KB

Download
memory/4548-85-0x0000000009A2A000-0x0000000009A2E000-memory.dmp

Filesize
16KB

Download
memory/4548-81-0x0000000009A25000-0x0000000009A26000-memory.dmp

Filesize
4KB

Download
memory/4548-80-0x0000000005C50000-0x0000000005C51000-memory.dmp

Filesize
4KB

Download
memory/4548-79-0x0000000005B20000-0x0000000005B4D000-memory.dmp

Filesize
180KB

Download
memory/4548-78-0x0000000005980000-0x0000000005AF1000-memory.dmp

Filesize
1.4MB

Download
memory/4548-77-0x0000000005760000-0x0000000005761000-memory.dmp

Filesize
4KB

Download
memory/4548-76-0x000000000BAF3000-0x000000000BAFC000-memory.dmp

Filesize
36KB

Download
memory/4548-75-0x000000000BB04000-0x000000000BB09000-memory.dmp

Filesize
20KB

Download
memory/4548-74-0x0000000009A2A000-0x0000000009A2C000-memory.dmp

Filesize
8KB

Download
memory/4548-73-0x0000000009A2C000-0x0000000009A2E000-memory.dmp

Filesize
8KB

Download
memory/4548-33-0x0000000005460000-0x0000000005461000-memory.dmp

Filesize
4KB

Download
memory/4548-37-0x0000000009A20000-0x0000000009A21000-memory.dmp

Filesize
4KB

Download
memory/4548-42-0x0000000009A29000-0x0000000009A2F000-memory.dmp

Filesize
24KB

Download
memory/4548-41-0x000000000B4A0000-0x000000000B4A1000-memory.dmp

Filesize
4KB

Download
memory/4548-39-0x0000000009A23000-0x0000000009A25000-memory.dmp

Filesize
8KB

Download
memory/4548-44-0x0000000009A26000-0x0000000009A27000-memory.dmp

Filesize
4KB

Download
memory/4548-43-0x0000000009A25000-0x0000000009A26000-memory.dmp

Filesize
4KB

Download
memory/4548-45-0x0000000009A27000-0x0000000009A28000-memory.dmp

Filesize
4KB

Download
memory/4548-46-0x0000000009A28000-0x0000000009A29000-memory.dmp

Filesize
4KB

Download
memory/4548-48-0x000000000BAF0000-0x000000000BAF4000-memory.dmp

Filesize
16KB

Download
memory/4548-49-0x000000000BAF4000-0x000000000BAF7000-memory.dmp

Filesize
12KB

Download
memory/4548-169-0x000000000BB08000-0x000000000BB09000-memory.dmp

Filesize
4KB

Download
memory/4548-51-0x000000000BAFA000-0x000000000BAFF000-memory.dmp

Filesize
20KB

Download
memory/4548-52-0x000000000BAFF000-0x000000000BB04000-memory.dmp

Filesize
20KB

Download
memory/4548-53-0x0000000009A2D000-0x0000000009A2E000-memory.dmp

Filesize
4KB

Download
memory/4548-54-0x000000000BB01000-0x000000000BB03000-memory.dmp

Filesize
8KB

Download
memory/4548-55-0x000000000BAF1000-0x000000000BAF8000-memory.dmp

Filesize
28KB

Download
memory/4548-56-0x000000000BAF1000-0x000000000BAF2000-memory.dmp

Filesize
4KB

Download
memory/4548-57-0x0000000009A2A000-0x0000000009A2E000-memory.dmp

Filesize
16KB

Download
memory/4548-58-0x000000000BAF7000-0x000000000BAF8000-memory.dmp

Filesize
4KB

Download
memory/4548-59-0x000000000BAF7000-0x000000000BB03000-memory.dmp

Filesize
48KB

Download
memory/4548-60-0x0000000009A25000-0x0000000009A26000-memory.dmp

Filesize
4KB

Download
memory/4548-61-0x000000000BAF1000-0x000000000BAF2000-memory.dmp

Filesize
4KB

Download
memory/4548-62-0x000000000BAFD000-0x000000000BB03000-memory.dmp

Filesize
24KB

Download
memory/4548-64-0x000000000BAF7000-0x000000000BAFC000-memory.dmp

Filesize
20KB

Download
memory/4548-63-0x0000000009A2A000-0x0000000009A2E000-memory.dmp

Filesize
16KB

Download
memory/4548-72-0x0000000009A25000-0x0000000009A26000-memory.dmp

Filesize
4KB

Download
memory/4548-71-0x000000000BAF1000-0x000000000BAFC000-memory.dmp

Filesize
44KB

Download
memory/4548-69-0x000000000BB01000-0x000000000BB03000-memory.dmp

Filesize
8KB

Download
memory/4548-70-0x000000000BB01000-0x000000000BB09000-memory.dmp

Filesize
32KB

Download
memory/4548-68-0x0000000009A2A000-0x0000000009A2E000-memory.dmp

Filesize
16KB

Download
memory/4548-67-0x0000000009A25000-0x0000000009A26000-memory.dmp

Filesize
4KB

Download
memory/4548-66-0x000000000BB07000-0x000000000BB0A000-memory.dmp

Filesize
12KB

Download
memory/4548-65-0x000000000BB04000-0x000000000BB07000-memory.dmp

Filesize
12KB

Download
memory/4584-205-0x0000000004640000-0x0000000004641000-memory.dmp

Filesize
4KB

Download
memory/4624-312-0x000000000BE4F000-0x000000000BE54000-memory.dmp

Filesize
20KB

Download
memory/4624-322-0x000000000BE4B000-0x000000000BE58000-memory.dmp

Filesize
52KB

Download
memory/4624-311-0x000000000BE4A000-0x000000000BE4F000-memory.dmp

Filesize
20KB

Download
memory/4624-310-0x000000000BE47000-0x000000000BE4A000-memory.dmp

Filesize
12KB

Download
memory/4624-321-0x000000000BE41000-0x000000000BE46000-memory.dmp

Filesize
20KB

Download
memory/4624-318-0x0000000003635000-0x0000000003636000-memory.dmp

Filesize
4KB

Download
memory/4624-319-0x0000000003637000-0x0000000003638000-memory.dmp

Filesize
4KB

Download
memory/4624-317-0x000000000BE47000-0x000000000BE50000-memory.dmp

Filesize
36KB

Download
memory/4624-316-0x000000000BE55000-0x000000000BE58000-memory.dmp

Filesize
12KB

Download
memory/4624-314-0x0000000003635000-0x0000000003636000-memory.dmp

Filesize
4KB

Download
memory/4624-315-0x000000000BE41000-0x000000000BE44000-memory.dmp

Filesize
12KB

Download
memory/4624-303-0x0000000003636000-0x0000000003637000-memory.dmp

Filesize
4KB

Download
memory/4624-302-0x0000000003635000-0x0000000003636000-memory.dmp

Filesize
4KB

Download
memory/4624-324-0x000000000BE55000-0x000000000BE58000-memory.dmp

Filesize
12KB

Download
memory/4624-320-0x000000000363C000-0x000000000363E000-memory.dmp

Filesize
8KB

Download
memory/4624-309-0x000000000BE44000-0x000000000BE47000-memory.dmp

Filesize
12KB

Download
memory/4624-308-0x000000000BE40000-0x000000000BE44000-memory.dmp

Filesize
16KB

Download
memory/4624-306-0x0000000003639000-0x000000000363F000-memory.dmp

Filesize
24KB

Download
memory/4624-304-0x0000000003637000-0x0000000003638000-memory.dmp

Filesize
4KB

Download
memory/4624-305-0x0000000003638000-0x0000000003639000-memory.dmp

Filesize
4KB

Download
memory/4624-325-0x000000000BE41000-0x000000000BE48000-memory.dmp

Filesize
28KB

Download
memory/4624-323-0x000000000363C000-0x000000000363E000-memory.dmp

Filesize
8KB

Download
memory/4624-288-0x0000000073150000-0x000000007383E000-memory.dmp

Filesize
6.9MB

Download
memory/4624-299-0x0000000003630000-0x0000000003631000-memory.dmp

Filesize
4KB

Download
memory/4624-301-0x0000000003633000-0x0000000003635000-memory.dmp

Filesize
8KB

Download
memory/4624-313-0x000000000BE54000-0x000000000BE59000-memory.dmp

Filesize
20KB

Download
memory/4764-18-0x000000000B890000-0x000000000B891000-memory.dmp

Filesize
4KB

Download
memory/4764-11-0x0000000009F40000-0x0000000009F41000-memory.dmp

Filesize
4KB

Download
memory/4764-3-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/4764-5-0x0000000009D50000-0x0000000009EF7000-memory.dmp

Filesize
1.7MB

Download
memory/4764-6-0x0000000009F50000-0x0000000009F51000-memory.dmp

Filesize
4KB

Download
memory/4764-7-0x000000000A2A0000-0x000000000A2A1000-memory.dmp

Filesize
4KB

Download
memory/4764-8-0x000000000A7F0000-0x000000000A7F1000-memory.dmp

Filesize
4KB

Download
memory/4764-9-0x000000000A390000-0x000000000A391000-memory.dmp

Filesize
4KB

Download
memory/4764-10-0x000000000A360000-0x000000000A381000-memory.dmp

Filesize
132KB

Download
memory/4764-13-0x0000000009F43000-0x0000000009F45000-memory.dmp

Filesize
8KB

Download
memory/4764-12-0x0000000009F47000-0x0000000009F48000-memory.dmp

Filesize
4KB

Download
memory/4764-2-0x0000000073150000-0x000000007383E000-memory.dmp

Filesize
6.9MB

Download
memory/4764-27-0x000000000B917000-0x000000000B91A000-memory.dmp

Filesize
12KB

Download
memory/4764-23-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/4764-22-0x000000000B910000-0x000000000B914000-memory.dmp

Filesize
16KB

Download
memory/4764-21-0x000000000B914000-0x000000000B917000-memory.dmp

Filesize
12KB

Download
memory/4764-20-0x0000000009F49000-0x0000000009F4F000-memory.dmp

Filesize
24KB

Download
memory/4764-19-0x0000000009F48000-0x0000000009F49000-memory.dmp

Filesize
4KB

Download
memory/4764-14-0x0000000009F45000-0x0000000009F46000-memory.dmp

Filesize
4KB

Download
memory/4764-17-0x000000000B8D0000-0x000000000B8D1000-memory.dmp

Filesize
4KB

Download
memory/4764-16-0x000000000B820000-0x000000000B888000-memory.dmp

Filesize
416KB

Download
memory/4764-15-0x0000000009F46000-0x0000000009F47000-memory.dmp

Filesize
4KB

Download
memory/4940-389-0x0000000073150000-0x000000007383E000-memory.dmp

Filesize
6.9MB

Download
memory/4940-398-0x0000000009F30000-0x0000000009F31000-memory.dmp

Filesize
4KB

Download
memory/4940-399-0x0000000009F37000-0x0000000009F38000-memory.dmp

Filesize
4KB

Download
memory/4940-408-0x0000000009F39000-0x0000000009F3F000-memory.dmp

Filesize
24KB

Download
memory/4940-400-0x0000000009F33000-0x0000000009F35000-memory.dmp

Filesize
8KB

Download
memory/4940-402-0x0000000009F38000-0x0000000009F39000-memory.dmp

Filesize
4KB

Download
memory/4940-406-0x0000000009F36000-0x0000000009F37000-memory.dmp

Filesize
4KB

Download
memory/4940-414-0x000000000BBB7000-0x000000000BBBA000-memory.dmp

Filesize
12KB

Download
memory/4940-405-0x0000000009F35000-0x0000000009F36000-memory.dmp

Filesize
4KB

Download
memory/4940-410-0x000000000BBB4000-0x000000000BBB7000-memory.dmp

Filesize
12KB

Download
memory/4940-409-0x000000000BBB0000-0x000000000BBB4000-memory.dmp

Filesize
16KB

Download