7a4e2dff7aee5b415be14e733547e34d9f8b9357433e821b171791a4e213937d

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a4e2dff7aee5b415be14e733547e34d9f8b9357433e821b171791a4e213937d.exe
Size

437KB
MD5

d305c00acc4cd962dfd2ab69c3d9fbda
SHA1

adf57e2f7555badf5467c127e138de49a58cfb2b
SHA256

7a4e2dff7aee5b415be14e733547e34d9f8b9357433e821b171791a4e213937d
SHA512

a8eb88507e124fa66fa1cb420e69c86b45f584f8f55281d25d9daf3b33017e06effcf5ea17421b6990d48107617cc0cd2dc3eda6786128b5f68efe808d6ecc01
SSDEEP

6144:FCOoWSuTpRMgDtvAP+2PqdAdeF54hFNE9cZQ5XR7nyHOshfXR7nyHOsh:FyuTpRJvAP7ydAdeohxQ5ByusdByus

Score

8^/10

microsoft evasion persistence phishing

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

WORM.EXE.EXEZXZ.EXEsvchost.exe

pid process

4956 WORM.EXE.EXE
5012 ZXZ.EXE
3644 svchost.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

3004 netsh.exe

pid	process
4956	WORM.EXE.EXE
5012	ZXZ.EXE
3644	svchost.exe

pid	process
3004	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7a4e2dff7aee5b415be14e733547e34d9f8b9357433e821b171791a4e213937d.exeZXZ.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	7a4e2dff7aee5b415be14e733547e34d9f8b9357433e821b171791a4e213937d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	ZXZ.EXE

Drops startup file 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ba4c12bee3027d94da5c81db2d196bfd.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ba4c12bee3027d94da5c81db2d196bfd.exe	svchost.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exemsedge.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ba4c12bee3027d94da5c81db2d196bfd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ba4c12bee3027d94da5c81db2d196bfd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Detected potential entity reuse from brand microsoft.
phishing microsoft

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\6daa3bb0-01c5-494b-b67e-30611e771210.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221201170728.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

svchost.exemsedge.exemsedge.exemsedge.exeidentity_helper.exe

pid	process
3644	svchost.exe
3644	svchost.exe
3644	svchost.exe
3644	svchost.exe
3644	svchost.exe
3644	svchost.exe
3644	svchost.exe
3644	svchost.exe
3644	svchost.exe
3644	svchost.exe
3644	svchost.exe
3644	svchost.exe
3644	svchost.exe
3644	svchost.exe
3644	svchost.exe
3644	svchost.exe
3644	svchost.exe
3644	svchost.exe
3644	svchost.exe
3644	svchost.exe
3644	svchost.exe
3644	svchost.exe
3644	svchost.exe
3644	svchost.exe
3644	svchost.exe
3164	msedge.exe
3164	msedge.exe
3272	msedge.exe
3272	msedge.exe
4368	msedge.exe
4368	msedge.exe
1336	identity_helper.exe
1336	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

4368 msedge.exe
4368 msedge.exe
4368 msedge.exe
4368 msedge.exe
4368 msedge.exe
4368 msedge.exe
4368 msedge.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeDebugPrivilege 3644 svchost.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msedge.exe

pid process

4368 msedge.exe
4368 msedge.exe

pid	process
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe

description	pid	process
Token: SeDebugPrivilege	3644	svchost.exe

pid	process
4368	msedge.exe
4368	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7a4e2dff7aee5b415be14e733547e34d9f8b9357433e821b171791a4e213937d.exeZXZ.EXEsvchost.exeWORM.EXE.EXEmsedge.exemsedge.exe

description	pid	process	target process
PID 4284 wrote to memory of 4956	4284	7a4e2dff7aee5b415be14e733547e34d9f8b9357433e821b171791a4e213937d.exe	WORM.EXE.EXE
PID 4284 wrote to memory of 4956	4284	7a4e2dff7aee5b415be14e733547e34d9f8b9357433e821b171791a4e213937d.exe	WORM.EXE.EXE
PID 4284 wrote to memory of 4956	4284	7a4e2dff7aee5b415be14e733547e34d9f8b9357433e821b171791a4e213937d.exe	WORM.EXE.EXE
PID 4284 wrote to memory of 5012	4284	7a4e2dff7aee5b415be14e733547e34d9f8b9357433e821b171791a4e213937d.exe	ZXZ.EXE
PID 4284 wrote to memory of 5012	4284	7a4e2dff7aee5b415be14e733547e34d9f8b9357433e821b171791a4e213937d.exe	ZXZ.EXE
PID 4284 wrote to memory of 5012	4284	7a4e2dff7aee5b415be14e733547e34d9f8b9357433e821b171791a4e213937d.exe	ZXZ.EXE
PID 5012 wrote to memory of 3644	5012	ZXZ.EXE	svchost.exe
PID 5012 wrote to memory of 3644	5012	ZXZ.EXE	svchost.exe
PID 5012 wrote to memory of 3644	5012	ZXZ.EXE	svchost.exe
PID 3644 wrote to memory of 3004	3644	svchost.exe	netsh.exe
PID 3644 wrote to memory of 3004	3644	svchost.exe	netsh.exe
PID 3644 wrote to memory of 3004	3644	svchost.exe	netsh.exe
PID 4956 wrote to memory of 920	4956	WORM.EXE.EXE	msedge.exe
PID 4956 wrote to memory of 920	4956	WORM.EXE.EXE	msedge.exe
PID 4956 wrote to memory of 4368	4956	WORM.EXE.EXE	msedge.exe
PID 4956 wrote to memory of 4368	4956	WORM.EXE.EXE	msedge.exe
PID 4368 wrote to memory of 4776	4368	msedge.exe	msedge.exe
PID 4368 wrote to memory of 4776	4368	msedge.exe	msedge.exe
PID 920 wrote to memory of 3140	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 3140	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4300	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4300	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4300	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4300	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4300	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4300	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4300	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4300	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4300	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4300	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4300	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4300	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4300	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4300	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4300	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4300	920	msedge.exe	msedge.exe
PID 4368 wrote to memory of 1852	4368	msedge.exe	msedge.exe
PID 920 wrote to memory of 4300	920	msedge.exe	msedge.exe
PID 4368 wrote to memory of 1852	4368	msedge.exe	msedge.exe
PID 920 wrote to memory of 4300	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4300	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4300	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4300	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4300	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4300	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4300	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4300	920	msedge.exe	msedge.exe
PID 4368 wrote to memory of 1852	4368	msedge.exe	msedge.exe
PID 920 wrote to memory of 4300	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4300	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4300	920	msedge.exe	msedge.exe
PID 4368 wrote to memory of 1852	4368	msedge.exe	msedge.exe
PID 920 wrote to memory of 4300	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4300	920	msedge.exe	msedge.exe
PID 4368 wrote to memory of 1852	4368	msedge.exe	msedge.exe
PID 920 wrote to memory of 4300	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4300	920	msedge.exe	msedge.exe
PID 4368 wrote to memory of 1852	4368	msedge.exe	msedge.exe
PID 4368 wrote to memory of 1852	4368	msedge.exe	msedge.exe
PID 4368 wrote to memory of 1852	4368	msedge.exe	msedge.exe
PID 4368 wrote to memory of 1852	4368	msedge.exe	msedge.exe
PID 4368 wrote to memory of 1852	4368	msedge.exe	msedge.exe
PID 4368 wrote to memory of 1852	4368	msedge.exe	msedge.exe
PID 4368 wrote to memory of 1852	4368	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\7a4e2dff7aee5b415be14e733547e34d9f8b9357433e821b171791a4e213937d.exe
"C:\Users\Admin\AppData\Local\Temp\7a4e2dff7aee5b415be14e733547e34d9f8b9357433e821b171791a4e213937d.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4284

C:\Users\Admin\AppData\Local\Temp\WORM.EXE.EXE
"C:\Users\Admin\AppData\Local\Temp\WORM.EXE.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=WORM.EXE.EXE&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
3⤵
- Suspicious use of WriteProcessMemory
PID:920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd8,0x104,0x7ff87f6646f8,0x7ff87f664708,0x7ff87f664718
4⤵
PID:3140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,5062575004467259363,7111997554354215495,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
4⤵
PID:4300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,5062575004467259363,7111997554354215495,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2464 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=WORM.EXE.EXE&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
3⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff87f6646f8,0x7ff87f664708,0x7ff87f664718
4⤵
PID:4776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,562312310587285693,11945947792598148534,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
4⤵
PID:1852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,562312310587285693,11945947792598148534,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2808 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,562312310587285693,11945947792598148534,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3008 /prefetch:8
4⤵
PID:4348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,562312310587285693,11945947792598148534,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:1
4⤵
PID:4192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,562312310587285693,11945947792598148534,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3672 /prefetch:1
4⤵
PID:4960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,562312310587285693,11945947792598148534,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4260 /prefetch:1
4⤵
PID:688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2140,562312310587285693,11945947792598148534,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5224 /prefetch:8
4⤵
PID:1804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,562312310587285693,11945947792598148534,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
4⤵
PID:4340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,562312310587285693,11945947792598148534,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
4⤵
PID:4780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2140,562312310587285693,11945947792598148534,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5920 /prefetch:8
4⤵
PID:4592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,562312310587285693,11945947792598148534,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
4⤵
PID:3784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,562312310587285693,11945947792598148534,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
4⤵
PID:3508

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,562312310587285693,11945947792598148534,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5928 /prefetch:8
4⤵
PID:2996

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
4⤵
- Drops file in Program Files directory
PID:716

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1c4,0x22c,0x7ff747bf5460,0x7ff747bf5470,0x7ff747bf5480
5⤵
PID:4140

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,562312310587285693,11945947792598148534,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5928 /prefetch:8
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2140,562312310587285693,11945947792598148534,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3524 /prefetch:8
4⤵
PID:716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2140,562312310587285693,11945947792598148534,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2540 /prefetch:8
4⤵
PID:4456

C:\Users\Admin\AppData\Local\Temp\ZXZ.EXE
"C:\Users\Admin\AppData\Local\Temp\ZXZ.EXE"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5012

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3644

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:3004

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5068

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177
Filesize
471B

MD5
d1287b882680d426851631f5cc6f98d8

SHA1
6182ed7f6b85ad3fdf2de7d50f78802aea537753

SHA256
4afcd48438f2bc14b1f22635e5ad8f9b5519de90fb04af02ad6ab017a505a4f0

SHA512
12817b72604ae58c4a33f4eb43c00554938a25df605c674f9d53c50d1d386555b6324906b99ec6a46a086853ee9c10acfefd85722dedb732f5e31ac6e93c797a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
Filesize
471B

MD5
3121a89c589b43806469c733a1d6fbb1

SHA1
af970955ec34de61958a2b1e0bf271d440b514d1

SHA256
c57070af2586a5fa446a93cde9c596e9cea16c136c803b4eb920d70da56b5e45

SHA512
b02b94cc6438ccab4267eca60f66a63da970761c74f04e46541d5eb84c9f98fcff54aa8448b8d6862a588f58fcecc904104aef9b6c7fee050ab87383ad688c6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177
Filesize
412B

MD5
04b7b77baecddeee900195955309667d

SHA1
cbe1ad5b213b57a33baf39991c047df400110f0c

SHA256
b761b073cdec59bd75ee7b4296694ed3aff509040e849188e4a341a392bf121d

SHA512
60b807361baf2037fb80c1514f7f72b93eaac8c6dd475ec8bbfb83edbc3eaedc1481b43d320d10e76b74f91c2567ede79c6e325b1746b96a6ef3cae3c251c7d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
Filesize
446B

MD5
99a9999cdae3926cabdb82d6f1e512b5

SHA1
b5ce6854db5b45239a3b74c220cba393bc1775e5

SHA256
a71c8b61ea311ebc75ae69f0411c93c9c11f3b1d159912c9c2c3f2b298d9e2e9

SHA512
fbf64f259d7aa120e420ca8b434a1f889824327d4b71f6761590bf425c89e0d3cea4cffc155847721ae32bf138fb272e6978985a3cc963d3e29ba43f61bc546e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
Filesize
446B

MD5
99a9999cdae3926cabdb82d6f1e512b5

SHA1
b5ce6854db5b45239a3b74c220cba393bc1775e5

SHA256
a71c8b61ea311ebc75ae69f0411c93c9c11f3b1d159912c9c2c3f2b298d9e2e9

SHA512
fbf64f259d7aa120e420ca8b434a1f889824327d4b71f6761590bf425c89e0d3cea4cffc155847721ae32bf138fb272e6978985a3cc963d3e29ba43f61bc546e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
Filesize
446B

MD5
99a9999cdae3926cabdb82d6f1e512b5

SHA1
b5ce6854db5b45239a3b74c220cba393bc1775e5

SHA256
a71c8b61ea311ebc75ae69f0411c93c9c11f3b1d159912c9c2c3f2b298d9e2e9

SHA512
fbf64f259d7aa120e420ca8b434a1f889824327d4b71f6761590bf425c89e0d3cea4cffc155847721ae32bf138fb272e6978985a3cc963d3e29ba43f61bc546e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
e1661723f09a6aed8290c3f836ef2c2b

SHA1
55e08c810da94c08c5ee54ace181d4347f4e2ae5

SHA256
a6527662d502234a1a9847973eb8e39e817aa145c43514229ba720150f74a2f2

SHA512
dcd1e6320510594dd86568608d905ad5aacd4fa2b3369ac4daa1b938f7f0597da64747875a3567e5c05e5de34f77d87f5effdfda8091d01354699711f4bc12ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
e1661723f09a6aed8290c3f836ef2c2b

SHA1
55e08c810da94c08c5ee54ace181d4347f4e2ae5

SHA256
a6527662d502234a1a9847973eb8e39e817aa145c43514229ba720150f74a2f2

SHA512
dcd1e6320510594dd86568608d905ad5aacd4fa2b3369ac4daa1b938f7f0597da64747875a3567e5c05e5de34f77d87f5effdfda8091d01354699711f4bc12ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
e1661723f09a6aed8290c3f836ef2c2b

SHA1
55e08c810da94c08c5ee54ace181d4347f4e2ae5

SHA256
a6527662d502234a1a9847973eb8e39e817aa145c43514229ba720150f74a2f2

SHA512
dcd1e6320510594dd86568608d905ad5aacd4fa2b3369ac4daa1b938f7f0597da64747875a3567e5c05e5de34f77d87f5effdfda8091d01354699711f4bc12ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7b3f352bbc8046d1d5d84c5bb693e2e5

SHA1
e9d1ec6341b7959453e7cfb1ec65a55bf415cd4c

SHA256
471da5f4a494fb6adb027e3fd80765a6c27a3967208aad8fb55e38a3f7fca7da

SHA512
c984248535cb94fc265e93b9001d5936697dd2ff3ef8dfedd014df64b5f76e031eea1a594db3085e0149794ad90802a45c6cd985035ba383d1bf80ed928ff809

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7b3f352bbc8046d1d5d84c5bb693e2e5

SHA1
e9d1ec6341b7959453e7cfb1ec65a55bf415cd4c

SHA256
471da5f4a494fb6adb027e3fd80765a6c27a3967208aad8fb55e38a3f7fca7da

SHA512
c984248535cb94fc265e93b9001d5936697dd2ff3ef8dfedd014df64b5f76e031eea1a594db3085e0149794ad90802a45c6cd985035ba383d1bf80ed928ff809

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7b3f352bbc8046d1d5d84c5bb693e2e5

SHA1
e9d1ec6341b7959453e7cfb1ec65a55bf415cd4c

SHA256
471da5f4a494fb6adb027e3fd80765a6c27a3967208aad8fb55e38a3f7fca7da

SHA512
c984248535cb94fc265e93b9001d5936697dd2ff3ef8dfedd014df64b5f76e031eea1a594db3085e0149794ad90802a45c6cd985035ba383d1bf80ed928ff809

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\old_GPUCache_000\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
632aacef3e454ec69047d88130c397d9

SHA1
186722cad4d7d2beaf7f4e1a0a82cdcdd1833dfc

SHA256
df54d327d38b86b8b614f97d0941c66f16ff89633c14845a8f2deb38966562b7

SHA512
708639b5ee7f0cf4ec2a1709dc93e9d90891e9c00a4ff291e31ef0a680f5cfa8c44158c2f27bf6a75d2043fc9a31037bcecb23428f1d6dc573f4f89a9d6252d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings
Filesize
81B

MD5
f222079e71469c4d129b335b7c91355e

SHA1
0056c3003874efef229a5875742559c8c59887dc

SHA256
e713c1b13a849d759ebaa6256773f4f1d6dfc0c6a4247edaa726e0206ecacb00

SHA512
e5a49275e056b6628709cf6509a5f33f8d1d1e93125eaa6ec1c7f51be589fd3d8ea7a59b9639db586d76a994ad3dc452c7826e4ac0c8c689dd67ff90e33f0b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1
Filesize
126KB

MD5
6698422bea0359f6d385a4d059c47301

SHA1
b1107d1f8cc1ef600531ed87cea1c41b7be474f6

SHA256
2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1

SHA512
d0cdb3fa21e03f950dbe732832e0939a4c57edc3b82adb7a556ebd3a81d219431a440357654dfea94d415ba00fd7dcbd76f49287d85978d12c224cbfa8c1ad8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris
Filesize
40B

MD5
7db6359a730fea73adafe1ebb3bf88a0

SHA1
60a80dad1d551bfca99e6445484690bbea4cb471

SHA256
d3c9f4f810cfc4fce7990b68bae524320bf9600b017ce84fb2673e0b53dbd1af

SHA512
7d5b9beee44cfd2e2039ab0e863885963600d7c0ed22c7cdd24054f02e85f1dd5898766c53b462df344cb2982a41c0a2c14ab9fd120f8036e95902f256cb0830

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris_638055039137925133
Filesize
3KB

MD5
5125353cf2c40e6c689b2607ba5f0331

SHA1
8d6fa6678ac8698a1025d20a9d23e45637dba661

SHA256
66ffcb91ed367b5a5ad5cc580060de181bff23d4373ac2ea8d9439452abe9d6c

SHA512
2b947584c5e4c96d88a03b4e67443e95128975f333c840a8cbce75f56bdc710ba4d5f69bd9bec0ec55bd17891456c1c4b4986736c457e2d7dcafb9f2b678c8ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic
Filesize
29B

MD5
52e2839549e67ce774547c9f07740500

SHA1
b172e16d7756483df0ca0a8d4f7640dd5d557201

SHA256
f81b7b9ce24f5a2b94182e817037b5f1089dc764bc7e55a9b0a6227a7e121f32

SHA512
d80e7351e4d83463255c002d3fdce7e5274177c24c4c728d7b7932d0be3ebcfeb68e1e65697ed5e162e1b423bb8cdfa0864981c4b466d6ad8b5e724d84b4203b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic_638004170464094982
Filesize
450KB

MD5
e9c502db957cdb977e7f5745b34c32e6

SHA1
dbd72b0d3f46fa35a9fe2527c25271aec08e3933

SHA256
5a6b49358772db0b5c682575f02e8630083568542b984d6d00727740506569d4

SHA512
b846e682427cf144a440619258f5aa5c94caee7612127a60e4bd3c712f8ff614da232d9a488e27fc2b0d53fd6acf05409958aea3b21ea2c1127821bd8e87a5ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\WORM.EXE.EXE
Filesize
224KB

MD5
c32a647e5267d256d848afeef2fec541

SHA1
7804edc0904f221bc775245956132044a45ae3f4

SHA256
f233c11d12b0636c53fee2c068af95d4a20a184e560820a226bfc803bde740e3

SHA512
24dacb9a901cbaa13395669ae1cb572fd31abca07287c74094fd4f5e37144bfa7ec6abd79b758b13910b7b5583832f3b92a37dbdf34e32e09df60a521ff40362

Download Submit
C:\Users\Admin\AppData\Local\Temp\WORM.EXE.EXE
Filesize
224KB

MD5
c32a647e5267d256d848afeef2fec541

SHA1
7804edc0904f221bc775245956132044a45ae3f4

SHA256
f233c11d12b0636c53fee2c068af95d4a20a184e560820a226bfc803bde740e3

SHA512
24dacb9a901cbaa13395669ae1cb572fd31abca07287c74094fd4f5e37144bfa7ec6abd79b758b13910b7b5583832f3b92a37dbdf34e32e09df60a521ff40362

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZXZ.EXE
Filesize
129KB

MD5
6d016b4211d51618831cff6d5a142783

SHA1
b98898da9e032320a3e38541d5f54de6bd34cbfa

SHA256
607efe27b04897f879dd7646b9acb30434b3550abba5da5ea1ce0393c15c1e8b

SHA512
c3be048092df8f6f6872673adc8422ade38d58df2d01fb2447bf3b5cc6eb1d7d2539d3cf24a7140b01b06d9bb550e866e8542b5bfd662462a7e952a5a876f639

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZXZ.EXE
Filesize
129KB

MD5
6d016b4211d51618831cff6d5a142783

SHA1
b98898da9e032320a3e38541d5f54de6bd34cbfa

SHA256
607efe27b04897f879dd7646b9acb30434b3550abba5da5ea1ce0393c15c1e8b

SHA512
c3be048092df8f6f6872673adc8422ade38d58df2d01fb2447bf3b5cc6eb1d7d2539d3cf24a7140b01b06d9bb550e866e8542b5bfd662462a7e952a5a876f639

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
129KB

MD5
6d016b4211d51618831cff6d5a142783

SHA1
b98898da9e032320a3e38541d5f54de6bd34cbfa

SHA256
607efe27b04897f879dd7646b9acb30434b3550abba5da5ea1ce0393c15c1e8b

SHA512
c3be048092df8f6f6872673adc8422ade38d58df2d01fb2447bf3b5cc6eb1d7d2539d3cf24a7140b01b06d9bb550e866e8542b5bfd662462a7e952a5a876f639

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
129KB

MD5
6d016b4211d51618831cff6d5a142783

SHA1
b98898da9e032320a3e38541d5f54de6bd34cbfa

SHA256
607efe27b04897f879dd7646b9acb30434b3550abba5da5ea1ce0393c15c1e8b

SHA512
c3be048092df8f6f6872673adc8422ade38d58df2d01fb2447bf3b5cc6eb1d7d2539d3cf24a7140b01b06d9bb550e866e8542b5bfd662462a7e952a5a876f639

Download Submit
\??\pipe\LOCAL\crashpad_4368_IMFXNSEHEXOXQEHD
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_920_XKZEISJSSEXEULYR
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/688-187-0x0000000000000000-mapping.dmp

Download
memory/716-205-0x0000000000000000-mapping.dmp

Download
memory/716-201-0x0000000000000000-mapping.dmp

Download
memory/920-147-0x0000000000000000-mapping.dmp

Download
memory/1336-203-0x0000000000000000-mapping.dmp

Download
memory/1804-189-0x0000000000000000-mapping.dmp

Download
memory/1852-157-0x0000000000000000-mapping.dmp

Download
memory/3004-144-0x0000000000000000-mapping.dmp

Download
memory/3140-151-0x0000000000000000-mapping.dmp

Download
memory/3164-162-0x0000000000000000-mapping.dmp

Download
memory/3272-164-0x0000000000000000-mapping.dmp

Download
memory/3508-199-0x0000000000000000-mapping.dmp

Download
memory/3644-146-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download
memory/3644-145-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download
memory/3644-140-0x0000000000000000-mapping.dmp

Download
memory/3784-197-0x0000000000000000-mapping.dmp

Download
memory/4140-202-0x0000000000000000-mapping.dmp

Download
memory/4192-183-0x0000000000000000-mapping.dmp

Download
memory/4300-158-0x0000000000000000-mapping.dmp

Download
memory/4340-191-0x0000000000000000-mapping.dmp

Download
memory/4348-179-0x0000000000000000-mapping.dmp

Download
memory/4368-148-0x0000000000000000-mapping.dmp

Download
memory/4456-207-0x0000000000000000-mapping.dmp

Download
memory/4592-195-0x0000000000000000-mapping.dmp

Download
memory/4776-150-0x0000000000000000-mapping.dmp

Download
memory/4780-193-0x0000000000000000-mapping.dmp

Download
memory/4956-132-0x0000000000000000-mapping.dmp

Download
memory/4956-138-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4956-149-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4960-185-0x0000000000000000-mapping.dmp

Download
memory/5012-135-0x0000000000000000-mapping.dmp

Download
memory/5012-139-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download
memory/5012-143-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download