Analysis

max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-02-2023 22:26

Static task: static1
Behavioral task: behavioral1, sample 0eae001edceff3bc23cadaae071dfc32.exe, resource win7-20220812-en
Behavioral task: behavioral2, sample 0eae001edceff3bc23cadaae071dfc32.exe, resource win10v2004-20220812-en
(The signatures, memory dumps and process tree below are from behavioral2, the Windows 10 run: every memory reference on this page is prefixed behavioral2/.)
General

Target: 0eae001edceff3bc23cadaae071dfc32.exe
Size: 206KB
MD5: 0eae001edceff3bc23cadaae071dfc32
SHA1: 5d387a67ba534fd143eaea2730ad0a15e020e7e4
SHA256: 41b4cc711899e88e5a7ddc2977d9f817f230e4186841a0d26bd66f26281562b6
SHA512: d6ffbacae4a9c0e0d448bad7686e7418e4e19cc77eaff39c55a02b3f7d3ce264f290dd55231281439e98e935b7f08a20ad10686a52a210c094c791f92811ee7f
SSDEEP: 6144:i7ziNNyACm+SVpiHIu8v/1Z94630C8Ot1:+zD1m+SPiH58vdZ9J3Pt
Malware Config

Signatures

DcRat
DarkCrystal (DC) is a .NET RAT, active since June 2019, capable of loading additional plugins.
  behavioral2/memory/5264-275-0x0000000000400000-0x000000000052A000-memory.dmp  rule: dcrat
  (PID 5264 is the second instance of 8522.exe, the one 8522.exe PID 4556 hollows via SetThreadContext below; the RAT is only visible in that hollowed process's memory, not in the dropped file.)

Detects Smokeloader packer  [1 IoC]
  behavioral2/memory/3516-136-0x00000000007C0000-0x00000000007C9000-memory.dmp  rule: family_smokeloader
  (PID 3516 is the submitted sample, 0eae001edceff3bc23cadaae071dfc32.exe.)

SmokeLoader
Modular backdoor trojan in use since 2014.
Identifies VirtualBox via ACPI registry values (likely anti-VM)  [2 TTPs, 1 IoC]
  443E.exe  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
  (VBOX__ is the OEM ID VirtualBox writes into its ACPI tables; the key only exists on a VirtualBox guest, so a successful open is a VM detection.)
Downloads MZ/PE file
Checks BIOS information in registry  [2 TTPs, 2 IoCs]
BIOS information is often read in order to detect sandboxing environments.
  443E.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  443E.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Checks computer location settings  [2 TTPs, 1 IoC]
Looks up the country code configured in the registry, most likely to geofence execution.
  8522.exe  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
Executes dropped EXE  [7 IoCs]
  PID 1488  223D.exe
  PID 4916  443E.exe
  PID 4764  51FA.exe
  PID 4644  7D22.exe
  PID 4556  8522.exe
  PID 3180  8A05.exe
  PID 5264  8522.exe
Obfuscated with Agile.Net obfuscator  [1 IoC]
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  behavioral2/memory/4916-191-0x0000000000A20000-0x0000000001254000-memory.dmp  rule: agile_net

Themida packer  [3 IoCs]
  C:\Users\Admin\AppData\Local\Temp\443E.exe  rule: themida
  C:\Users\Admin\AppData\Local\Temp\443E.exe  rule: themida
  behavioral2/memory/4916-191-0x0000000000A20000-0x0000000001254000-memory.dmp  rule: themida
  (The on-disk 443E.exe matches the Themida rule and the same in-memory region of PID 4916 matches both Themida and Agile.Net, consistent with a Themida-protected .NET executable whose assembly was obfuscated with Agile.Net.)
Uses the VBS compiler for execution  [1 TTP]
  (vbc.exe is the Visual Basic .NET compiler shipped with the .NET Framework; here it is not compiling anything but is the child that 51FA.exe hollows, see SetThreadContext below.)
Adds Run key to start application  [2 TTPs, 1 IoC]
  msedge.exe  Key created  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run
  (Caveat: the only process touching the Run key is msedge.exe, which the .NET startup shim launched after 443E.exe failed to find its runtime (see the SHIM_NOVERSION_FOUND URL in the process tree), and no value is recorded as being written. None of the dropped binaries is recorded creating a Run entry.)

Checks whether UAC is enabled  [1 IoC]
  443E.exe  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Legitimate hosting services abused for malware hosting/C2  [1 TTP]
  (The Network section of this page is empty, so the hosting service is not identifiable from this extract.)
Suspicious use of SetThreadContext  [2 IoCs]
  PID 4764 (51FA.exe)  set thread context of  PID 1160 (vbc.exe)
  PID 4556 (8522.exe)  set thread context of  PID 5264 (8522.exe)
  (Both pairs are the process-hollowing pattern: the dropper starts a child, overwrites the child's memory and then redirects its main thread with SetThreadContext. 51FA.exe's writes into vbc.exe are recorded under WriteProcessMemory below; 8522.exe hollows a fresh copy of its own image, and the DcRat rule fires on that child's memory.)
Drops file in Program Files directory  [2 IoCs]
  setup.exe  File created                C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\460e99df-6d4f-4357-8f38-03ad8c169393.tmp
  setup.exe  File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230217232715.pma
  (setup.exe is the Edge installer run with --configure-user-settings in the process tree, a first-run side effect of the browser launch, not a malware drop.)
Enumerates physical storage devices  [1 TTP]
Attempts to interact with connected storage/optical drive(s). Triage labels this as likely ransomware behaviour, but nothing else in this report corroborates ransomware activity, so treat it here as a generic discovery indicator.
Program crash  [1 IoC]
  WerFault.exe (PID 4860)  reported a crash of  PID 4764 (51FA.exe)
Checks SCSI registry key(s)  [3 TTPs, 3 IoCs]
SCSI information is often read in order to detect sandboxing environments.
  0eae001edceff3bc23cadaae071dfc32.exe  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  0eae001edceff3bc23cadaae071dfc32.exe  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  0eae001edceff3bc23cadaae071dfc32.exe  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
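Each of the environment checks flagged above (the VirtualBox ACPI table, the BIOS version strings, the SCSI enumeration, the Geo\Nation lookup and the EnableLUA query) is a single registry read, which makes them cheap to hunt for in sandbox or EDR registry telemetry. The Python below is an added example, not part of this report or of the Triage sandbox: it classifies registry-access records against those exact key paths and flags any process that combines two or more distinct evasion categories. The event records are transcribed from the signature rows on this page plus one benign msedge.exe read as a negative control; the two-category threshold and the ATT&CK technique IDs attached to each rule are this example's own mapping, the report only gives TTP counts.

```python
"""Classify sandbox registry-access records as anti-VM, anti-sandbox, geofence
or UAC-probe reads.  Added example; the rule set mirrors the key paths this
report flags and the EVENTS list is transcribed from its signature rows."""
import re
from collections import defaultdict

# (label, pattern over the full registry path, ATT&CK technique).  The
# technique IDs are this example's own mapping, not taken from the report.
RULES = [
    ("VirtualBox ACPI table name (anti-VM)",
     re.compile(r"\\HARDWARE\\ACPI\\(?:DSDT|FADT|RSDT)\\VBOX__$", re.I), "T1497.001"),
    ("BIOS version strings (anti-sandbox)",
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(?:System|Video)BiosVersion$", re.I), "T1497.001"),
    ("SCSI device enumeration (anti-sandbox)",
     re.compile(r"\\SYSTEM\\ControlSet\d{3}\\Enum\\SCSI(?:\\|$)", re.I), "T1497.001"),
    ("Country code lookup (geofence)",
     re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I), "T1614"),
    ("UAC status probe (EnableLUA)",
     re.compile(r"\\Policies\\System\\EnableLUA$", re.I), "T1548.002"),
]

# Constructed from the report's signature rows: (process, operation, key).
# The last record is a benign Edge read of the BIOS manufacturer and must
# NOT match any rule.
EVENTS = [
    ("443E.exe", "Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    ("443E.exe", "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    ("443E.exe", "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    ("443E.exe", "Key value queried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
    ("8522.exe", "Key value queried", r"\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation"),
    ("0eae001edceff3bc23cadaae071dfc32.exe", "Key queried", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI"),
    ("0eae001edceff3bc23cadaae071dfc32.exe", "Key enumerated", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI"),
    ("0eae001edceff3bc23cadaae071dfc32.exe", "Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI"),
    ("msedge.exe", "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer"),
]


def classify(events):
    """Map each process to {rule label: [(operation, key, technique), ...]}.

    Only the first matching rule counts for an event; processes with no
    matching events are absent from the result.
    """
    hits = defaultdict(lambda: defaultdict(list))
    for process, operation, key in events:
        for label, pattern, technique in RULES:
            if pattern.search(key):
                hits[process][label].append((operation, key, technique))
                break
    return {process: dict(by_rule) for process, by_rule in hits.items()}


def flagged(hits, min_categories=2):
    """Processes combining at least `min_categories` distinct evasion categories.

    The threshold is this example's choice: a lone SCSI or Geo read is common
    in legitimate software, a VM probe plus a BIOS probe in one process is not.
    """
    return sorted(p for p, by_rule in hits.items() if len(by_rule) >= min_categories)


if __name__ == "__main__":
    result = classify(EVENTS)
    for process, by_rule in result.items():
        print(process)
        for label, rows in by_rule.items():
            print(f"  {label}: {len(rows)} read(s), {rows[0][2]}")
    print("flagged:", flagged(result))
```

Run as-is it reports 443E.exe as the only process that stacks several categories (ACPI, BIOS and UAC), while the sample's three SCSI reads and 8522.exe's single Geo\Nation read each stay in one category; lowering the threshold to 1 surfaces those too, which is the right setting when the telemetry comes from a detonation rather than from a production fleet.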
Enumerates system info in registry  [2 TTPs, 3 IoCs]
  msedge.exe  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  msedge.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
  msedge.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName

Modifies Internet Explorer settings  [1 IoC]
  7D22.exe  Set value (int)  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityModeType = "844788910"
Modifies registry class  [4 IoCs]
  msedge.exe  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
  msedge.exe  Key created  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
  msedge.exe  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
  msedge.exe  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Suspicious behavior: EnumeratesProcesses  [64 IoCs]
  PID 3516  0eae001edceff3bc23cadaae071dfc32.exe  (2 entries)
  PID 2596  (no image name recorded)              (62 entries)

Suspicious behavior: GetForegroundWindowSpam  [1 IoC]
  PID 2596  (no image name recorded)

Suspicious behavior: MapViewOfSection  [37 IoCs]
  PID 3516  0eae001edceff3bc23cadaae071dfc32.exe  (1 entry)
  PID 2596  (no image name recorded)              (18 entries)
  PID 2304  explorer.exe                          (18 entries)
  (PID 2596 never gets an image name anywhere in this report. It first appears right after the sample's own MapViewOfSection entry and is then the source of the WriteProcessMemory calls into the first three dropped executables below, so it is the process that actually runs the loader stage; the explorer.exe instances listed without PIDs at the bottom of the process tree are the only candidates the page offers for it.)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary  [7 IoCs]
  PID 2320  msedge.exe  (7 entries)

Suspicious use of AdjustPrivilegeToken  [60 IoCs]
  PID 2596  (no image name recorded)  SeShutdownPrivilege / SeCreatePagefilePrivilege, alternating  (56 entries)
  PID 1160  vbc.exe         SeDebugPrivilege
  PID 4816  powershell.exe  SeDebugPrivilege
  PID 4556  8522.exe        SeDebugPrivilege
  PID 5264  8522.exe        SeDebugPrivilege
  (SeDebugPrivilege on vbc.exe and on both 8522.exe instances is what the injected payloads need to open other processes; the shutdown/pagefile pair on 2596 is the shell-style noise of a long-lived host process.)

Suspicious use of FindShellTrayWindow  [8 IoCs]
  PID 2320  msedge.exe                 (3 entries)
  PID 2596  (no image name recorded)   (5 entries)

Suspicious use of SetWindowsHookEx  [2 IoCs]
  PID 4644  7D22.exe  (2 entries)

Suspicious use of WriteProcessMemory  [64 IoCs; the list stops at 64 entries, the same cap as EnumeratesProcesses, so writes after the 64th are not shown]
  source PID  source image  ->  target PID  target image   entries
  2596        (unnamed)     ->  1488        223D.exe       2
  2596        (unnamed)     ->  4916        443E.exe       3
  2596        (unnamed)     ->  4764        51FA.exe       3
  4916        443E.exe      ->  2320        msedge.exe     2
  2320        msedge.exe    ->  1076        msedge.exe     2
  4764        51FA.exe      ->  1160        vbc.exe        5
  2320        msedge.exe    ->  4108        msedge.exe     40
  2320        msedge.exe    ->  2652        msedge.exe     2
  2320        msedge.exe    ->  4740        msedge.exe     5
  (The msedge.exe -> msedge.exe rows are Chromium's normal parent-to-child handle and shared-memory setup. The rows that matter are 2596 writing into each dropped executable as it is launched, and 51FA.exe writing into vbc.exe before redirecting its thread.)
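SetThreadContext on a freshly created child, combined with WriteProcessMemory into that child, is the process-hollowing pattern behind both 51FA.exe -> vbc.exe and 8522.exe -> 8522.exe above. The Python below is an added example, not code from this report or from Triage: it correlates the two signature tables (transcribed from the rows above, with the WriteProcessMemory rows collapsed to per-pair counts) and scores each SetThreadContext pair, tolerating the case where the write rows were lost to the 64-entry cap. The list of commonly abused signed .NET host binaries and the scoring are this example's own assumptions.

```python
"""Correlate SetThreadContext and WriteProcessMemory sandbox records into
process-hollowing candidates.  Added example; the data below is transcribed
from this report's signature rows."""
from collections import Counter

# (source_pid, source_image, target_pid, target_image)
SET_THREAD_CONTEXT = [
    (4764, "51FA.exe", 1160, "vbc.exe"),
    (4556, "8522.exe", 5264, "8522.exe"),
]

# (source_pid, target_pid) -> number of 'wrote to memory' rows in the report.
# The report shows exactly 64 rows, so pairs whose writes came later (such
# as 4556 -> 5264) are missing; the scoring must not depend on them.
WRITE_ROWS = Counter({
    (2596, 1488): 2, (2596, 4916): 3, (2596, 4764): 3,
    (4916, 2320): 2, (2320, 1076): 2, (4764, 1160): 5,
    (2320, 4108): 40, (2320, 2652): 2, (2320, 4740): 5,
})

# Signed Microsoft binaries that are popular hollowing hosts because they are
# trusted and ship with every .NET Framework install (this example's own list).
DOTNET_HOSTS = {"vbc.exe", "csc.exe", "regasm.exe", "regsvcs.exe",
                "msbuild.exe", "installutil.exe", "aspnet_compiler.exe"}


def score_pair(src_pid, src_img, dst_pid, dst_img, writes):
    """Describe one SetThreadContext pair and why it looks like hollowing."""
    n_writes = writes.get((src_pid, dst_pid), 0)
    self_hollow = src_img.lower() == dst_img.lower()
    trusted_host = dst_img.lower() in DOTNET_HOSTS
    reasons = []
    if n_writes:
        reasons.append(f"{n_writes} WriteProcessMemory row(s) from {src_pid} into {dst_pid}")
    if self_hollow:
        reasons.append("target is a new instance of the same image (self-hollowing)")
    if trusted_host:
        reasons.append(f"target {dst_img} is a signed .NET host commonly used for injection")
    return {
        "source_pid": src_pid, "source_image": src_img,
        "target_pid": dst_pid, "target_image": dst_img,
        "write_count": n_writes, "self_hollowing": self_hollow,
        "trusted_host": trusted_host, "reasons": reasons,
        # SetThreadContext on another process is already a strong signal;
        # any one supporting reason is enough to call it hollowing.
        "verdict": "hollowing" if reasons else "review",
    }


def hollowing_candidates(set_ctx=SET_THREAD_CONTEXT, writes=WRITE_ROWS):
    """Score every SetThreadContext pair in report order."""
    return [score_pair(*pair, writes) for pair in set_ctx]


def injector_targets(writes, source_pid):
    """Target PIDs a given source wrote into (here: what the unnamed PID 2596 touched)."""
    return sorted(t for (s, t) in writes if s == source_pid)


if __name__ == "__main__":
    for c in hollowing_candidates():
        print(f"{c['source_pid']} {c['source_image']} -> {c['target_pid']} {c['target_image']}: {c['verdict']}")
        for r in c["reasons"]:
            print("   ", r)
    print("PID 2596 wrote into:", injector_targets(WRITE_ROWS, 2596))
```

The 8522.exe pair has no recorded writes at all, yet it is still called hollowing because the child is a second copy of the parent's own image; in a capped report that structural clue is more reliable than the write count, which is exactly why the DcRat YARA hit lands on PID 5264 and not on the file on disk.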
Processes

C:\Users\Admin\AppData\Local\Temp\0eae001edceff3bc23cadaae071dfc32.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\0eae001edceff3bc23cadaae071dfc32.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\223D.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\223D.exe
  - Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\443E.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\443E.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=443E.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
      note: the fwlink query (o1=SHIM_NOVERSION_FOUND, processName=443E.exe, shimver=4.0.30319.0) is the .NET startup shim reporting that it could not find the runtime version 443E.exe was built for, and opening the default browser on the runtime download page. Everything under this node, including the Run key, CLSID and Program Files entries attributed to msedge.exe and setup.exe in the signatures, is ordinary browser first-run activity triggered by that failure, not attacker-directed behaviour; 443E.exe's managed payload did not run in this detonation.
      - Adds Run key to start application
      - Enumerates system info in registry
      - Modifies registry class
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x40,0xdc,0x100,0x9c,0x104,0x7ffb3dd946f8,0x7ffb3dd94708,0x7ffb3dd94718

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,5902078599561076440,4330434099488831451,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,5902078599561076440,4330434099488831451,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,5902078599561076440,4330434099488831451,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5902078599561076440,4330434099488831451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5902078599561076440,4330434099488831451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5902078599561076440,4330434099488831451,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2152,5902078599561076440,4330434099488831451,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5488 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5902078599561076440,4330434099488831451,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4480 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5902078599561076440,4330434099488831451,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3812 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2152,5902078599561076440,4330434099488831451,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4472 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5902078599561076440,4330434099488831451,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5902078599561076440,4330434099488831451,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,5902078599561076440,4330434099488831451,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6564 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
          - Drops file in Program Files directory

            C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7bdf15460,0x7ff7bdf15470,0x7ff7bdf15480

        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,5902078599561076440,4330434099488831451,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6564 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2152,5902078599561076440,4330434099488831451,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1116 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2152,5902078599561076440,4330434099488831451,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1820 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=443E.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xd8,0x100,0x104,0xe4,0x108,0x7ffb3dd946f8,0x7ffb3dd94708,0x7ffb3dd94718

C:\Users\Admin\AppData\Local\Temp\51FA.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\51FA.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      note: launched with no compiler arguments at all; this is the hollowed host for 51FA.exe's payload (PID 1160), which then acquires SeDebugPrivilege.
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 248
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4764 -ip 4764
  (Both WerFault instances report on PID 4764, i.e. 51FA.exe crashed after injecting into vbc.exe; the payload in vbc.exe kept running.)

C:\Windows\System32\CompPkgSrv.exe
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\7D22.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\7D22.exe
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx

C:\Users\Admin\AppData\Local\Temp\8522.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\8522.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
      note: the image path is under SysWOW64 although the command line says System32, because the 32-bit 8522.exe is subject to WOW64 file-system redirection. The -ENC argument is base64 over UTF-16LE and decodes to: start-sleep -seconds 20. A bare 20-second sleep in a child shell is a delay tactic, likely aimed at sandbox time limits, not a functional payload.
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\8522.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\8522.exe
      note: second instance of the same image (PID 5264), created and hollowed by the first; this is where the DcRat YARA rule matches.
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\8A05.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\8A05.exe
  - Executes dropped EXE

C:\Windows\SysWOW64\explorer.exe
  cmd: C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe
  cmd: C:\Windows\explorer.exe
  - Suspicious behavior: MapViewOfSection

C:\Windows\SysWOW64\explorer.exe
  cmd: C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe
  cmd: C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe
  cmd: C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe
  cmd: C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe
  cmd: C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe
  cmd: C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe
  cmd: C:\Windows\SysWOW64\explorer.exe
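The powershell.exe child of 8522.exe in the tree above carries its script as an -ENC argument, which is base64 over UTF-16LE rather than over ASCII, so a plain base64 decode shows interleaved NUL bytes and nothing readable. The Python below is an added example, not code from this report or from Triage: it pulls the encoded argument out of a raw command line (accepting the abbreviated -e / -ec / -enc forms that powershell.exe itself accepts), decodes it, and measures how long the script stalls in Start-Sleep, which is the whole content of this sample's script. The command line is the one from the process tree; the 10-second stall threshold and the encode_command helper used to build further test vectors are this example's own.

```python
"""Decode a PowerShell -EncodedCommand argument from a raw command line and
measure any Start-Sleep stalling it contains.  Added example, not from this
report; REPORT_CMDLINE is transcribed from the process tree."""
import base64
import re
import shlex

# Transcribed from the report's powershell.exe entry (child of 8522.exe).
REPORT_CMDLINE = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    "-ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA=="
)

B64_RE = re.compile(r"^[A-Za-z0-9+/]+=*$")
# Start-Sleep [-Seconds|-Milliseconds] <n>; PowerShell accepts parameter
# prefixes, so -s / -sec / -m / -ms are all covered by the \w* tails.
SLEEP_RE = re.compile(r"start-sleep\s+(?:-(s\w*|m\w*)\s+)?(\d+)", re.I)


def _is_encoded_flag(token):
    # powershell.exe matches its switches by prefix, so -e, -ec, -enc and
    # -EncodedCommand all select the same parameter; "-" alone never does.
    return len(token) > 1 and token[0] in "-/" and "encodedcommand".startswith(token[1:].lower())


def decode_encoded_command(cmdline):
    """Return the decoded script if cmdline carries an encoded command, else None."""
    tokens = shlex.split(cmdline, posix=False)   # posix=False keeps Windows backslashes
    for flag, value in zip(tokens, tokens[1:]):
        value = value.strip("\"'")
        if _is_encoded_flag(flag) and B64_RE.match(value):
            raw = base64.b64decode(value + "=" * (-len(value) % 4))  # tolerate stripped padding
            return raw.decode("utf-16-le").rstrip("\x00")
    return None


def encode_command(script):
    """Inverse of the decoder, handy for building test vectors and for
    checking that a decode really round-trips."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def sleep_seconds(script):
    """Total seconds the script spends in Start-Sleep calls."""
    total = 0.0
    for unit, amount in SLEEP_RE.findall(script):
        total += int(amount) / 1000 if unit.lower().startswith("m") else int(amount)
    return total


def triage(cmdline, stall_threshold=10):
    """Decode and judge: a script that does nothing but sleep past the
    threshold is classed as a sandbox stall (threshold is this example's choice)."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return {"encoded": False}
    secs = sleep_seconds(script)
    only_sleeps = SLEEP_RE.sub("", script).strip(" ;") == ""
    return {"encoded": True, "script": script, "sleep_seconds": secs,
            "stalling": only_sleeps and secs >= stall_threshold}


if __name__ == "__main__":
    print(triage(REPORT_CMDLINE))
```

On the report's command line this yields the script start-sleep -seconds 20 and a stalling verdict; a script that mixes sleeps with real work is decoded the same way but only has its sleep time summed, so the stall flag stays off and the analyst sees the full script instead.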
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\8522.exe.logFilesize
1KB
MD59e39b702ddcbdc603ad47b9d318dce62
SHA131709fbc20df043f4699fc3b288ce9bccd666b94
SHA256b91057818a6617ee8e0c725d144403d30226b04d8181fed08cf0e5d634ee6388
SHA512bab6b606b18f68e775d5a4fc2033adb1f228f66fe7103fe49a58dc7349227769df14d53b665615c7a9fb0cf2bbf679d5aa1ff2e97b0200d0a3603f8aebb9f533
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD57c671a6a3920cf5a5a7b5641546564b1
SHA1a32dc7eb5fbcabfd80bd3cc83feb61cb439f3049
SHA25688d8dd693b6f739068b9aff5c6cc8b036af8cd00f0f4df07fe339393045ec417
SHA51210f63235b9b1d7bc0935ad1fbfd1dcf3d3fb25adba141d951f4fb99f1d01c870de7ed34cfc447598295fc8f051050e949f4eb663a435d3315f953a5896ef7c2c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\CookiesFilesize
20KB
MD549693267e0adbcd119f9f5e02adf3a80
SHA13ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.icoFilesize
70KB
MD5e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web DataFilesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
C:\Users\Admin\AppData\Local\Temp\223D.exeFilesize
4KB
MD59748489855d9dd82ab09da5e3e55b19e
SHA16ed2bf6a1a53a59cd2137812cb43b5032817f6a1
SHA25605bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b
SHA5127eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be
-
C:\Users\Admin\AppData\Local\Temp\223D.exeFilesize
4KB
MD59748489855d9dd82ab09da5e3e55b19e
SHA16ed2bf6a1a53a59cd2137812cb43b5032817f6a1
SHA25605bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b
SHA5127eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be
-
C:\Users\Admin\AppData\Local\Temp\443E.exeFilesize
3.0MB
MD54df973fc60804e9bc6a8051582351ee5
SHA14ddc2e8ef17773fe4b7a29ea8634ff92861cd647
SHA256bd036b1298af5791d217f59dcedb65fd719f942f7da224bdf6cea433d45c34b1
SHA51286633629198870b36a5d9b28178140a4892f75581ac0f2bac77cb744bbdf0c7e2453656a31db4a4a9418d532212f3ed31a7061a0b84aa4bcc37da0f0d907048e
-
C:\Users\Admin\AppData\Local\Temp\443E.exeFilesize
3.0MB
MD54df973fc60804e9bc6a8051582351ee5
SHA14ddc2e8ef17773fe4b7a29ea8634ff92861cd647
SHA256bd036b1298af5791d217f59dcedb65fd719f942f7da224bdf6cea433d45c34b1
SHA51286633629198870b36a5d9b28178140a4892f75581ac0f2bac77cb744bbdf0c7e2453656a31db4a4a9418d532212f3ed31a7061a0b84aa4bcc37da0f0d907048e
-
C:\Users\Admin\AppData\Local\Temp\51FA.exeFilesize
1.1MB
MD5b5cd4deb250cbeda544d8622d7ed90bf
SHA1d8f784eba044a176e935cd6bc9a97d346a810c98
SHA2568f4b3502e38100486b960ef7d7aea1c43ba2ba38f5d31439b1ae9324c3f43621
SHA5121a828445c797a4af0279eb2d0ba2e973b2768da5eeec6ebc42c104a1bf689268798380b8da2496757d7ee0e61f10cadadc7369fb5cb535d13260d7721562f2ae
-
C:\Users\Admin\AppData\Local\Temp\51FA.exeFilesize
1.1MB
MD5b5cd4deb250cbeda544d8622d7ed90bf
SHA1d8f784eba044a176e935cd6bc9a97d346a810c98
SHA2568f4b3502e38100486b960ef7d7aea1c43ba2ba38f5d31439b1ae9324c3f43621
SHA5121a828445c797a4af0279eb2d0ba2e973b2768da5eeec6ebc42c104a1bf689268798380b8da2496757d7ee0e61f10cadadc7369fb5cb535d13260d7721562f2ae
-
C:\Users\Admin\AppData\Local\Temp\7D22.exeFilesize
6.4MB
MD53e9adb4d8dbec6eddee3065caf5911f6
SHA131c7111c8044afdf5c6ddb1e55244acfd06229d3
SHA256215426d36754e9d391ae8ccabb74de1489fb8c18a127fec02a5be4e45462a7a5
SHA512b62f413092028a3bdbc4ee7f6a085e881f51ed68c28d2950d1665cb4ecb1170f173a6003660b3c0d6629cc85f6f4b0e28dedd42c839ebbb29343b46a4f474ff9
-
C:\Users\Admin\AppData\Local\Temp\7D22.exeFilesize
6.4MB
MD53e9adb4d8dbec6eddee3065caf5911f6
SHA131c7111c8044afdf5c6ddb1e55244acfd06229d3
SHA256215426d36754e9d391ae8ccabb74de1489fb8c18a127fec02a5be4e45462a7a5
SHA512b62f413092028a3bdbc4ee7f6a085e881f51ed68c28d2950d1665cb4ecb1170f173a6003660b3c0d6629cc85f6f4b0e28dedd42c839ebbb29343b46a4f474ff9
-
C:\Users\Admin\AppData\Local\Temp\8522.exeFilesize
1.5MB
MD5c8c05c344c028625e22fbf3f9b00a9a7
SHA1ab3b124bb475a411307a7b699e0f6cd1ad549051
SHA2565be19294bec8749e2473edb88ced8d8d6844d79dc2d7181002f37d3b740fb747
SHA512c771810a128d77e978a034d69a1bd27309812e9f17c30d5bd407c43293500a60d09c386c98be16f20b582c5457c6b03ee6e1758cf661ecc81e03726a7192aeaf
-
C:\Users\Admin\AppData\Local\Temp\8A05.exe
Filesize
4KB
MD5
9748489855d9dd82ab09da5e3e55b19e
SHA1
6ed2bf6a1a53a59cd2137812cb43b5032817f6a1
SHA256
05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b
SHA512
7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be
-
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk
Filesize
2KB
MD5
b6320f82f954c7a77f059fdbc7454957
SHA1
134ad78bb4532f81da570544928ea8088a10cbbb
SHA256
f5a5e00a7e039ee6c4729cbbf40c7397fda007a401cc05d4716567d8fa09ed08
SHA512
cd5d47c4a0f17fcae0b9c7476fcdc5b9de61237582f7f285951ee04330829f2fbb833560e4c8410c10d01fc3f87cce6a61932a75ab0550fef9c95c31c245558a
-
\??\pipe\LOCAL\crashpad_2320_CUPBNLKTOUBYSYPU
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e