smokeloader | 3c2111e827e5cf00dd7984f708be0fcf0c0a39cad5eb041305822f516bc310f8

Analysis

max time kernel
153s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
17-02-2023 15:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c2111e827e5cf00dd7984f708be0fcf0c0a39cad5eb041305822f516bc310f8.exe
Size

185KB
MD5

e4603be20f92b7c48490d337b3ae9a11
SHA1

381a23e57277d6c31951f67b1e6244c22e4d6d76
SHA256

3c2111e827e5cf00dd7984f708be0fcf0c0a39cad5eb041305822f516bc310f8
SHA512

8009c40a2fc2f26f9a84a92cd9a73c0fe0eda9d81848dfe54f01031a15ae759278d2844bd81c52e26b40e42610d16913498e0538568900fd75adc213b35b062f
SSDEEP

3072:MOy5Yf2HyYkTkwlGYZZH80OibZH/9gqqGtzRMEuoPSZN2BIwacI8EjN5gD:aecIkwYccyZVgqqGKZNUi35g

Score

10^/10

smokeloader agilenet backdoor microsoft evasion persistence phishing themida trojan

Malware Config

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4268-133-0x00000000006F0000-0x00000000006F9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

7B2.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 7B2.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	7B2.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7B2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7B2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7B2.exe

Executes dropped EXE 5 IoCs

Processes:

F4D4.exe7B2.exeE79.exe1D10.exe23A9.exe

pid process

3668 F4D4.exe
4076 7B2.exe
3704 E79.exe
4140 1D10.exe
1184 23A9.exe

pid	process
3668	F4D4.exe
4076	7B2.exe
3704	E79.exe
4140	1D10.exe
1184	23A9.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/4076-259-0x0000000000290000-0x0000000000AC4000-memory.dmp	agile_net

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7B2.exe	themida
C:\Users\Admin\AppData\Local\Temp\7B2.exe	themida
behavioral1/memory/4076-259-0x0000000000290000-0x0000000000AC4000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

7B2.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 7B2.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Detected potential entity reuse from brand microsoft.
phishing microsoft

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7B2.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

E79.exe23A9.exe

description	pid	process	target process
PID 3704 set thread context of 2308	3704	E79.exe	AppLaunch.exe
PID 1184 set thread context of 4880	1184	23A9.exe	InstallUtil.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\382e2288-397d-46aa-b783-6f7584dd7356.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230217161222.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3c2111e827e5cf00dd7984f708be0fcf0c0a39cad5eb041305822f516bc310f8.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3c2111e827e5cf00dd7984f708be0fcf0c0a39cad5eb041305822f516bc310f8.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3c2111e827e5cf00dd7984f708be0fcf0c0a39cad5eb041305822f516bc310f8.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3c2111e827e5cf00dd7984f708be0fcf0c0a39cad5eb041305822f516bc310f8.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

1D10.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityModeType = "843439797"	1D10.exe

Modifies registry class 4 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3c2111e827e5cf00dd7984f708be0fcf0c0a39cad5eb041305822f516bc310f8.exe

pid	process
4268	3c2111e827e5cf00dd7984f708be0fcf0c0a39cad5eb041305822f516bc310f8.exe
4268	3c2111e827e5cf00dd7984f708be0fcf0c0a39cad5eb041305822f516bc310f8.exe
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

676

pid	process
676

Suspicious behavior: MapViewOfSection 43 IoCs

Processes:

3c2111e827e5cf00dd7984f708be0fcf0c0a39cad5eb041305822f516bc310f8.exeexplorer.exe

pid	process
4268	3c2111e827e5cf00dd7984f708be0fcf0c0a39cad5eb041305822f516bc310f8.exe
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
676
676
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

4716 msedge.exe
4716 msedge.exe
4716 msedge.exe
4716 msedge.exe
4716 msedge.exe
4716 msedge.exe
4716 msedge.exe

pid	process
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AppLaunch.exe

description	pid	process
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeDebugPrivilege	2308	AppLaunch.exe
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676

Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

msedge.exe

pid process

4716 msedge.exe
676
676
4716 msedge.exe
676
4716 msedge.exe
676
676
676
676
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

1D10.exe

pid process

4140 1D10.exe
4140 1D10.exe

pid	process
4716	msedge.exe
676
676
4716	msedge.exe
676
4716	msedge.exe
676
676
676
676

pid	process
4140	1D10.exe
4140	1D10.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

E79.exe23A9.exe7B2.exemsedge.exeexplorer.exe

description	pid	process	target process
PID 676 wrote to memory of 3668	676		F4D4.exe
PID 676 wrote to memory of 3668	676		F4D4.exe
PID 676 wrote to memory of 4076	676		7B2.exe
PID 676 wrote to memory of 4076	676		7B2.exe
PID 676 wrote to memory of 4076	676		7B2.exe
PID 676 wrote to memory of 3704	676		E79.exe
PID 676 wrote to memory of 3704	676		E79.exe
PID 676 wrote to memory of 3704	676		E79.exe
PID 3704 wrote to memory of 2308	3704	E79.exe	AppLaunch.exe
PID 3704 wrote to memory of 2308	3704	E79.exe	AppLaunch.exe
PID 3704 wrote to memory of 2308	3704	E79.exe	AppLaunch.exe
PID 3704 wrote to memory of 2308	3704	E79.exe	AppLaunch.exe
PID 3704 wrote to memory of 2308	3704	E79.exe	AppLaunch.exe
PID 676 wrote to memory of 4140	676		1D10.exe
PID 676 wrote to memory of 4140	676		1D10.exe
PID 676 wrote to memory of 1184	676		23A9.exe
PID 676 wrote to memory of 1184	676		23A9.exe
PID 676 wrote to memory of 1184	676		23A9.exe
PID 676 wrote to memory of 1780	676		explorer.exe
PID 676 wrote to memory of 1780	676		explorer.exe
PID 676 wrote to memory of 1780	676		explorer.exe
PID 676 wrote to memory of 1780	676		explorer.exe
PID 1184 wrote to memory of 4880	1184	23A9.exe	InstallUtil.exe
PID 1184 wrote to memory of 4880	1184	23A9.exe	InstallUtil.exe
PID 1184 wrote to memory of 4880	1184	23A9.exe	InstallUtil.exe
PID 1184 wrote to memory of 4880	1184	23A9.exe	InstallUtil.exe
PID 1184 wrote to memory of 4880	1184	23A9.exe	InstallUtil.exe
PID 1184 wrote to memory of 4880	1184	23A9.exe	InstallUtil.exe
PID 1184 wrote to memory of 4880	1184	23A9.exe	InstallUtil.exe
PID 1184 wrote to memory of 4880	1184	23A9.exe	InstallUtil.exe
PID 676 wrote to memory of 1788	676		explorer.exe
PID 676 wrote to memory of 1788	676		explorer.exe
PID 676 wrote to memory of 1788	676		explorer.exe
PID 676 wrote to memory of 948	676		explorer.exe
PID 676 wrote to memory of 948	676		explorer.exe
PID 676 wrote to memory of 948	676		explorer.exe
PID 676 wrote to memory of 948	676		explorer.exe
PID 676 wrote to memory of 3380	676		explorer.exe
PID 676 wrote to memory of 3380	676		explorer.exe
PID 676 wrote to memory of 3380	676		explorer.exe
PID 676 wrote to memory of 3776	676		explorer.exe
PID 676 wrote to memory of 3776	676		explorer.exe
PID 676 wrote to memory of 3776	676		explorer.exe
PID 676 wrote to memory of 3776	676		explorer.exe
PID 676 wrote to memory of 4744	676		explorer.exe
PID 676 wrote to memory of 4744	676		explorer.exe
PID 676 wrote to memory of 4744	676		explorer.exe
PID 676 wrote to memory of 4744	676		explorer.exe
PID 676 wrote to memory of 3952	676		explorer.exe
PID 676 wrote to memory of 3952	676		explorer.exe
PID 676 wrote to memory of 3952	676		explorer.exe
PID 676 wrote to memory of 3952	676		explorer.exe
PID 4076 wrote to memory of 4716	4076	7B2.exe	msedge.exe
PID 4076 wrote to memory of 4716	4076	7B2.exe	msedge.exe
PID 4716 wrote to memory of 544	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 544	4716	msedge.exe	msedge.exe
PID 676 wrote to memory of 2320	676		explorer.exe
PID 676 wrote to memory of 2320	676		explorer.exe
PID 676 wrote to memory of 2320	676		explorer.exe
PID 1788 wrote to memory of 4716	1788	explorer.exe	msedge.exe
PID 1788 wrote to memory of 4716	1788	explorer.exe	msedge.exe
PID 1788 wrote to memory of 544	1788	explorer.exe	msedge.exe
PID 4716 wrote to memory of 4600	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4600	4716	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\3c2111e827e5cf00dd7984f708be0fcf0c0a39cad5eb041305822f516bc310f8.exe
"C:\Users\Admin\AppData\Local\Temp\3c2111e827e5cf00dd7984f708be0fcf0c0a39cad5eb041305822f516bc310f8.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4268

C:\Users\Admin\AppData\Local\Temp\F4D4.exe
C:\Users\Admin\AppData\Local\Temp\F4D4.exe
1⤵
- Executes dropped EXE
PID:3668

C:\Users\Admin\AppData\Local\Temp\7B2.exe
C:\Users\Admin\AppData\Local\Temp\7B2.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
PID:4076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=7B2.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff80a3446f8,0x7ff80a344708,0x7ff80a344718
3⤵
PID:544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,1228311423089767813,7741247496882617146,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
3⤵
PID:4600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,1228311423089767813,7741247496882617146,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
3⤵
PID:3300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,1228311423089767813,7741247496882617146,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
3⤵
PID:2740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1228311423089767813,7741247496882617146,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
3⤵
PID:4812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1228311423089767813,7741247496882617146,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
3⤵
PID:1472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2108,1228311423089767813,7741247496882617146,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4956 /prefetch:8
3⤵
PID:3556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1228311423089767813,7741247496882617146,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
3⤵
PID:3528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1228311423089767813,7741247496882617146,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3688 /prefetch:1
3⤵
PID:3676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1228311423089767813,7741247496882617146,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3756 /prefetch:1
3⤵
PID:1516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2108,1228311423089767813,7741247496882617146,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4884 /prefetch:8
3⤵
PID:3344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1228311423089767813,7741247496882617146,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:1
3⤵
PID:4552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1228311423089767813,7741247496882617146,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1
3⤵
PID:4804

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,1228311423089767813,7741247496882617146,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6432 /prefetch:8
3⤵
PID:2880

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:5092

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff734b25460,0x7ff734b25470,0x7ff734b25480
4⤵
PID:3640

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,1228311423089767813,7741247496882617146,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6432 /prefetch:8
3⤵
PID:2308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,1228311423089767813,7741247496882617146,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6960 /prefetch:8
3⤵
PID:3444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,1228311423089767813,7741247496882617146,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5028 /prefetch:8
3⤵
PID:2348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,1228311423089767813,7741247496882617146,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6708 /prefetch:8
3⤵
PID:2948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=7B2.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
2⤵
PID:4796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff80a3446f8,0x7ff80a344708,0x7ff80a344718
3⤵
PID:3936

C:\Users\Admin\AppData\Local\Temp\E79.exe
C:\Users\Admin\AppData\Local\Temp\E79.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Users\Admin\AppData\Local\Temp\1D10.exe
C:\Users\Admin\AppData\Local\Temp\1D10.exe
1⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4140

C:\Users\Admin\AppData\Local\Temp\23A9.exe
C:\Users\Admin\AppData\Local\Temp\23A9.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
2⤵
PID:4880

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1780

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:948

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3380

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3776

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4744

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3952

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2320

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2280

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2364

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
77c5176b80498efa00b6017129739c95

SHA1
b687aceede3bb326320a8ac6f652d3cbc5482635

SHA256
f0a2332f3aead2f03825b552d03d66574b3877ef4a0b9f0d61c99e71b721a413

SHA512
db6984d885a42f1fcc9a6598540d8c94744a74f09822eccddb8d9e81cd7cf2a54689720af729dd99bf97a482963e5939e71ae62e24251c1bd2f6ce8c30fd5301

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\1D10.exe
Filesize
6.4MB

MD5
3e9adb4d8dbec6eddee3065caf5911f6

SHA1
31c7111c8044afdf5c6ddb1e55244acfd06229d3

SHA256
215426d36754e9d391ae8ccabb74de1489fb8c18a127fec02a5be4e45462a7a5

SHA512
b62f413092028a3bdbc4ee7f6a085e881f51ed68c28d2950d1665cb4ecb1170f173a6003660b3c0d6629cc85f6f4b0e28dedd42c839ebbb29343b46a4f474ff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1D10.exe
Filesize
6.4MB

MD5
3e9adb4d8dbec6eddee3065caf5911f6

SHA1
31c7111c8044afdf5c6ddb1e55244acfd06229d3

SHA256
215426d36754e9d391ae8ccabb74de1489fb8c18a127fec02a5be4e45462a7a5

SHA512
b62f413092028a3bdbc4ee7f6a085e881f51ed68c28d2950d1665cb4ecb1170f173a6003660b3c0d6629cc85f6f4b0e28dedd42c839ebbb29343b46a4f474ff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\23A9.exe
Filesize
1.3MB

MD5
433683a8367e80c10c1e8cb26dc39b63

SHA1
0aab236dd4708fd4956393513062b378452e739c

SHA256
a7108944d940fb1c8c36f50083ca9d53fef4224afaef75084a97d7488489e46c

SHA512
bd01bb70ae4c1e5011eb56c7be6c17e49300389c3afeb13b37c7e8fc95612b86c3a229d0cfb34a0f7be8f0a7acb9bb13851fc4a62df5e9760f080f09004fe31f

Download Submit
C:\Users\Admin\AppData\Local\Temp\23A9.exe
Filesize
1.3MB

MD5
433683a8367e80c10c1e8cb26dc39b63

SHA1
0aab236dd4708fd4956393513062b378452e739c

SHA256
a7108944d940fb1c8c36f50083ca9d53fef4224afaef75084a97d7488489e46c

SHA512
bd01bb70ae4c1e5011eb56c7be6c17e49300389c3afeb13b37c7e8fc95612b86c3a229d0cfb34a0f7be8f0a7acb9bb13851fc4a62df5e9760f080f09004fe31f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7B2.exe
Filesize
3.0MB

MD5
4df973fc60804e9bc6a8051582351ee5

SHA1
4ddc2e8ef17773fe4b7a29ea8634ff92861cd647

SHA256
bd036b1298af5791d217f59dcedb65fd719f942f7da224bdf6cea433d45c34b1

SHA512
86633629198870b36a5d9b28178140a4892f75581ac0f2bac77cb744bbdf0c7e2453656a31db4a4a9418d532212f3ed31a7061a0b84aa4bcc37da0f0d907048e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7B2.exe
Filesize
3.0MB

MD5
4df973fc60804e9bc6a8051582351ee5

SHA1
4ddc2e8ef17773fe4b7a29ea8634ff92861cd647

SHA256
bd036b1298af5791d217f59dcedb65fd719f942f7da224bdf6cea433d45c34b1

SHA512
86633629198870b36a5d9b28178140a4892f75581ac0f2bac77cb744bbdf0c7e2453656a31db4a4a9418d532212f3ed31a7061a0b84aa4bcc37da0f0d907048e

Download Submit
C:\Users\Admin\AppData\Local\Temp\E79.exe
Filesize
344KB

MD5
0907dc351caecbe56e4ae22c041efd17

SHA1
019335863db510b409415c574764c7728a5831ec

SHA256
9aef4e5ba4269eeaf266e914e7d48b9ed3e947da9345ec7a9d9e860d6798ea3d

SHA512
61518ad3b9c29ff7d53ab755ca0a4ee66a1e522cf0cd30d7baceb2597dab0c4896597207a0eaf5acfef5b0b5a08b52e9267ebd24ec5f6d15349ac97dcacdcee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\E79.exe
Filesize
344KB

MD5
0907dc351caecbe56e4ae22c041efd17

SHA1
019335863db510b409415c574764c7728a5831ec

SHA256
9aef4e5ba4269eeaf266e914e7d48b9ed3e947da9345ec7a9d9e860d6798ea3d

SHA512
61518ad3b9c29ff7d53ab755ca0a4ee66a1e522cf0cd30d7baceb2597dab0c4896597207a0eaf5acfef5b0b5a08b52e9267ebd24ec5f6d15349ac97dcacdcee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\F4D4.exe
Filesize
4KB

MD5
9748489855d9dd82ab09da5e3e55b19e

SHA1
6ed2bf6a1a53a59cd2137812cb43b5032817f6a1

SHA256
05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b

SHA512
7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\F4D4.exe
Filesize
4KB

MD5
9748489855d9dd82ab09da5e3e55b19e

SHA1
6ed2bf6a1a53a59cd2137812cb43b5032817f6a1

SHA256
05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b

SHA512
7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk
Filesize
2KB

MD5
66e89b3a7fbc75b70be7365e243f52c0

SHA1
9b064cad10d02e30e77d6ca441ace7b07b37bad2

SHA256
60c8130e824b051d712785ae6da9cd49aa54b27363a08e0bb6f989fd03b1ad2a

SHA512
9420325a1148247ce191040c7149f737955cad8720603bd8574ad350eaf104cdd0cd083ec9cfa9f3ad8e45162408fb5a7e166b1b990ff4d0d8b5c2e1d72e4832

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk
Filesize
2KB

MD5
b7cd28b5d8b1504d0199d5a1e0898b7c

SHA1
02769bbd7b80f87eafa79e7afc9a61de0464500f

SHA256
b71406c23b18744a4b50ed127ff647eeb3b316761853b34973bd2750dfeccffd

SHA512
712c2478753b692bece611760af128e25fd077a05fd5bb418b5731f5896791b9a84a2b5e0a7a59172139ee7a42661fc626cf1329e2b8a6eb4801c8f06c63bd6d

Download Submit
\??\pipe\LOCAL\crashpad_4716_QWZUJQSELWKIAPOU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/544-236-0x00000265C0990000-0x00000265C099F000-memory.dmp

Filesize
60KB

Download
memory/544-222-0x0000000000000000-mapping.dmp

Download
memory/676-145-0x0000000002C20000-0x0000000002C30000-memory.dmp

Filesize
64KB

Download
memory/676-144-0x0000000002C20000-0x0000000002C30000-memory.dmp

Filesize
64KB

Download
memory/676-151-0x0000000002C20000-0x0000000002C30000-memory.dmp

Filesize
64KB

Download
memory/676-152-0x0000000002C20000-0x0000000002C30000-memory.dmp

Filesize
64KB

Download
memory/676-153-0x00000000078C0000-0x00000000078D0000-memory.dmp

Filesize
64KB

Download
memory/676-154-0x0000000002C20000-0x0000000002C30000-memory.dmp

Filesize
64KB

Download
memory/676-155-0x00000000082B0000-0x00000000082C0000-memory.dmp

Filesize
64KB

Download
memory/676-157-0x00000000082B0000-0x00000000082C0000-memory.dmp

Filesize
64KB

Download
memory/676-156-0x00000000082B0000-0x00000000082C0000-memory.dmp

Filesize
64KB

Download
memory/676-158-0x00000000082B0000-0x00000000082C0000-memory.dmp

Filesize
64KB

Download
memory/676-159-0x00000000082B0000-0x00000000082C0000-memory.dmp

Filesize
64KB

Download
memory/676-160-0x00000000082B0000-0x00000000082C0000-memory.dmp

Filesize
64KB

Download
memory/676-149-0x0000000002C20000-0x0000000002C30000-memory.dmp

Filesize
64KB

Download
memory/676-148-0x0000000002C20000-0x0000000002C30000-memory.dmp

Filesize
64KB

Download
memory/676-147-0x0000000002C20000-0x0000000002C30000-memory.dmp

Filesize
64KB

Download
memory/676-136-0x0000000002C20000-0x0000000002C30000-memory.dmp

Filesize
64KB

Download
memory/676-146-0x0000000002C20000-0x0000000002C30000-memory.dmp

Filesize
64KB

Download
memory/676-150-0x0000000002C20000-0x0000000002C30000-memory.dmp

Filesize
64KB

Download
memory/676-143-0x0000000002C20000-0x0000000002C30000-memory.dmp

Filesize
64KB

Download
memory/676-142-0x0000000002C20000-0x0000000002C30000-memory.dmp

Filesize
64KB

Download
memory/676-137-0x0000000002C20000-0x0000000002C30000-memory.dmp

Filesize
64KB

Download
memory/676-141-0x0000000002C20000-0x0000000002C30000-memory.dmp

Filesize
64KB

Download
memory/676-140-0x0000000002C20000-0x0000000002C30000-memory.dmp

Filesize
64KB

Download
memory/676-139-0x0000000002C20000-0x0000000002C30000-memory.dmp

Filesize
64KB

Download
memory/676-138-0x0000000002C20000-0x0000000002C30000-memory.dmp

Filesize
64KB

Download
memory/948-209-0x00000000009B0000-0x00000000009B9000-memory.dmp

Filesize
36KB

Download
memory/948-208-0x00000000009C0000-0x00000000009C5000-memory.dmp

Filesize
20KB

Download
memory/948-207-0x0000000000000000-mapping.dmp

Download
memory/948-262-0x00000000009C0000-0x00000000009C5000-memory.dmp

Filesize
20KB

Download
memory/1184-196-0x0000000000000000-mapping.dmp

Download
memory/1472-242-0x0000000000000000-mapping.dmp

Download
memory/1516-261-0x0000000000000000-mapping.dmp

Download
memory/1780-203-0x0000000000D80000-0x0000000000D8B000-memory.dmp

Filesize
44KB

Download
memory/1780-202-0x0000000000D90000-0x0000000000D97000-memory.dmp

Filesize
28KB

Download
memory/1780-199-0x0000000000000000-mapping.dmp

Download
memory/1780-251-0x0000000000D90000-0x0000000000D97000-memory.dmp

Filesize
28KB

Download
memory/1788-204-0x0000000000000000-mapping.dmp

Download
memory/1788-205-0x0000000000440000-0x0000000000449000-memory.dmp

Filesize
36KB

Download
memory/1788-253-0x0000000000440000-0x0000000000449000-memory.dmp

Filesize
36KB

Download
memory/1788-206-0x0000000000430000-0x000000000043F000-memory.dmp

Filesize
60KB

Download
memory/2280-234-0x0000000000000000-mapping.dmp

Download
memory/2280-240-0x00000000007B0000-0x00000000007BB000-memory.dmp

Filesize
44KB

Download
memory/2280-238-0x00000000007C0000-0x00000000007C8000-memory.dmp

Filesize
32KB

Download
memory/2280-272-0x00000000007C0000-0x00000000007C8000-memory.dmp

Filesize
32KB

Download
memory/2308-182-0x00000000050B0000-0x00000000050C2000-memory.dmp

Filesize
72KB

Download
memory/2308-192-0x0000000007F40000-0x000000000846C000-memory.dmp

Filesize
5.2MB

Download
memory/2308-276-0x0000000000000000-mapping.dmp

Download
memory/2308-185-0x0000000005460000-0x00000000054C6000-memory.dmp

Filesize
408KB

Download
memory/2308-184-0x0000000005130000-0x000000000516C000-memory.dmp

Filesize
240KB

Download
memory/2308-176-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2308-186-0x0000000006510000-0x0000000006AB4000-memory.dmp

Filesize
5.6MB

Download
memory/2308-187-0x0000000006040000-0x00000000060D2000-memory.dmp

Filesize
584KB

Download
memory/2308-183-0x00000000051E0000-0x00000000052EA000-memory.dmp

Filesize
1.0MB

Download
memory/2308-175-0x0000000000000000-mapping.dmp

Download
memory/2308-181-0x0000000005640000-0x0000000005C58000-memory.dmp

Filesize
6.1MB

Download
memory/2308-188-0x00000000060E0000-0x0000000006130000-memory.dmp

Filesize
320KB

Download
memory/2308-191-0x0000000007840000-0x0000000007A02000-memory.dmp

Filesize
1.8MB

Download
memory/2308-190-0x0000000006150000-0x000000000616E000-memory.dmp

Filesize
120KB

Download
memory/2308-189-0x00000000061B0000-0x0000000006226000-memory.dmp

Filesize
472KB

Download
memory/2320-225-0x0000000000000000-mapping.dmp

Download
memory/2320-227-0x00000000012A0000-0x00000000012AD000-memory.dmp

Filesize
52KB

Download
memory/2320-226-0x00000000012B0000-0x00000000012B7000-memory.dmp

Filesize
28KB

Download
memory/2348-281-0x0000000000000000-mapping.dmp

Download
memory/2740-252-0x000001B5AC3F0000-0x000001B5AC3FF000-memory.dmp

Filesize
60KB

Download
memory/2740-235-0x0000000000000000-mapping.dmp

Download
memory/2948-283-0x0000000000000000-mapping.dmp

Download
memory/3300-248-0x0000012456800000-0x000001245680F000-memory.dmp

Filesize
60KB

Download
memory/3300-231-0x0000000000000000-mapping.dmp

Download
memory/3300-274-0x0000012456800000-0x000001245680F000-memory.dmp

Filesize
60KB

Download
memory/3344-266-0x0000000000000000-mapping.dmp

Download
memory/3380-212-0x00000000007D0000-0x00000000007D6000-memory.dmp

Filesize
24KB

Download
memory/3380-210-0x0000000000000000-mapping.dmp

Download
memory/3380-213-0x00000000007C0000-0x00000000007CC000-memory.dmp

Filesize
48KB

Download
memory/3444-279-0x0000000000000000-mapping.dmp

Download
memory/3528-250-0x0000000000000000-mapping.dmp

Download
memory/3556-246-0x0000000000000000-mapping.dmp

Download
memory/3640-275-0x0000000000000000-mapping.dmp

Download
memory/3668-164-0x0000000000910000-0x0000000000918000-memory.dmp

Filesize
32KB

Download
memory/3668-165-0x00007FF809890000-0x00007FF80A351000-memory.dmp

Filesize
10.8MB

Download
memory/3668-161-0x0000000000000000-mapping.dmp

Download
memory/3676-258-0x0000000000000000-mapping.dmp

Download
memory/3704-172-0x0000000000000000-mapping.dmp

Download
memory/3776-216-0x0000000000EA0000-0x0000000000EC7000-memory.dmp

Filesize
156KB

Download
memory/3776-214-0x0000000000000000-mapping.dmp

Download
memory/3776-263-0x0000000000ED0000-0x0000000000EF2000-memory.dmp

Filesize
136KB

Download
memory/3776-215-0x0000000000ED0000-0x0000000000EF2000-memory.dmp

Filesize
136KB

Download
memory/3936-255-0x0000000000000000-mapping.dmp

Download
memory/3952-224-0x0000000000EC0000-0x0000000000ECB000-memory.dmp

Filesize
44KB

Download
memory/3952-220-0x0000000000000000-mapping.dmp

Download
memory/3952-271-0x0000000000ED0000-0x0000000000ED6000-memory.dmp

Filesize
24KB

Download
memory/3952-223-0x0000000000ED0000-0x0000000000ED6000-memory.dmp

Filesize
24KB

Download
memory/4076-211-0x0000000000290000-0x0000000000AC4000-memory.dmp

Filesize
8.2MB

Download
memory/4076-166-0x0000000000000000-mapping.dmp

Download
memory/4076-169-0x0000000000290000-0x0000000000AC4000-memory.dmp

Filesize
8.2MB

Download
memory/4076-259-0x0000000000290000-0x0000000000AC4000-memory.dmp

Filesize
8.2MB

Download
memory/4140-193-0x0000000000000000-mapping.dmp

Download
memory/4268-135-0x0000000000400000-0x0000000000560000-memory.dmp

Filesize
1.4MB

Download
memory/4268-134-0x0000000000400000-0x0000000000560000-memory.dmp

Filesize
1.4MB

Download
memory/4268-133-0x00000000006F0000-0x00000000006F9000-memory.dmp

Filesize
36KB

Download
memory/4268-132-0x0000000000721000-0x0000000000734000-memory.dmp

Filesize
76KB

Download
memory/4552-268-0x0000000000000000-mapping.dmp

Download
memory/4600-247-0x000002802F540000-0x000002802F54F000-memory.dmp

Filesize
60KB

Download
memory/4600-230-0x0000000000000000-mapping.dmp

Download
memory/4716-221-0x0000000000000000-mapping.dmp

Download
memory/4716-228-0x000001FE25720000-0x000001FE2572F000-memory.dmp

Filesize
60KB

Download
memory/4744-217-0x0000000000000000-mapping.dmp

Download
memory/4744-218-0x00000000007F0000-0x00000000007F5000-memory.dmp

Filesize
20KB

Download
memory/4744-264-0x00000000007F0000-0x00000000007F5000-memory.dmp

Filesize
20KB

Download
memory/4744-219-0x00000000007E0000-0x00000000007E9000-memory.dmp

Filesize
36KB

Download
memory/4796-254-0x0000000000000000-mapping.dmp

Download
memory/4804-270-0x0000000000000000-mapping.dmp

Download
memory/4812-239-0x0000000000000000-mapping.dmp

Download
memory/4880-201-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4880-200-0x0000000000000000-mapping.dmp

Download
memory/5092-273-0x0000000000000000-mapping.dmp

Download