smokeloader | cf4c097ad6021d69482076fe305c914d4636781d91bb652dfbc34ffb946b070d

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
18-02-2023 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf4c097ad6021d69482076fe305c914d4636781d91bb652dfbc34ffb946b070d.exe
Size

245KB
MD5

e46053b5c24461d596948f0454e73b58
SHA1

6fc4218945520dfd5f3ad851bd0be6928817152a
SHA256

cf4c097ad6021d69482076fe305c914d4636781d91bb652dfbc34ffb946b070d
SHA512

ac23285029ac7e0b35bdf169ebc9f08a31fb75f413c64848a4b5a54037444ee2a6f7e995fbd2fd0e16f70d2b24b3f5d0e60f9d16c2d5555ac571c51cd5cc7184
SSDEEP

3072:nF2VYvjLKUnOnFh4d81cOtI7IwPNOShYPewvYi/IhxSVUtwh:FkMjLKUQh/lwVO24vp/Ij

Score

10^/10

smokeloader agilenet backdoor microsoft evasion persistence phishing themida trojan

Malware Config

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4644-133-0x0000000000680000-0x0000000000689000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

F93B.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ F93B.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	F93B.exe

.NET Reactor proctector 3 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\E40C.exe	net_reactor
C:\Users\Admin\AppData\Local\Temp\E40C.exe	net_reactor
behavioral1/memory/3964-160-0x00000000008F0000-0x0000000001166000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

F93B.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	F93B.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	F93B.exe

Executes dropped EXE 5 IoCs

Processes:

E40C.exeED82.exeF93B.exe206.exe9C8.exe

pid process

3964 E40C.exe
3688 ED82.exe
4880 F93B.exe
3544 206.exe
2744 9C8.exe

pid	process
3964	E40C.exe
3688	ED82.exe
4880	F93B.exe
3544	206.exe
2744	9C8.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/4880-262-0x0000000000AF0000-0x0000000001324000-memory.dmp	agile_net

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\F93B.exe	themida
C:\Users\Admin\AppData\Local\Temp\F93B.exe	themida
behavioral1/memory/4880-262-0x0000000000AF0000-0x0000000001324000-memory.dmp	themida

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

F93B.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA F93B.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Detected potential entity reuse from brand microsoft.
phishing microsoft

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	F93B.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

E40C.exe206.exe

description	pid	process	target process
PID 3964 set thread context of 556	3964	E40C.exe	InstallUtil.exe
PID 3544 set thread context of 4484	3544	206.exe	vbc.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\da1da795-6f3e-4274-b5c1-bc3708e5e350.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230218213222.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3984 3544 WerFault.exe 206.exe

pid	pid_target	process	target process
3984	3544	WerFault.exe	206.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

cf4c097ad6021d69482076fe305c914d4636781d91bb652dfbc34ffb946b070d.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cf4c097ad6021d69482076fe305c914d4636781d91bb652dfbc34ffb946b070d.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cf4c097ad6021d69482076fe305c914d4636781d91bb652dfbc34ffb946b070d.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cf4c097ad6021d69482076fe305c914d4636781d91bb652dfbc34ffb946b070d.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 4 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

cf4c097ad6021d69482076fe305c914d4636781d91bb652dfbc34ffb946b070d.exe

pid	process
4644	cf4c097ad6021d69482076fe305c914d4636781d91bb652dfbc34ffb946b070d.exe
4644	cf4c097ad6021d69482076fe305c914d4636781d91bb652dfbc34ffb946b070d.exe
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764
2764

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2764

pid	process
2764

Suspicious behavior: MapViewOfSection 41 IoCs

Processes:

cf4c097ad6021d69482076fe305c914d4636781d91bb652dfbc34ffb946b070d.exeexplorer.exe

pid	process
4644	cf4c097ad6021d69482076fe305c914d4636781d91bb652dfbc34ffb946b070d.exe
2764
2764
2764
2764
2448	explorer.exe
2448	explorer.exe
2448	explorer.exe
2448	explorer.exe
2764
2764
2448	explorer.exe
2448	explorer.exe
2448	explorer.exe
2448	explorer.exe
2764
2764
2448	explorer.exe
2448	explorer.exe
2764
2764
2448	explorer.exe
2448	explorer.exe
2764
2764
2448	explorer.exe
2448	explorer.exe
2764
2764
2764
2764
2448	explorer.exe
2448	explorer.exe
2764
2764
2448	explorer.exe
2448	explorer.exe
2448	explorer.exe
2448	explorer.exe
2448	explorer.exe
2448	explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

2588 msedge.exe
2588 msedge.exe
2588 msedge.exe
2588 msedge.exe
2588 msedge.exe
2588 msedge.exe
2588 msedge.exe

pid	process
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe

Suspicious use of AdjustPrivilegeToken 62 IoCs

Processes:

E40C.exevbc.exe

description	pid	process
Token: SeShutdownPrivilege	2764
Token: SeCreatePagefilePrivilege	2764
Token: SeShutdownPrivilege	2764
Token: SeCreatePagefilePrivilege	2764
Token: SeDebugPrivilege	3964	E40C.exe
Token: SeShutdownPrivilege	2764
Token: SeCreatePagefilePrivilege	2764
Token: SeShutdownPrivilege	2764
Token: SeCreatePagefilePrivilege	2764
Token: SeShutdownPrivilege	2764
Token: SeCreatePagefilePrivilege	2764
Token: SeShutdownPrivilege	2764
Token: SeCreatePagefilePrivilege	2764
Token: SeShutdownPrivilege	2764
Token: SeCreatePagefilePrivilege	2764
Token: SeShutdownPrivilege	2764
Token: SeCreatePagefilePrivilege	2764
Token: SeShutdownPrivilege	2764
Token: SeCreatePagefilePrivilege	2764
Token: SeShutdownPrivilege	2764
Token: SeCreatePagefilePrivilege	2764
Token: SeShutdownPrivilege	2764
Token: SeCreatePagefilePrivilege	2764
Token: SeShutdownPrivilege	2764
Token: SeCreatePagefilePrivilege	2764
Token: SeShutdownPrivilege	2764
Token: SeCreatePagefilePrivilege	2764
Token: SeShutdownPrivilege	2764
Token: SeCreatePagefilePrivilege	2764
Token: SeShutdownPrivilege	2764
Token: SeCreatePagefilePrivilege	2764
Token: SeShutdownPrivilege	2764
Token: SeCreatePagefilePrivilege	2764
Token: SeShutdownPrivilege	2764
Token: SeCreatePagefilePrivilege	2764
Token: SeDebugPrivilege	4484	vbc.exe
Token: SeShutdownPrivilege	2764
Token: SeCreatePagefilePrivilege	2764
Token: SeShutdownPrivilege	2764
Token: SeCreatePagefilePrivilege	2764
Token: SeShutdownPrivilege	2764
Token: SeCreatePagefilePrivilege	2764
Token: SeShutdownPrivilege	2764
Token: SeCreatePagefilePrivilege	2764
Token: SeShutdownPrivilege	2764
Token: SeCreatePagefilePrivilege	2764
Token: SeShutdownPrivilege	2764
Token: SeCreatePagefilePrivilege	2764
Token: SeShutdownPrivilege	2764
Token: SeCreatePagefilePrivilege	2764
Token: SeShutdownPrivilege	2764
Token: SeCreatePagefilePrivilege	2764
Token: SeShutdownPrivilege	2764
Token: SeCreatePagefilePrivilege	2764
Token: SeShutdownPrivilege	2764
Token: SeCreatePagefilePrivilege	2764
Token: SeShutdownPrivilege	2764
Token: SeCreatePagefilePrivilege	2764
Token: SeShutdownPrivilege	2764
Token: SeCreatePagefilePrivilege	2764
Token: SeShutdownPrivilege	2764
Token: SeCreatePagefilePrivilege	2764

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

msedge.exe

pid process

2588 msedge.exe
2764
2764
2764
2588 msedge.exe
2764
2764
2764
2764

pid	process
2588	msedge.exe
2764
2764
2764
2588	msedge.exe
2764
2764
2764
2764

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

E40C.exe206.exeF93B.exemsedge.exe

description	pid	process	target process
PID 2764 wrote to memory of 3964	2764		E40C.exe
PID 2764 wrote to memory of 3964	2764		E40C.exe
PID 2764 wrote to memory of 3688	2764		ED82.exe
PID 2764 wrote to memory of 3688	2764		ED82.exe
PID 3964 wrote to memory of 556	3964	E40C.exe	InstallUtil.exe
PID 3964 wrote to memory of 556	3964	E40C.exe	InstallUtil.exe
PID 3964 wrote to memory of 556	3964	E40C.exe	InstallUtil.exe
PID 3964 wrote to memory of 556	3964	E40C.exe	InstallUtil.exe
PID 3964 wrote to memory of 556	3964	E40C.exe	InstallUtil.exe
PID 3964 wrote to memory of 556	3964	E40C.exe	InstallUtil.exe
PID 3964 wrote to memory of 556	3964	E40C.exe	InstallUtil.exe
PID 3964 wrote to memory of 556	3964	E40C.exe	InstallUtil.exe
PID 2764 wrote to memory of 4880	2764		F93B.exe
PID 2764 wrote to memory of 4880	2764		F93B.exe
PID 2764 wrote to memory of 4880	2764		F93B.exe
PID 2764 wrote to memory of 3544	2764		206.exe
PID 2764 wrote to memory of 3544	2764		206.exe
PID 2764 wrote to memory of 3544	2764		206.exe
PID 3544 wrote to memory of 4484	3544	206.exe	vbc.exe
PID 3544 wrote to memory of 4484	3544	206.exe	vbc.exe
PID 3544 wrote to memory of 4484	3544	206.exe	vbc.exe
PID 3544 wrote to memory of 4484	3544	206.exe	vbc.exe
PID 3544 wrote to memory of 4484	3544	206.exe	vbc.exe
PID 2764 wrote to memory of 2744	2764		9C8.exe
PID 2764 wrote to memory of 2744	2764		9C8.exe
PID 4880 wrote to memory of 2588	4880	F93B.exe	msedge.exe
PID 4880 wrote to memory of 2588	4880	F93B.exe	msedge.exe
PID 2588 wrote to memory of 3936	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 3936	2588	msedge.exe	msedge.exe
PID 2764 wrote to memory of 4848	2764		explorer.exe
PID 2764 wrote to memory of 4848	2764		explorer.exe
PID 2764 wrote to memory of 4848	2764		explorer.exe
PID 2764 wrote to memory of 4848	2764		explorer.exe
PID 2588 wrote to memory of 3644	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 3644	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 3644	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 3644	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 3644	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 3644	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 3644	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 3644	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 3644	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 3644	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 3644	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 3644	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 3644	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 3644	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 3644	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 3644	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 3644	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 3644	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 3644	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 3644	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 3644	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 3644	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 3644	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 3644	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 3644	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 3644	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 3644	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 3644	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 3644	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 3644	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 3644	2588	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\cf4c097ad6021d69482076fe305c914d4636781d91bb652dfbc34ffb946b070d.exe
"C:\Users\Admin\AppData\Local\Temp\cf4c097ad6021d69482076fe305c914d4636781d91bb652dfbc34ffb946b070d.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4644

C:\Users\Admin\AppData\Local\Temp\E40C.exe
C:\Users\Admin\AppData\Local\Temp\E40C.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
2⤵
PID:556

C:\Users\Admin\AppData\Local\Temp\ED82.exe
C:\Users\Admin\AppData\Local\Temp\ED82.exe
1⤵
- Executes dropped EXE
PID:3688

C:\Users\Admin\AppData\Local\Temp\F93B.exe
C:\Users\Admin\AppData\Local\Temp\F93B.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
PID:4880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=F93B.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd9e1846f8,0x7ffd9e184708,0x7ffd9e184718
3⤵
PID:3936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,14637838850890680188,14524082263298055361,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
3⤵
PID:3644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,14637838850890680188,14524082263298055361,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
3⤵
PID:4320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,14637838850890680188,14524082263298055361,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
3⤵
PID:1528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14637838850890680188,14524082263298055361,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
3⤵
PID:1960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14637838850890680188,14524082263298055361,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
3⤵
PID:1352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14637838850890680188,14524082263298055361,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
3⤵
PID:3584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2136,14637838850890680188,14524082263298055361,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5540 /prefetch:8
3⤵
PID:3620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2136,14637838850890680188,14524082263298055361,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5484 /prefetch:8
3⤵
PID:3096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14637838850890680188,14524082263298055361,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
3⤵
PID:2564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14637838850890680188,14524082263298055361,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
3⤵
PID:1212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14637838850890680188,14524082263298055361,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
3⤵
PID:3988

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,14637838850890680188,14524082263298055361,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3652 /prefetch:8
3⤵
PID:4460

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:5036

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff70a4d5460,0x7ff70a4d5470,0x7ff70a4d5480
4⤵
PID:3964

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,14637838850890680188,14524082263298055361,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3652 /prefetch:8
3⤵
PID:2240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14637838850890680188,14524082263298055361,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:1
3⤵
PID:4468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,14637838850890680188,14524082263298055361,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2976 /prefetch:8
3⤵
PID:1020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,14637838850890680188,14524082263298055361,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5016 /prefetch:8
3⤵
PID:3484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=F93B.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
2⤵
PID:4056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd9e1846f8,0x7ffd9e184708,0x7ffd9e184718
3⤵
PID:3620

C:\Users\Admin\AppData\Local\Temp\206.exe
C:\Users\Admin\AppData\Local\Temp\206.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 248
2⤵
- Program crash
PID:3984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3544 -ip 3544
1⤵
PID:1768

C:\Users\Admin\AppData\Local\Temp\9C8.exe
C:\Users\Admin\AppData\Local\Temp\9C8.exe
1⤵
- Executes dropped EXE
PID:2744

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4848

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:564

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2448

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3012

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3480

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1924

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1988

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4856

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1532

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2468

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3620

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c71cb7463c49e125cbae14ac265cf18f

SHA1
4430c030546d725e7f6e5584f139e012e9214f06

SHA256
1eb6d93849a5c52e9b381fc0abd82b401e2d1e5dfbedd48a3cff50e91e758018

SHA512
2f1317d23dfe8c39760e51900cfaed49a2ba4675f0904ec033252e037e0eb935e59b4cc0b8c11c4acd7cfbddf0d9d461f5a66504494863c2bb7781aa3c000eed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies
Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data
Filesize
112KB

MD5
30e375798049100677ea16b7c578a4ee

SHA1
bcab7401a5f34ac0e6f795ece8d3ed12944ae99f

SHA256
ea5c90cfc97f429a2f9e0b1e9b16778b5b19bd8e83a896a30002de70af84e1ce

SHA512
f8ae930e26ecfe06dc30d4f39858b0eec6b4a81a8139883712505b5c6b58504d463d986ef58c7151a247fe157c6013b570b9d39e1d4a860061e37e0419900582

Download Submit
C:\Users\Admin\AppData\Local\Temp\206.exe
Filesize
1.1MB

MD5
b5cd4deb250cbeda544d8622d7ed90bf

SHA1
d8f784eba044a176e935cd6bc9a97d346a810c98

SHA256
8f4b3502e38100486b960ef7d7aea1c43ba2ba38f5d31439b1ae9324c3f43621

SHA512
1a828445c797a4af0279eb2d0ba2e973b2768da5eeec6ebc42c104a1bf689268798380b8da2496757d7ee0e61f10cadadc7369fb5cb535d13260d7721562f2ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\206.exe
Filesize
1.1MB

MD5
b5cd4deb250cbeda544d8622d7ed90bf

SHA1
d8f784eba044a176e935cd6bc9a97d346a810c98

SHA256
8f4b3502e38100486b960ef7d7aea1c43ba2ba38f5d31439b1ae9324c3f43621

SHA512
1a828445c797a4af0279eb2d0ba2e973b2768da5eeec6ebc42c104a1bf689268798380b8da2496757d7ee0e61f10cadadc7369fb5cb535d13260d7721562f2ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\9C8.exe
Filesize
4KB

MD5
9748489855d9dd82ab09da5e3e55b19e

SHA1
6ed2bf6a1a53a59cd2137812cb43b5032817f6a1

SHA256
05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b

SHA512
7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\9C8.exe
Filesize
4KB

MD5
9748489855d9dd82ab09da5e3e55b19e

SHA1
6ed2bf6a1a53a59cd2137812cb43b5032817f6a1

SHA256
05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b

SHA512
7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\E40C.exe
Filesize
8.4MB

MD5
d38e84427edbc6789f1bb12ae69c6dc5

SHA1
718aa1778e1ad4a23b53adea4dbabeeb39b89f94

SHA256
bd4e3e2c455b2322b4b874a319a14c638e6b567c7c1e83edc839ac05aee1a6a4

SHA512
271966fc13137d5cda7eb9283c3c9c77361dd10d37eef713d0ac9c08326d930c1202d7470f1f2ad9e66f2a798354f09ce846139a8e2ca2b91d7719c215a68948

Download Submit
C:\Users\Admin\AppData\Local\Temp\E40C.exe
Filesize
8.4MB

MD5
d38e84427edbc6789f1bb12ae69c6dc5

SHA1
718aa1778e1ad4a23b53adea4dbabeeb39b89f94

SHA256
bd4e3e2c455b2322b4b874a319a14c638e6b567c7c1e83edc839ac05aee1a6a4

SHA512
271966fc13137d5cda7eb9283c3c9c77361dd10d37eef713d0ac9c08326d930c1202d7470f1f2ad9e66f2a798354f09ce846139a8e2ca2b91d7719c215a68948

Download Submit
C:\Users\Admin\AppData\Local\Temp\ED82.exe
Filesize
4KB

MD5
9748489855d9dd82ab09da5e3e55b19e

SHA1
6ed2bf6a1a53a59cd2137812cb43b5032817f6a1

SHA256
05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b

SHA512
7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\ED82.exe
Filesize
4KB

MD5
9748489855d9dd82ab09da5e3e55b19e

SHA1
6ed2bf6a1a53a59cd2137812cb43b5032817f6a1

SHA256
05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b

SHA512
7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\F93B.exe
Filesize
3.0MB

MD5
4df973fc60804e9bc6a8051582351ee5

SHA1
4ddc2e8ef17773fe4b7a29ea8634ff92861cd647

SHA256
bd036b1298af5791d217f59dcedb65fd719f942f7da224bdf6cea433d45c34b1

SHA512
86633629198870b36a5d9b28178140a4892f75581ac0f2bac77cb744bbdf0c7e2453656a31db4a4a9418d532212f3ed31a7061a0b84aa4bcc37da0f0d907048e

Download Submit
C:\Users\Admin\AppData\Local\Temp\F93B.exe
Filesize
3.0MB

MD5
4df973fc60804e9bc6a8051582351ee5

SHA1
4ddc2e8ef17773fe4b7a29ea8634ff92861cd647

SHA256
bd036b1298af5791d217f59dcedb65fd719f942f7da224bdf6cea433d45c34b1

SHA512
86633629198870b36a5d9b28178140a4892f75581ac0f2bac77cb744bbdf0c7e2453656a31db4a4a9418d532212f3ed31a7061a0b84aa4bcc37da0f0d907048e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk
Filesize
2KB

MD5
aa6177920a1f1faa71a23149d3e10000

SHA1
d8d63750f407e13ec0bcaeebe86a10113f1005de

SHA256
9edf4bbb69df53180c55b48ab369945cd802ef042b8a29b3c081a6a0f376049b

SHA512
fc03bc5d8dc41d140ff0082dce16962505b37ca1806f328981c6682e53e1439a21799d142af1f75f377dd66b5aee6ac7f6d22606a51a6ec4fd7eff729d35305b

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk
Filesize
2KB

MD5
fb2df896fd536d429939552183e6c20c

SHA1
4ce729e31c8888cc3646c18e1e274ba65559ab73

SHA256
b466c806ab7dd724be579bc23abc83617db1772501c9ce5d2b3926b8a72639dc

SHA512
eec9dcaf7f0af1d666a1fc28aa47d3e8bb7632478ae47db71874a8d1d72f1d49db513c83df2fbc1f4d122d24d46c1fa90d309c93148bfcca2532b1eaf391ac45

Download Submit
\??\pipe\LOCAL\crashpad_2588_ALNGQBGKRVWNGKLX
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/556-168-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/556-169-0x00000000004088B8-mapping.dmp

Download
memory/556-171-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/556-173-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1020-285-0x0000000000000000-mapping.dmp

Download
memory/1212-259-0x0000000000000000-mapping.dmp

Download
memory/1352-222-0x0000000000000000-mapping.dmp

Download
memory/1528-242-0x00000244C9080000-0x00000244C908F000-memory.dmp

Filesize
60KB

Download
memory/1528-212-0x0000000000000000-mapping.dmp

Download
memory/1532-255-0x0000000000000000-mapping.dmp

Download
memory/1532-264-0x00000000012B0000-0x00000000012B7000-memory.dmp

Filesize
28KB

Download
memory/1532-265-0x00000000012A0000-0x00000000012AD000-memory.dmp

Filesize
52KB

Download
memory/1532-283-0x00000000012B0000-0x00000000012B7000-memory.dmp

Filesize
28KB

Download
memory/1924-246-0x00000000007C0000-0x00000000007E7000-memory.dmp

Filesize
156KB

Download
memory/1924-245-0x0000000000A00000-0x0000000000A22000-memory.dmp

Filesize
136KB

Download
memory/1924-243-0x0000000000000000-mapping.dmp

Download
memory/1960-220-0x0000000000000000-mapping.dmp

Download
memory/1988-249-0x0000000000580000-0x0000000000589000-memory.dmp

Filesize
36KB

Download
memory/1988-281-0x0000000000590000-0x0000000000595000-memory.dmp

Filesize
20KB

Download
memory/1988-248-0x0000000000590000-0x0000000000595000-memory.dmp

Filesize
20KB

Download
memory/1988-247-0x0000000000000000-mapping.dmp

Download
memory/2240-274-0x0000000000000000-mapping.dmp

Download
memory/2448-278-0x0000000000840000-0x0000000000849000-memory.dmp

Filesize
36KB

Download
memory/2448-216-0x0000000000830000-0x000000000083F000-memory.dmp

Filesize
60KB

Download
memory/2448-215-0x0000000000840000-0x0000000000849000-memory.dmp

Filesize
36KB

Download
memory/2448-213-0x0000000000000000-mapping.dmp

Download
memory/2468-268-0x0000000000000000-mapping.dmp

Download
memory/2468-270-0x0000000000530000-0x000000000053B000-memory.dmp

Filesize
44KB

Download
memory/2468-269-0x0000000000540000-0x0000000000548000-memory.dmp

Filesize
32KB

Download
memory/2564-257-0x0000000000000000-mapping.dmp

Download
memory/2588-217-0x00000193D7990000-0x00000193D799F000-memory.dmp

Filesize
60KB

Download
memory/2588-198-0x0000000000000000-mapping.dmp

Download
memory/2744-193-0x0000000000000000-mapping.dmp

Download
memory/2744-196-0x00007FFD9C630000-0x00007FFD9D0F1000-memory.dmp

Filesize
10.8MB

Download
memory/2764-154-0x0000000007690000-0x00000000076A0000-memory.dmp

Filesize
64KB

Download
memory/2764-138-0x0000000007460000-0x0000000007470000-memory.dmp

Filesize
64KB

Download
memory/2764-136-0x0000000007460000-0x0000000007470000-memory.dmp

Filesize
64KB

Download
memory/2764-137-0x0000000007460000-0x0000000007470000-memory.dmp

Filesize
64KB

Download
memory/2764-156-0x0000000007690000-0x00000000076A0000-memory.dmp

Filesize
64KB

Download
memory/2764-153-0x0000000007660000-0x0000000007670000-memory.dmp

Filesize
64KB

Download
memory/2764-155-0x0000000007690000-0x00000000076A0000-memory.dmp

Filesize
64KB

Download
memory/2764-139-0x0000000007460000-0x0000000007470000-memory.dmp

Filesize
64KB

Download
memory/2764-162-0x0000000007690000-0x00000000076A0000-memory.dmp

Filesize
64KB

Download
memory/2764-152-0x0000000007460000-0x0000000007470000-memory.dmp

Filesize
64KB

Download
memory/2764-140-0x0000000007460000-0x0000000007470000-memory.dmp

Filesize
64KB

Download
memory/2764-151-0x0000000007460000-0x0000000007470000-memory.dmp

Filesize
64KB

Download
memory/2764-150-0x0000000007460000-0x0000000007470000-memory.dmp

Filesize
64KB

Download
memory/2764-149-0x0000000007460000-0x0000000007470000-memory.dmp

Filesize
64KB

Download
memory/2764-148-0x0000000007460000-0x0000000007470000-memory.dmp

Filesize
64KB

Download
memory/2764-147-0x0000000007460000-0x0000000007470000-memory.dmp

Filesize
64KB

Download
memory/2764-141-0x0000000007460000-0x0000000007470000-memory.dmp

Filesize
64KB

Download
memory/2764-146-0x0000000007460000-0x0000000007470000-memory.dmp

Filesize
64KB

Download
memory/2764-145-0x0000000007460000-0x0000000007470000-memory.dmp

Filesize
64KB

Download
memory/2764-143-0x0000000007460000-0x0000000007470000-memory.dmp

Filesize
64KB

Download
memory/2764-144-0x0000000007460000-0x0000000007470000-memory.dmp

Filesize
64KB

Download
memory/2764-142-0x0000000007460000-0x0000000007470000-memory.dmp

Filesize
64KB

Download
memory/3012-229-0x0000000001450000-0x0000000001455000-memory.dmp

Filesize
20KB

Download
memory/3012-224-0x0000000000000000-mapping.dmp

Download
memory/3012-279-0x0000000001450000-0x0000000001455000-memory.dmp

Filesize
20KB

Download
memory/3012-230-0x0000000001440000-0x0000000001449000-memory.dmp

Filesize
36KB

Download
memory/3096-254-0x0000000000000000-mapping.dmp

Download
memory/3480-241-0x0000000000D70000-0x0000000000D7C000-memory.dmp

Filesize
48KB

Download
memory/3480-240-0x0000000000D80000-0x0000000000D86000-memory.dmp

Filesize
24KB

Download
memory/3480-236-0x0000000000000000-mapping.dmp

Download
memory/3480-280-0x0000000000D80000-0x0000000000D86000-memory.dmp

Filesize
24KB

Download
memory/3484-287-0x0000000000000000-mapping.dmp

Download
memory/3544-180-0x0000000000000000-mapping.dmp

Download
memory/3544-192-0x0000000000440000-0x0000000000558000-memory.dmp

Filesize
1.1MB

Download
memory/3584-235-0x0000000000000000-mapping.dmp

Download
memory/3620-238-0x0000000000000000-mapping.dmp

Download
memory/3620-261-0x0000000000000000-mapping.dmp

Download
memory/3644-207-0x0000000000000000-mapping.dmp

Download
memory/3644-231-0x0000025EBCA70000-0x0000025EBCA7F000-memory.dmp

Filesize
60KB

Download
memory/3688-166-0x0000000000120000-0x0000000000128000-memory.dmp

Filesize
32KB

Download
memory/3688-163-0x0000000000000000-mapping.dmp

Download
memory/3688-167-0x00007FFD9C630000-0x00007FFD9D0F1000-memory.dmp

Filesize
10.8MB

Download
memory/3936-199-0x0000000000000000-mapping.dmp

Download
memory/3936-228-0x0000019D8ADE0000-0x0000019D8ADEF000-memory.dmp

Filesize
60KB

Download
memory/3964-157-0x0000000000000000-mapping.dmp

Download
memory/3964-161-0x00007FFD9C630000-0x00007FFD9D0F1000-memory.dmp

Filesize
10.8MB

Download
memory/3964-160-0x00000000008F0000-0x0000000001166000-memory.dmp

Filesize
8.5MB

Download
memory/3964-272-0x0000000000000000-mapping.dmp

Download
memory/3964-172-0x00007FFD9C630000-0x00007FFD9D0F1000-memory.dmp

Filesize
10.8MB

Download
memory/3988-267-0x0000000000000000-mapping.dmp

Download
memory/4056-260-0x0000000000000000-mapping.dmp

Download
memory/4320-239-0x000001DA322D0000-0x000001DA322DF000-memory.dmp

Filesize
60KB

Download
memory/4320-208-0x0000000000000000-mapping.dmp

Download
memory/4468-276-0x0000000000000000-mapping.dmp

Download
memory/4484-190-0x0000000005870000-0x0000000005882000-memory.dmp

Filesize
72KB

Download
memory/4484-189-0x0000000005DE0000-0x00000000063F8000-memory.dmp

Filesize
6.1MB

Download
memory/4484-209-0x0000000006B80000-0x0000000006BF6000-memory.dmp

Filesize
472KB

Download
memory/4484-200-0x0000000005C10000-0x0000000005C76000-memory.dmp

Filesize
408KB

Download
memory/4484-214-0x0000000006A10000-0x0000000006A2E000-memory.dmp

Filesize
120KB

Download
memory/4484-197-0x00000000058D0000-0x000000000590C000-memory.dmp

Filesize
240KB

Download
memory/4484-191-0x00000000059A0000-0x0000000005AAA000-memory.dmp

Filesize
1.0MB

Download
memory/4484-201-0x0000000006CB0000-0x0000000007254000-memory.dmp

Filesize
5.6MB

Download
memory/4484-202-0x00000000067E0000-0x0000000006872000-memory.dmp

Filesize
584KB

Download
memory/4484-218-0x0000000007A80000-0x0000000007AD0000-memory.dmp

Filesize
320KB

Download
memory/4484-223-0x0000000007CA0000-0x0000000007E62000-memory.dmp

Filesize
1.8MB

Download
memory/4484-183-0x0000000000000000-mapping.dmp

Download
memory/4484-184-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4484-225-0x00000000083A0000-0x00000000088CC000-memory.dmp

Filesize
5.2MB

Download
memory/4644-135-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4644-132-0x00000000006CF000-0x00000000006E4000-memory.dmp

Filesize
84KB

Download
memory/4644-134-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4644-133-0x0000000000680000-0x0000000000689000-memory.dmp

Filesize
36KB

Download
memory/4848-277-0x0000000001490000-0x0000000001497000-memory.dmp

Filesize
28KB

Download
memory/4848-205-0x0000000001480000-0x000000000148B000-memory.dmp

Filesize
44KB

Download
memory/4848-204-0x0000000001490000-0x0000000001497000-memory.dmp

Filesize
28KB

Download
memory/4848-203-0x0000000000000000-mapping.dmp

Download
memory/4856-251-0x0000000001490000-0x0000000001496000-memory.dmp

Filesize
24KB

Download
memory/4856-282-0x0000000001490000-0x0000000001496000-memory.dmp

Filesize
24KB

Download
memory/4856-250-0x0000000000000000-mapping.dmp

Download
memory/4856-252-0x0000000001480000-0x000000000148B000-memory.dmp

Filesize
44KB

Download
memory/4880-244-0x0000000000AF0000-0x0000000001324000-memory.dmp

Filesize
8.2MB

Download
memory/4880-174-0x0000000000000000-mapping.dmp

Download
memory/4880-179-0x0000000000AF0000-0x0000000001324000-memory.dmp

Filesize
8.2MB

Download
memory/4880-262-0x0000000000AF0000-0x0000000001324000-memory.dmp

Filesize
8.2MB

Download
memory/5036-271-0x0000000000000000-mapping.dmp

Download