snakekeylogger | c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe
Size

692KB
MD5

f0683bb61a43a8dd7061dbd8ee3af88b
SHA1

c94587218dc3ce9bd66e7ebe23c720ca50afd989
SHA256

c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff
SHA512

7bc496ee73cbc6d5fa86edde2154c50cdc2aedc50fb98f368fecb30294888e1a59ec507d23a4b5b4ab2dee5dad22ea868caaea2e1b56d7e76f70b57567a5e2d7
SSDEEP

12288:x8avfjKnHHYHq03Lytq3SRlW5cY26RTTmsp2TDNJ0/el69Q01ZLkrai9i+Plb5py:x8ef8HCbB2W57/TTmq2TDNJ0mM9NipgH

Score

10^/10

snakekeylogger microsoft evasion keylogger persistence phishing stealer trojan

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.gkas.com.tr
Port:
587
Username:
[email protected]
Password:
Gkasteknik@2022

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2808-23-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

svchost.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0"	svchost.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exec9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

952 svchost.exe

pid	process
952	svchost.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0"	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""	c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Detected potential entity reuse from brand microsoft.
phishing microsoft
Suspicious use of SetThreadContext 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 952 set thread context of 2808 952 svchost.exe aspnet_wp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2328 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

928 timeout.exe

description	pid	process	target process
PID 952 set thread context of 2808	952	svchost.exe	aspnet_wp.exe

pid	process
2328	schtasks.exe

pid	process
928	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exesvchost.exepowershell.exemsedge.exemsedge.exeidentity_helper.exe

pid	process
1400	c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe
1400	c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe
1400	c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe
1400	c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe
1400	c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe
1400	c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe
1400	c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe
1400	c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe
1400	c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe
1400	c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe
1400	c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe
1400	c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe
1400	c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe
1400	c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe
1400	c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe
1400	c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe
1400	c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe
1400	c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe
1400	c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe
1400	c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe
1400	c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe
1400	c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe
1400	c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe
952	svchost.exe
952	svchost.exe
952	svchost.exe
952	svchost.exe
3208	powershell.exe
3208	powershell.exe
1464	msedge.exe
1464	msedge.exe
4352	msedge.exe
4352	msedge.exe
1528	identity_helper.exe
1528	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

4352 msedge.exe
4352 msedge.exe
4352 msedge.exe
4352 msedge.exe
4352 msedge.exe
4352 msedge.exe
4352 msedge.exe
4352 msedge.exe
4352 msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exesvchost.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1400	c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe
Token: SeDebugPrivilege	952	svchost.exe
Token: SeDebugPrivilege	3208	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.execmd.execmd.exesvchost.exeaspnet_wp.exemsedge.exe

description	pid	process	target process
PID 1400 wrote to memory of 3732	1400	c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe	cmd.exe
PID 1400 wrote to memory of 3732	1400	c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe	cmd.exe
PID 1400 wrote to memory of 3732	1400	c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe	cmd.exe
PID 1400 wrote to memory of 320	1400	c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe	cmd.exe
PID 1400 wrote to memory of 320	1400	c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe	cmd.exe
PID 1400 wrote to memory of 320	1400	c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe	cmd.exe
PID 3732 wrote to memory of 2328	3732	cmd.exe	schtasks.exe
PID 3732 wrote to memory of 2328	3732	cmd.exe	schtasks.exe
PID 3732 wrote to memory of 2328	3732	cmd.exe	schtasks.exe
PID 320 wrote to memory of 928	320	cmd.exe	timeout.exe
PID 320 wrote to memory of 928	320	cmd.exe	timeout.exe
PID 320 wrote to memory of 928	320	cmd.exe	timeout.exe
PID 320 wrote to memory of 952	320	cmd.exe	svchost.exe
PID 320 wrote to memory of 952	320	cmd.exe	svchost.exe
PID 320 wrote to memory of 952	320	cmd.exe	svchost.exe
PID 952 wrote to memory of 3208	952	svchost.exe	powershell.exe
PID 952 wrote to memory of 3208	952	svchost.exe	powershell.exe
PID 952 wrote to memory of 3208	952	svchost.exe	powershell.exe
PID 952 wrote to memory of 496	952	svchost.exe	AddInProcess.exe
PID 952 wrote to memory of 496	952	svchost.exe	AddInProcess.exe
PID 952 wrote to memory of 3088	952	svchost.exe	InstallUtil.exe
PID 952 wrote to memory of 3088	952	svchost.exe	InstallUtil.exe
PID 952 wrote to memory of 3088	952	svchost.exe	InstallUtil.exe
PID 952 wrote to memory of 2808	952	svchost.exe	aspnet_wp.exe
PID 952 wrote to memory of 2808	952	svchost.exe	aspnet_wp.exe
PID 952 wrote to memory of 2808	952	svchost.exe	aspnet_wp.exe
PID 952 wrote to memory of 2808	952	svchost.exe	aspnet_wp.exe
PID 952 wrote to memory of 2808	952	svchost.exe	aspnet_wp.exe
PID 952 wrote to memory of 2808	952	svchost.exe	aspnet_wp.exe
PID 952 wrote to memory of 2808	952	svchost.exe	aspnet_wp.exe
PID 952 wrote to memory of 2808	952	svchost.exe	aspnet_wp.exe
PID 2808 wrote to memory of 4352	2808	aspnet_wp.exe	msedge.exe
PID 2808 wrote to memory of 4352	2808	aspnet_wp.exe	msedge.exe
PID 4352 wrote to memory of 3004	4352	msedge.exe	msedge.exe
PID 4352 wrote to memory of 3004	4352	msedge.exe	msedge.exe
PID 4352 wrote to memory of 1340	4352	msedge.exe	msedge.exe
PID 4352 wrote to memory of 1340	4352	msedge.exe	msedge.exe
PID 4352 wrote to memory of 1340	4352	msedge.exe	msedge.exe
PID 4352 wrote to memory of 1340	4352	msedge.exe	msedge.exe
PID 4352 wrote to memory of 1340	4352	msedge.exe	msedge.exe
PID 4352 wrote to memory of 1340	4352	msedge.exe	msedge.exe
PID 4352 wrote to memory of 1340	4352	msedge.exe	msedge.exe
PID 4352 wrote to memory of 1340	4352	msedge.exe	msedge.exe
PID 4352 wrote to memory of 1340	4352	msedge.exe	msedge.exe
PID 4352 wrote to memory of 1340	4352	msedge.exe	msedge.exe
PID 4352 wrote to memory of 1340	4352	msedge.exe	msedge.exe
PID 4352 wrote to memory of 1340	4352	msedge.exe	msedge.exe
PID 4352 wrote to memory of 1340	4352	msedge.exe	msedge.exe
PID 4352 wrote to memory of 1340	4352	msedge.exe	msedge.exe
PID 4352 wrote to memory of 1340	4352	msedge.exe	msedge.exe
PID 4352 wrote to memory of 1340	4352	msedge.exe	msedge.exe
PID 4352 wrote to memory of 1340	4352	msedge.exe	msedge.exe
PID 4352 wrote to memory of 1340	4352	msedge.exe	msedge.exe
PID 4352 wrote to memory of 1340	4352	msedge.exe	msedge.exe
PID 4352 wrote to memory of 1340	4352	msedge.exe	msedge.exe
PID 4352 wrote to memory of 1340	4352	msedge.exe	msedge.exe
PID 4352 wrote to memory of 1340	4352	msedge.exe	msedge.exe
PID 4352 wrote to memory of 1340	4352	msedge.exe	msedge.exe
PID 4352 wrote to memory of 1340	4352	msedge.exe	msedge.exe
PID 4352 wrote to memory of 1340	4352	msedge.exe	msedge.exe
PID 4352 wrote to memory of 1340	4352	msedge.exe	msedge.exe
PID 4352 wrote to memory of 1340	4352	msedge.exe	msedge.exe
PID 4352 wrote to memory of 1340	4352	msedge.exe	msedge.exe
PID 4352 wrote to memory of 1340	4352	msedge.exe	msedge.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

svchost.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

C:\Users\Admin\AppData\Local\Temp\c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe
"C:\Users\Admin\AppData\Local\Temp\c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1400

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:3732

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
3⤵
- Creates scheduled task(s)
PID:2328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp396A.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:320

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:928

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
3⤵
- UAC bypass
- Windows security bypass
- Checks computer location settings
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:952

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe"
4⤵
PID:496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
4⤵
PID:3088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=aspnet_wp.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
5⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff94c1d46f8,0x7ff94c1d4708,0x7ff94c1d4718
6⤵
PID:3004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,8021673660497699432,10230803968806457882,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,8021673660497699432,10230803968806457882,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
6⤵
PID:64

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,8021673660497699432,10230803968806457882,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
6⤵
PID:1340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8021673660497699432,10230803968806457882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
6⤵
PID:3444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8021673660497699432,10230803968806457882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
6⤵
PID:4612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8021673660497699432,10230803968806457882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
6⤵
PID:4068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8021673660497699432,10230803968806457882,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
6⤵
PID:3624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8021673660497699432,10230803968806457882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
6⤵
PID:440

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,8021673660497699432,10230803968806457882,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 /prefetch:8
6⤵
PID:2484

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,8021673660497699432,10230803968806457882,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 /prefetch:8
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8021673660497699432,10230803968806457882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
6⤵
PID:1496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8021673660497699432,10230803968806457882,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
6⤵
PID:2548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8021673660497699432,10230803968806457882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
6⤵
PID:3288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8021673660497699432,10230803968806457882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
6⤵
PID:2148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=aspnet_wp.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
5⤵
PID:4124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff94c1d46f8,0x7ff94c1d4708,0x7ff94c1d4718
6⤵
PID:1068

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1156

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1222f8c867acd00b1fc43a44dacce158

SHA1
586ba251caf62b5012a03db9ba3a70890fc5af01

SHA256
1e451cb9ffe74fbd34091a1b8d0ab2158497c19047b3416d89e55f498aae264a

SHA512
ef3f2fc1cedfc28fb530c710219b8e9eb833a2f344b91d3ffb2d82d7bbedbc223f4b60a38bea35b72eb706e4880ffcbb9256a9768f39bae95c5544be0f503916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1222f8c867acd00b1fc43a44dacce158

SHA1
586ba251caf62b5012a03db9ba3a70890fc5af01

SHA256
1e451cb9ffe74fbd34091a1b8d0ab2158497c19047b3416d89e55f498aae264a

SHA512
ef3f2fc1cedfc28fb530c710219b8e9eb833a2f344b91d3ffb2d82d7bbedbc223f4b60a38bea35b72eb706e4880ffcbb9256a9768f39bae95c5544be0f503916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
13af14ad9b18074d9cf992f873c9c3f6

SHA1
3ce328d1046999f11b0c1e892a88fa1021a868e5

SHA256
e346d6fcca8a6bec80fc1e8be53580120b1f08a7c7624460266dd1eae9a637fa

SHA512
85e54df1617b21c529c27af14b77ba55b62135f16b1458078aaf2f50b666c0d8927b85f9ee004cbbd7e16333e0da150207c3fe8d68aaf3b9ca018b7dd9a3c2aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
437B

MD5
05592d6b429a6209d372dba7629ce97c

SHA1
b4d45e956e3ec9651d4e1e045b887c7ccbdde326

SHA256
3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd

SHA512
caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0d5f1c5358c8658e8632ed47d8a80165

SHA1
0468ca530ab8f7d0c12de31285c84f1ab695792c

SHA256
95180debaca4144c7e265cb43fec55efb29319f764b0100d78ebb8171b9d6d1e

SHA512
d42c3de9f2fbc941e7da9602d19544730bdb61ae5032b9ffa7a6634f704361e89788320976e7b2f8da414f1f9f55a82af96946c6acca03a154939adeb4679bfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8b648003dfaa8ddda6e68e7bb5359937

SHA1
0844b3bb1f496002004c84b964b336ff7a83545f

SHA256
30a6cc252fc96f7d02d321b6f8976939913e0123cc824b2b01eeebf1e4225133

SHA512
8e9713064444c6f87c2ba855e61ee874ef6f78bb368b700b3319a438a50e29a1ea05154b60fdae50b7149cec158093e3f8c6a549a4f681ebfe6754ced62b695a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1ad74b1336e62de16539f98331047081

SHA1
0677f81e4ebe6b57142d7a06dc22e59749ed3e84

SHA256
b3257df2ac9a3b8a85726b68100328b70a312d960a7954a325d88c58f168ddfe

SHA512
8cec58a5c1b35198b2d7eca6b1d709ed3f284fdea3a8c476a7dcb0f07e12e46d2410992481d8c70c351c1f4cd016f0db6e99c92e028eabe6a5a0155b6a871cc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
15ad31a14e9a92d2937174141e80c28d

SHA1
b09e8d44c07123754008ba2f9ff4b8d4e332d4e5

SHA256
bf983e704839ef295b4c957f1adeee146aaf58f2dbf5b1e2d4b709cec65eccde

SHA512
ec744a79ccbfca52357d4f0212e7afd26bc93efd566dd5d861bf0671069ba5cb7e84069e0ea091c73dee57e9de9bb412fb68852281ae9bd84c11a871f5362296

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
9e8bfaafaefac70b6bfe440fd3beeb0b

SHA1
3f0724be0714de1279bf5e9272bbea12b3499ec2

SHA256
e3c07232f1281e08a2b7915c53c1a002aafefc36136e3e3188adce2585b11f33

SHA512
d4d7bc29bde21d2098258e734de01fee6c593cb033a11b71db8c1e30a3de369769f3899bfa6d36b66f3a6dfe080994ac13a33b670a98cae331fcb0171c18afd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58c8f8.TMP

Filesize
371B

MD5
7433e60501ea54690f965d1f7477fadf

SHA1
0e10b0a0cb423e9b0819b9866dce8d00e5bc0e59

SHA256
71fb0fee39e0c50c431aad2aabfa9a1185c0898d9e85a3a63e24a930f83a7721

SHA512
0460c03f9bad48b229ff078081ae81e15b4d78f33d4c1f9de878bd916e6ff00e21c84ffc888efe11bbe00be889d8aea3ee76186255b93f9e63b180ec59d60183

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\b38e44fb-a3aa-45cb-b014-f45fe91d163f.tmp

Filesize
10KB

MD5
7c0d64d7da3a4ade759f42b985f6007b

SHA1
72175747296f99489d254bada2d765208c12f590

SHA256
a20db4da4524f13f96cd615855db08bfc779aa43b9f2612ba771d2a8c1a82a88

SHA512
93bdedc7355cc24695d123f488ea8969d8120ef285967d1034b37223d78b9d70bc769f7bf8b60517ec3751cf293c1e472e6db1dd6f0e3113c4ebeb8ac0d41069

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hplvbaju.yzy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp396A.tmp.bat

Filesize
151B

MD5
c9344e82f9c4ebdd99651804f18eb38f

SHA1
66ce921dcb85bb508b812ad0c2f7a381161ddc4b

SHA256
4255de1392dea0a059e5e3c77ef4ad828038eb153ea87d977676b52a150d0094

SHA512
37f7177489feb12e44d212a10d92452634d37bdae07f15175054144dfe1a6b3d68b2de7e998d5e30a3685a34869a4ffa99dfb5dac4359d5ee86bc7bbe8683eb6

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
692KB

MD5
f0683bb61a43a8dd7061dbd8ee3af88b

SHA1
c94587218dc3ce9bd66e7ebe23c720ca50afd989

SHA256
c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff

SHA512
7bc496ee73cbc6d5fa86edde2154c50cdc2aedc50fb98f368fecb30294888e1a59ec507d23a4b5b4ab2dee5dad22ea868caaea2e1b56d7e76f70b57567a5e2d7

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
692KB

MD5
f0683bb61a43a8dd7061dbd8ee3af88b

SHA1
c94587218dc3ce9bd66e7ebe23c720ca50afd989

SHA256
c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff

SHA512
7bc496ee73cbc6d5fa86edde2154c50cdc2aedc50fb98f368fecb30294888e1a59ec507d23a4b5b4ab2dee5dad22ea868caaea2e1b56d7e76f70b57567a5e2d7

Download Submit
\??\pipe\LOCAL\crashpad_4352_MCMLMZMUYKGDFMAS

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/952-26-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download
memory/952-19-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download
memory/1400-5-0x0000000005750000-0x0000000005760000-memory.dmp

Filesize
64KB

Download
memory/1400-14-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download
memory/1400-9-0x0000000005C70000-0x0000000005C8A000-memory.dmp

Filesize
104KB

Download
memory/1400-8-0x0000000005750000-0x0000000005760000-memory.dmp

Filesize
64KB

Download
memory/1400-7-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download
memory/1400-6-0x0000000005A00000-0x0000000005A70000-memory.dmp

Filesize
448KB

Download
memory/1400-4-0x0000000005E40000-0x0000000005ED2000-memory.dmp

Filesize
584KB

Download
memory/1400-3-0x00000000062F0000-0x0000000006894000-memory.dmp

Filesize
5.6MB

Download
memory/1400-0-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download
memory/1400-2-0x0000000005960000-0x00000000059FC000-memory.dmp

Filesize
624KB

Download
memory/1400-1-0x0000000000D30000-0x0000000000DE2000-memory.dmp

Filesize
712KB

Download
memory/2808-23-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3208-21-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download
memory/3208-84-0x0000000006F70000-0x0000000006FA2000-memory.dmp

Filesize
200KB

Download
memory/3208-89-0x000000006F440000-0x000000006F48C000-memory.dmp

Filesize
304KB

Download
memory/3208-101-0x0000000006F30000-0x0000000006F4E000-memory.dmp

Filesize
120KB

Download
memory/3208-104-0x0000000007B60000-0x0000000007C03000-memory.dmp

Filesize
652KB

Download
memory/3208-108-0x00000000082D0000-0x000000000894A000-memory.dmp

Filesize
6.5MB

Download
memory/3208-109-0x0000000007C80000-0x0000000007C9A000-memory.dmp

Filesize
104KB

Download
memory/3208-114-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download
memory/3208-115-0x0000000007CF0000-0x0000000007CFA000-memory.dmp

Filesize
40KB

Download
memory/3208-117-0x0000000007F00000-0x0000000007F96000-memory.dmp

Filesize
600KB

Download
memory/3208-122-0x0000000007E80000-0x0000000007E91000-memory.dmp

Filesize
68KB

Download
memory/3208-123-0x0000000003130000-0x0000000003140000-memory.dmp

Filesize
64KB

Download
memory/3208-124-0x0000000003130000-0x0000000003140000-memory.dmp

Filesize
64KB

Download
memory/3208-125-0x0000000007EB0000-0x0000000007EBE000-memory.dmp

Filesize
56KB

Download
memory/3208-126-0x0000000007EC0000-0x0000000007ED4000-memory.dmp

Filesize
80KB

Download
memory/3208-127-0x0000000007FC0000-0x0000000007FDA000-memory.dmp

Filesize
104KB

Download
memory/3208-128-0x0000000007FA0000-0x0000000007FA8000-memory.dmp

Filesize
32KB

Download
memory/3208-137-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download
memory/3208-74-0x000000007F680000-0x000000007F690000-memory.dmp

Filesize
64KB

Download
memory/3208-59-0x0000000003130000-0x0000000003140000-memory.dmp

Filesize
64KB

Download
memory/3208-41-0x00000000069B0000-0x00000000069FC000-memory.dmp

Filesize
304KB

Download
memory/3208-40-0x0000000006970000-0x000000000698E000-memory.dmp

Filesize
120KB

Download
memory/3208-39-0x00000000064A0000-0x00000000067F4000-memory.dmp

Filesize
3.3MB

Download
memory/3208-29-0x0000000006330000-0x0000000006396000-memory.dmp

Filesize
408KB

Download
memory/3208-28-0x00000000062C0000-0x0000000006326000-memory.dmp

Filesize
408KB

Download
memory/3208-27-0x00000000059B0000-0x00000000059D2000-memory.dmp

Filesize
136KB

Download
memory/3208-25-0x0000000005B20000-0x0000000006148000-memory.dmp

Filesize
6.2MB

Download
memory/3208-20-0x0000000003030000-0x0000000003066000-memory.dmp

Filesize
216KB

Download
memory/3208-22-0x0000000003130000-0x0000000003140000-memory.dmp

Filesize
64KB

Download