agenttesla | hxxp://chaosracer[.]io/assets/php-back/download[.]php

Analysis

max time kernel
717s
max time network
457s
platform
windows11-21h2_x64
resource
win11-20231128-en
resource tags

arch:x64arch:x86image:win11-20231128-enlocale:en-usos:windows11-21h2-x64system
submitted
02-12-2023 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://chaosracer.io/assets/php-back/download.php

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Unconfirmed 830799.crdownload	family_agenttesla
C:\Users\Admin\Downloads\Chaos Racer.exe	family_agenttesla
C:\Users\Admin\Downloads\Chaos Racer.exe	family_agenttesla
behavioral2/memory/3560-265-0x00000000081D0000-0x00000000086A0000-memory.dmp	family_agenttesla
behavioral2/memory/3560-268-0x00000000081D0000-0x00000000086A0000-memory.dmp	family_agenttesla

Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

Chaos Racer.exemservice32.exemservice64.exe

pid process

3560 Chaos Racer.exe
4352 mservice32.exe
2604 mservice64.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

mservice32.exe

description ioc process

File opened (read-only) \??\F: mservice32.exe
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

12 api.db-ip.com
32 api.db-ip.com
11 myexternalip.com

pid	process
3560	Chaos Racer.exe
4352	mservice32.exe
2604	mservice64.exe

description	ioc	process
File opened (read-only)	\??\F:	mservice32.exe

flow	ioc
12	api.db-ip.com
32	api.db-ip.com
11	myexternalip.com

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exeChaos Racer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Chaos Racer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Chaos Racer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Chaos Racer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Kills process with taskkill 9 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2900	taskkill.exe
4832	taskkill.exe
1292	taskkill.exe
4856	taskkill.exe
3912	taskkill.exe
2076	taskkill.exe
3104	taskkill.exe
5108	taskkill.exe
3084	taskkill.exe

Modifies registry class 2 IoCs

Processes:

msedge.exeMiniSearchHost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 830799.crdownload:SmartScreen msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 830799.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemservice32.exe

pid	process
4956	msedge.exe
4956	msedge.exe
2404	msedge.exe
2404	msedge.exe
492	msedge.exe
492	msedge.exe
712	identity_helper.exe
712	identity_helper.exe
3020	msedge.exe
3020	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
4352	mservice32.exe
4352	mservice32.exe
4352	mservice32.exe
4352	mservice32.exe
4352	mservice32.exe
4352	mservice32.exe
4352	mservice32.exe
4352	mservice32.exe
4352	mservice32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid process

2404 msedge.exe
2404 msedge.exe
2404 msedge.exe
2404 msedge.exe
2404 msedge.exe
2404 msedge.exe
2404 msedge.exe
2404 msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	3912	taskkill.exe
Token: SeDebugPrivilege	2900	taskkill.exe
Token: SeDebugPrivilege	2076	taskkill.exe
Token: SeDebugPrivilege	4832	taskkill.exe
Token: SeDebugPrivilege	3104	taskkill.exe
Token: SeDebugPrivilege	1292	taskkill.exe
Token: SeDebugPrivilege	4856	taskkill.exe
Token: SeDebugPrivilege	5108	taskkill.exe
Token: SeDebugPrivilege	3084	taskkill.exe

Suspicious use of FindShellTrayWindow 63 IoCs

Processes:

msedge.exe

pid	process
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MiniSearchHost.exe

pid process

4360 MiniSearchHost.exe

pid	process
4360	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2404 wrote to memory of 4780	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4780	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2808	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2808	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2808	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2808	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2808	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2808	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2808	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2808	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2808	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2808	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2808	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2808	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2808	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2808	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2808	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2808	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2808	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2808	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2808	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2808	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2808	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2808	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2808	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2808	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2808	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2808	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2808	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2808	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2808	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2808	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2808	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2808	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2808	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2808	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2808	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2808	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2808	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2808	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2808	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2808	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4956	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4956	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 3064	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 3064	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 3064	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 3064	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 3064	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 3064	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 3064	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 3064	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 3064	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 3064	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 3064	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 3064	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 3064	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 3064	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 3064	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 3064	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 3064	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 3064	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 3064	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 3064	2404	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://chaosracer.io/assets/php-back/download.php
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xe0,0xe4,0xe8,0xdc,0x10c,0x7ff9dacc3cb8,0x7ff9dacc3cc8,0x7ff9dacc3cd8
2⤵
PID:4780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,10986612034634113763,12532022991347661261,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
2⤵
PID:2808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,10986612034634113763,12532022991347661261,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,10986612034634113763,12532022991347661261,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
2⤵
PID:3064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10986612034634113763,12532022991347661261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
2⤵
PID:4064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10986612034634113763,12532022991347661261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
2⤵
PID:676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10986612034634113763,12532022991347661261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
2⤵
PID:4352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10986612034634113763,12532022991347661261,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
2⤵
PID:3324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10986612034634113763,12532022991347661261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
2⤵
PID:4272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1932,10986612034634113763,12532022991347661261,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5436 /prefetch:8
2⤵
PID:3844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10986612034634113763,12532022991347661261,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1
2⤵
PID:4764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10986612034634113763,12532022991347661261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
2⤵
PID:2220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1932,10986612034634113763,12532022991347661261,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5800 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:492

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,10986612034634113763,12532022991347661261,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6180 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10986612034634113763,12532022991347661261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
2⤵
PID:2960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1932,10986612034634113763,12532022991347661261,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3104 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,10986612034634113763,12532022991347661261,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1264 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,10986612034634113763,12532022991347661261,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2500 /prefetch:2
2⤵
PID:3260

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4084

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2540

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1908

C:\Users\Admin\Downloads\Chaos Racer.exe
"C:\Users\Admin\Downloads\Chaos Racer.exe"
1⤵
- Executes dropped EXE
- Enumerates system info in registry
PID:3560

C:\Users\Admin\AppData\Local\Temp\mservice32.exe
"C:\Users\Admin\AppData\Local\Temp\mservice32.exe"
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:4352

C:\Windows\system32\taskkill.exe
"taskkill.exe" /PID 2808 /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3912

C:\Windows\system32\taskkill.exe
"taskkill.exe" /PID 4956 /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2900

C:\Windows\system32\taskkill.exe
"taskkill.exe" /PID 4764 /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2076

C:\Windows\system32\taskkill.exe
"taskkill.exe" /PID 2404 /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4832

C:\Windows\system32\taskkill.exe
"taskkill.exe" /PID 4780 /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3104

C:\Windows\system32\taskkill.exe
"taskkill.exe" /PID 676 /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1292

C:\Windows\system32\taskkill.exe
"taskkill.exe" /PID 3064 /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4856

C:\Windows\system32\taskkill.exe
"taskkill.exe" /PID 2220 /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5108

C:\Windows\system32\taskkill.exe
"taskkill.exe" /PID 2960 /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3084

C:\Users\Admin\AppData\Local\Temp\mservice64.exe
"C:\Users\Admin\AppData\Local\Temp\mservice64.exe"
2⤵
- Executes dropped EXE
PID:2604

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:412

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3348

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439cc96156cf343dade9345e6add733d

SHA1
12ae10c8d3698eaa2111449a8b7c972e52e82485

SHA256
760c7f67c10f0a7b2539697f083b5ecf5286596fb90b2de115e9fbad518c8071

SHA512
9f3081c7857a3e7155c1b1170b8c706445b0044eaac6dce45ef95a89ff7e96544a3b6d2d05bbf20cfc6585ba5001c3b24c242600db59c3201db5fa4d8ca1a995

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
8989bc5fc6f52d9c37dd72e2868e5441

SHA1
d1918e9a208f3589439bf504dccdb84e06465d92

SHA256
8be4baae74a5b7ce40dde2dcd2819a6eb056ef702a98be5cd0b6957daa986ced

SHA512
3185009e9f1786dc981dcf36b0e1117e461d488cdcaa1313fcccade638b5891c44581f9db18bdf0af1029c518b952c557db6433d0c70ffc4ee8a00c681036c93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
366B

MD5
279ae02e565357ee88bbfa40ad97dd50

SHA1
98681f7244f4e226718224f0bcd8b3a5ba00b23e

SHA256
d23cb0892878ec0d27457ffcdfa875e747f0e7ac75bfa6141f14a5fc45e5b0cf

SHA512
52c7359731f499815141359b86e370b2d80166b526291344de37934ab1568e5bfccbb17461ae6128b1150776268e97ac2e34add423e110bcb88ad4d9e9042e03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
58c04d110e3e2b293559d6a9518c1f53

SHA1
ec9d3c65d5c6ed7849490927d2caf05032573144

SHA256
74bf0add2706c6a0a09e0cd77aea2e8e1a6a48bcaf4c4aa093af8ce48e1c5a9f

SHA512
bd8e856b420ffb98d8ae1598dead1fa6fc71a8fb8365bc0fa4f763987a725e308eec1003d023ee45877f44ebd5bd1e6d554b52e12e424cdf600b334c5e85394f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5bf758ec42d8ab1f1a86407ed90c00c3

SHA1
42a6a364d6ae488ab06d38a1de713aeb40ef77e1

SHA256
2879a7cf3b4bcc9c6432714993400f14bb269b493bb0333c3fb863aeb7b035e9

SHA512
b2804a5fad92afd15478724d35b0211ae1173cc079ed412870e2ed49337845794048c867554065d20567db5fbe05538c014ebc17c3887650ece47a5d6f9ab067

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
79395b1f4f46e89853c8d6bbbd6c2f04

SHA1
0a472822c6880c0ceb6a6fa4c10475f36bf6d461

SHA256
582476e23fda961585f75f73f8ed5d354955ed11b6887ba7b98bc5500037b9f5

SHA512
d4eab6989ee85a8084a2b5f65baf6730aa4a08c3ab351434214613e996804605f0abd0cd65d25f0fc07a0cc2a1d949686481392c6dbb4654ed2f7e1dc8831ee7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Functional Data-wal

Filesize
48KB

MD5
2f64ff5caa28beea2451a8bd4a0825af

SHA1
412f08054c5a720293a936fdb4b2145df7c948c3

SHA256
ae5a8c2c877890ee16863e36f47330b7d7034427ac7c9df2b760a15f213ac017

SHA512
299f388b1deed2078c6e14c20685cac3294868c049d5018ebb9c10560ccbfc9509048e53f3a3541c84d759cdd9c7c0d798634c17406deefe5fcb79c3f226ff2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Functional SAN Data-wal

Filesize
48KB

MD5
21c1ff7e61a1ac1eda29bbdcd0aa66de

SHA1
31bb6f7b5cc13c2f8509cc3955a6fa4a40017189

SHA256
363046d039b7c48b287c1434778f1f9cf0182df6111deebd13a22b8a604d0235

SHA512
426beeb826dfdc9c8437dc126ef55874c301e4a0b99fd687bbd29a725dc06904cc72da6714b681a5aa39bbeba607819136a2757d3a799d119237a9f51c1c69b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000002

Filesize
20KB

MD5
2a029687e73114ebcb4fad10c0114e8a

SHA1
f09cbbed46b9f8c731568bdcee13024e89bda397

SHA256
fe6e92a5b020858bbdd8089533c6f22703bc5927e22f689c384164096705b11b

SHA512
211dc45e2bb5739bcf863c44ca8132f92e895b3c95d074929aa4338698d53c6ccb3a8e2f23180260d9226073f4f5cd21a200010a7a224de7c8ac2e1cc853730d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Browser

Filesize
120B

MD5
a397e5983d4a1619e36143b4d804b870

SHA1
aa135a8cc2469cfd1ef2d7955f027d95be5dfbd4

SHA256
9c70f766d3b84fc2bb298efa37cc9191f28bec336329cc11468cfadbc3b137f4

SHA512
4159ea654152d2810c95648694dd71957c84ea825fcca87b36f7e3282a72b30ef741805c610c5fa847ca186e34bde9c289aaa7b6931c5b257f1d11255cd2a816

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c8f00604be150ddf554ed2c796cd96be

SHA1
a8c0ed548f869d1183daf94438a8d19b05521493

SHA256
bc4e0d3c9a5031453cc8b8df90efe2be64be754340d741f720fcff3000ba0399

SHA512
de021e347f0c68929e61857ca3b1826482dd63f75308fc61a127029a0cf09e4184a4126d8d33ea1227f14fd2cd571f76d5806027242b15a21e327077422e0ce8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c8f00604be150ddf554ed2c796cd96be

SHA1
a8c0ed548f869d1183daf94438a8d19b05521493

SHA256
bc4e0d3c9a5031453cc8b8df90efe2be64be754340d741f720fcff3000ba0399

SHA512
de021e347f0c68929e61857ca3b1826482dd63f75308fc61a127029a0cf09e4184a4126d8d33ea1227f14fd2cd571f76d5806027242b15a21e327077422e0ce8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5bf628102f796aa20ccf95cf0e3c1dd7

SHA1
589ce095d1cd90d0f5786179983e60daf267b3c4

SHA256
fe4d9ba6378bb00a3d0a43a36e2117d6e3bab40d1f86ee797439f4a0990fddf1

SHA512
178fa021077a88e8707237ab2ca94abe3639ef86ed3767103b6d5de5aa81f85b27ad3627455b16a00fe7415b6b9e85fc3041965003130d48effe2620110b6059

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
562841c3a6f60f00cd90b9059aa47f0f

SHA1
d6e48c57b77937e4e6054d602120f163e4932579

SHA256
0d45d55884a67218312a7bc3762b17cee93a0d1eda39c76646df792bd3a20aa6

SHA512
05e3cb7453215ef4968168a3515ca23f07db3ff2a43f7941b76f8abec9ce9bbc939f493725f8181b80c998ebc0d19ebb498d110ed7b4f0dec11f12445a9a5f3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Safe Browsing Cookies

Filesize
20KB

MD5
22be08f683bcc01d7a9799bbd2c10041

SHA1
2efb6041cf3d6e67970135e592569c76fc4c41de

SHA256
451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457

SHA512
0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Safe Browsing Cookies-journal

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
22f3f0e6445ae7b8979f821c52ef26f7

SHA1
c8c1d103e3bb79c9a19991d3077197333e0efdd6

SHA256
7494d6548e2af69efbba8619ec8d99f29dc36889cb08e6855e14dfc30ca71127

SHA512
877f39779d5794e691d8092fbe622eb921e2396275f7fab38448ed0aedd42bc8b04429eedfbee045d64a75322b3b87a1358fea32ab957fa49002e7f3e72da55e

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
bf578ec243ca1d586bd6e40250db83bd

SHA1
2e429f71cb9b6cd61ff617b4666105684637cb2c

SHA256
d60cb8ff0c98fe68ba862fd84ed41d2a1148d56c8cd9f7f8b960fdfa60c6db00

SHA512
30a6ff54eed467ee7ed5fc23692a634b5e75b3c70b161f61c9c395f4088764a1f71faeb7cfc0cb8df8bf82cd16b66ac3fbdb5f917c55f2c900338ff8ab55b6dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\mservice32.exe

Filesize
3.6MB

MD5
0e66e87272133b2eec7350dedb1c2afe

SHA1
6a44feec95ada7afc306ef339ac542af6390a87e

SHA256
ae1d41d281843c262664c0b1af77004f617aeace2134593a7ff4b67dc8a5d3a0

SHA512
2f250916a7ef549c875d7a64bb3df8bb22a3cc7420bfd58929a35555eea76d4ccbe12aef7966cd92c529aa8fbd0a62a269f9385567cf23d0779310b3f195acb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mservice32.exe

Filesize
3.6MB

MD5
0e66e87272133b2eec7350dedb1c2afe

SHA1
6a44feec95ada7afc306ef339ac542af6390a87e

SHA256
ae1d41d281843c262664c0b1af77004f617aeace2134593a7ff4b67dc8a5d3a0

SHA512
2f250916a7ef549c875d7a64bb3df8bb22a3cc7420bfd58929a35555eea76d4ccbe12aef7966cd92c529aa8fbd0a62a269f9385567cf23d0779310b3f195acb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mservice64.exe

Filesize
720KB

MD5
e322d24ebf478487ab5af289e9eac1bb

SHA1
a4b50806adbcb38f15b486f0fed734faccd709ed

SHA256
e7502bd80687ebc02775a9b9e1d3c7dcca124617c2b9a1daf402edb25fab414a

SHA512
00083782d21539d71886f08e6a673442f1fb0f648bf4b7c30b5560c4fe629586204a3a70c1c4e04ad2a5e70c9afa8e1fe4ecad68203a21c173046c3fe48b950d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mservice64.exe

Filesize
720KB

MD5
e322d24ebf478487ab5af289e9eac1bb

SHA1
a4b50806adbcb38f15b486f0fed734faccd709ed

SHA256
e7502bd80687ebc02775a9b9e1d3c7dcca124617c2b9a1daf402edb25fab414a

SHA512
00083782d21539d71886f08e6a673442f1fb0f648bf4b7c30b5560c4fe629586204a3a70c1c4e04ad2a5e70c9afa8e1fe4ecad68203a21c173046c3fe48b950d

Download Submit
C:\Users\Admin\Downloads\Chaos Racer.exe

Filesize
154.0MB

MD5
367deb240dcaa6a997fb2b3439a7a8b3

SHA1
0182cdffd241ff90bd2c2ac8a680360a16223aa6

SHA256
35fd94e70ca896543498de925cd7abc84b7b2731d4af5295a1a4ade31dc07930

SHA512
03f59defd4be1a4e49bb0ad67a337881a9cddced208aeaaedae502c757cab630e6056b86534e017294c80ca0b55d43f60ac28c30ca1f9c36c418133cde92f6a8

Download Submit
C:\Users\Admin\Downloads\Chaos Racer.exe

Filesize
154.0MB

MD5
367deb240dcaa6a997fb2b3439a7a8b3

SHA1
0182cdffd241ff90bd2c2ac8a680360a16223aa6

SHA256
35fd94e70ca896543498de925cd7abc84b7b2731d4af5295a1a4ade31dc07930

SHA512
03f59defd4be1a4e49bb0ad67a337881a9cddced208aeaaedae502c757cab630e6056b86534e017294c80ca0b55d43f60ac28c30ca1f9c36c418133cde92f6a8

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 830799.crdownload

Filesize
154.0MB

MD5
367deb240dcaa6a997fb2b3439a7a8b3

SHA1
0182cdffd241ff90bd2c2ac8a680360a16223aa6

SHA256
35fd94e70ca896543498de925cd7abc84b7b2731d4af5295a1a4ade31dc07930

SHA512
03f59defd4be1a4e49bb0ad67a337881a9cddced208aeaaedae502c757cab630e6056b86534e017294c80ca0b55d43f60ac28c30ca1f9c36c418133cde92f6a8

Download Submit
\??\pipe\LOCAL\crashpad_2404_NJOLEUQGMTBHMGCJ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2604-494-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2604-493-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3560-237-0x0000000006BD0000-0x0000000006BE2000-memory.dmp

Filesize
72KB

Download
memory/3560-234-0x0000000006BD0000-0x0000000006BE2000-memory.dmp

Filesize
72KB

Download
memory/3560-244-0x0000000006C30000-0x0000000006C4D000-memory.dmp

Filesize
116KB

Download
memory/3560-245-0x0000000006D70000-0x0000000006DAA000-memory.dmp

Filesize
232KB

Download
memory/3560-248-0x0000000006D70000-0x0000000006DAA000-memory.dmp

Filesize
232KB

Download
memory/3560-249-0x0000000006EA0000-0x0000000006F89000-memory.dmp

Filesize
932KB

Download
memory/3560-252-0x0000000006EA0000-0x0000000006F89000-memory.dmp

Filesize
932KB

Download
memory/3560-253-0x0000000006C20000-0x0000000006C26000-memory.dmp

Filesize
24KB

Download
memory/3560-256-0x0000000006C20000-0x0000000006C26000-memory.dmp

Filesize
24KB

Download
memory/3560-257-0x0000000006C60000-0x0000000006C69000-memory.dmp

Filesize
36KB

Download
memory/3560-260-0x0000000006C60000-0x0000000006C69000-memory.dmp

Filesize
36KB

Download
memory/3560-261-0x0000000007C40000-0x0000000007CE5000-memory.dmp

Filesize
660KB

Download
memory/3560-264-0x0000000007C40000-0x0000000007CE5000-memory.dmp

Filesize
660KB

Download
memory/3560-265-0x00000000081D0000-0x00000000086A0000-memory.dmp

Filesize
4.8MB

Download
memory/3560-268-0x00000000081D0000-0x00000000086A0000-memory.dmp

Filesize
4.8MB

Download
memory/3560-269-0x0000000006E00000-0x0000000006E05000-memory.dmp

Filesize
20KB

Download
memory/3560-324-0x0000000000520000-0x0000000000D48000-memory.dmp

Filesize
8.2MB

Download
memory/3560-241-0x0000000006C30000-0x0000000006C4D000-memory.dmp

Filesize
116KB

Download
memory/3560-233-0x0000000006B80000-0x0000000006B95000-memory.dmp

Filesize
84KB

Download
memory/3560-230-0x0000000006B80000-0x0000000006B95000-memory.dmp

Filesize
84KB

Download
memory/3560-229-0x0000000006B30000-0x0000000006B4F000-memory.dmp

Filesize
124KB

Download
memory/3560-226-0x0000000006B30000-0x0000000006B4F000-memory.dmp

Filesize
124KB

Download
memory/3560-222-0x0000000006B50000-0x0000000006B5C000-memory.dmp

Filesize
48KB

Download
memory/3560-225-0x0000000006B50000-0x0000000006B5C000-memory.dmp

Filesize
48KB

Download
memory/3560-221-0x0000000006C70000-0x0000000006D24000-memory.dmp

Filesize
720KB

Download
memory/3560-218-0x0000000006C70000-0x0000000006D24000-memory.dmp

Filesize
720KB

Download
memory/3560-215-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3560-214-0x0000000009F30000-0x000000000AB18000-memory.dmp

Filesize
11.9MB

Download
memory/3560-211-0x0000000009F30000-0x000000000AB18000-memory.dmp

Filesize
11.9MB

Download
memory/3560-208-0x0000000008DC0000-0x0000000009F2F000-memory.dmp

Filesize
17.4MB

Download
memory/3560-195-0x0000000008DC0000-0x0000000009F2F000-memory.dmp

Filesize
17.4MB

Download
memory/3560-196-0x0000000000520000-0x0000000000D48000-memory.dmp

Filesize
8.2MB

Download
memory/3560-194-0x00000000072B0000-0x0000000007C39000-memory.dmp

Filesize
9.5MB

Download
memory/3560-191-0x00000000072B0000-0x0000000007C39000-memory.dmp

Filesize
9.5MB

Download