Analysis
-
max time kernel
12s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system -
submitted
04-01-2024 14:31
Static task
static1
Behavioral task
behavioral1
Sample
2f3c9be60064deb5a63a27f1c4e50cc0.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
2f3c9be60064deb5a63a27f1c4e50cc0.exe
Resource
win10v2004-20231215-en
General
-
Target
2f3c9be60064deb5a63a27f1c4e50cc0.exe
-
Size
6.2MB
-
MD5
2f3c9be60064deb5a63a27f1c4e50cc0
-
SHA1
32e3dd4cfc7dc41072c9eee17c6bf2e1553802a4
-
SHA256
87545d25bd7ba1490287b40c178d3b75765457565caa7d27a801d8a2e21d5fd3
-
SHA512
6ccb95bdd98c765656e112fee20c88e7eeb745d82361c1ae5e1fa56a17e556e1be198058a3b99e5d43cd330f96fa3b5ac6da53d7b62f25dcfea26f4503dff61a
-
SSDEEP
98304:lF8zNNrIkyFXuqSqYJebYimqjeL5UnG/xDrMBjrM9DVncLlw5gTeV0kJ7Hi:lF8IwvJeb5mHFt5m8a2EvM
Malware Config
Extracted
Family smokeloader
Version 2022
C2 http://185.215.113.68/fks/index.php
-
Extracted
Family redline
Botnet 777
C2 195.20.16.103:20440
Signatures
-
Detect ZGRat V1 1 IoCs
Processes:
- yara rule family_zgrat_v1 matched behavioral2/memory/1328-486-0x0000000000440000-0x0000000000BD2000-memory.dmp
-
Modifies Windows Defender Real-time Protection settings 7 IoCs
Processes:
- 2pX3090.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
- 2pX3090.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- 2pX3090.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
- 2pX3090.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"
- 2pX3090.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
- 2pX3090.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
- 2pX3090.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
These are Defender's Group Policy values; set to 1 they switch off real-time, behaviour, on-access, IOAV (download) and raw-write-notification scanning. The path shows WOW6432Node because 2pX3090.exe is a 32-bit process and its write was redirected; Defender's 64-bit service reads the native HKLM\SOFTWARE\Policies\Microsoft\Windows Defender key, so check the native view on a real host before concluding that protection was actually disabled. The report records the write, not Defender's resulting state.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
Processes:
- yara rule family_redline matched behavioral2/memory/5212-621-0x0000000000400000-0x0000000000452000-memory.dmp
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Drops startup file 1 IoCs
Processes:
- 2pX3090.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk
-
Executes dropped EXE 6 IoCs
Processes:
- PID 464 Xj6Hl21.exe
- PID 1080 SP4Rr42.exe
- PID 404 Qf8gp08.exe
- PID 1368 Vr8oH09.exe
- PID 3604 1dP82wv5.exe
- PID 224 2pX3090.exe
-
Loads dropped DLL 1 IoCs
Processes:
- PID 224 2pX3090.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 1 IoCs
Processes:
- yara rule themida matched behavioral2/memory/1328-486-0x0000000000440000-0x0000000000BD2000-memory.dmp
This is the same memory region (PID 1328, 0x440000-0xBD2000) that matched family_zgrat_v1 above: the ZGRat payload is Themida-protected, so the memory dump, not the file on disk, is the artefact to analyse.
-
Windows security modification 2 IoCs
Processes:
- 2pX3090.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
- 2pX3090.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
This is the Tamper Protection switch itself. As with the Real-Time Protection policy values, the 32-bit writer landed in the WOW6432Node view; the 64-bit Defender service reads the native HKLM\SOFTWARE\Microsoft\Windows Defender\Features key, so whether this write had any effect has to be verified on the host rather than read off the report.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
- 2pX3090.exe: Key opened \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- 2pX3090.exe: Key opened \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- 2pX3090.exe: Key opened \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
The 9375CFF0413111d3B88A00104B2A6676 subkey is where Outlook stores per-account settings, including mail-server credentials. The three paths cover Office 2013 (15.0), Office 2016 and later (16.0) and the legacy Windows Messaging Subsystem location, which is the usual sweep an infostealer makes for e-mail credentials.
-
Adds Run key to start application 2 TTPs 6 IoCs
Processes:
- 2pX3090.exe: Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\Users\Admin\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe"
- 2f3c9be60064deb5a63a27f1c4e50cc0.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
- Xj6Hl21.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"
- SP4Rr42.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\"
- Qf8gp08.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\"
- Vr8oH09.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\"
Only the first entry is persistence: MaxLoonaFest131 under the user's Run key, set by 2pX3090.exe (the FANBooster131.lnk Startup-folder entry listed under "Drops startup file" is the same process's second persistence entry). The five wextract_cleanupN RunOnce values are the standard behaviour of the Windows IExpress/wextract self-extractor: each layer of the package unpacks into %TEMP%\IXP00N.TMP and registers a RunOnce entry that deletes that directory at the next logon. They show that the sample is a five-layer nested self-extracting package, not that five components persist.
-
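A triage pass over registry events of the shape shown in the Defender and Run-key sections above, as an added example (not part of the Triage report or of any tool it names): it normalises the kernel-style paths, flags the Real-Time Protection and TamperProtection writes, flags Run/RunOnce values that point into user-writable directories, and exempts the wextract cleanup entries. The sample events are constructed from this report's rows; the rule names and the severity scoring are the example's own choices.

```python
"""Classify sandbox registry writes into Defender-tampering and persistence findings.

Added example, not part of the Triage report. SAMPLE_EVENTS is constructed
from the 'Set value' / 'Key created' rows of this report; rule names and
severity scoring are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RegEvent:
    process: str            # writing process, e.g. "2pX3090.exe"
    op: str                 # "Set value (int)", "Set value (str)", "Key created"
    path: str               # native key path; for Set value the last element is the value name
    data: Optional[str] = None


def normalise(path: str) -> str:
    """Map \\REGISTRY\\MACHINE / \\REGISTRY\\USER\\<SID> to HKLM / HKCU, upper-case,
    and drop the WOW6432Node redirection so 32-bit writers hit the same rules."""
    p = path.replace("\\REGISTRY\\MACHINE\\", "HKLM\\")
    p = re.sub(r"^\\REGISTRY\\USER\\S-1-5-21-[\d-]+\\", lambda m: "HKCU\\", p)
    return p.upper().replace("\\WOW6432NODE\\", "\\")


RTP_KEY = "HKLM\\SOFTWARE\\POLICIES\\MICROSOFT\\WINDOWS DEFENDER\\REAL-TIME PROTECTION"
RTP_DISABLE_VALUES = {
    "DISABLEREALTIMEMONITORING", "DISABLEBEHAVIORMONITORING",
    "DISABLEIOAVPROTECTION", "DISABLEONACCESSPROTECTION",
    "DISABLESCANONREALTIMEENABLE", "DISABLERAWWRITENOTIFICATION",
}
TAMPER_VALUE = "HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\FEATURES\\TAMPERPROTECTION"
# IExpress/wextract registers "wextract_cleanupN" RunOnce entries that delete its
# IXP00N.TMP staging directory: packaging residue, not persistence.
WEXTRACT_CLEANUP = re.compile(r"^WEXTRACT_CLEANUP\d+$")
USER_WRITABLE = ("C:\\USERS\\", "C:\\PROGRAMDATA\\", "C:\\WINDOWS\\TEMP\\")


def classify(ev: RegEvent) -> Optional[str]:
    """Return a finding label for one event, or None if it is uninteresting."""
    if not ev.op.startswith("Set value"):
        return None                      # a bare key creation carries no setting
    p = normalise(ev.path)
    key, _, value = p.rpartition("\\")
    if key == RTP_KEY and value in RTP_DISABLE_VALUES and ev.data == "1":
        return "defender_rtp_disabled:" + value.lower()
    if p == TAMPER_VALUE and ev.data == "0":
        return "defender_tamper_protection_off"
    if key.endswith("\\CURRENTVERSION\\RUN") or key.endswith("\\CURRENTVERSION\\RUNONCE"):
        data = (ev.data or "").upper()
        if WEXTRACT_CLEANUP.match(value) and "DELNODERUNDLL32" in data:
            return None                  # self-extractor cleanup for an IXP*.TMP layer
        if data.lstrip('"').startswith(USER_WRITABLE):
            return "run_key_persistence:" + value.lower()
    return None


def findings(events: List[RegEvent]) -> Dict[str, Tuple[str, List[str]]]:
    """Group labels per writing process. A process that both disables real-time
    protection and flips TamperProtection is scored 'critical', else 'high'."""
    labels: Dict[str, set] = {}
    for ev in events:
        lab = classify(ev)
        if lab:
            labels.setdefault(ev.process, set()).add(lab)
    scored = {}
    for proc, labs in labels.items():
        rtp = any(l.startswith("defender_rtp_disabled") for l in labs)
        tamper = "defender_tamper_protection_off" in labs
        scored[proc] = ("critical" if rtp and tamper else "high", sorted(labs))
    return scored


# Constructed sample: the rows this report attributes to 2pX3090.exe plus one
# wextract RunOnce row attributed to a dropper layer (Xj6Hl21.exe).
RTP_NATIVE = "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection"
SAMPLE_EVENTS = [
    RegEvent("2pX3090.exe", "Key created", RTP_NATIVE),
    *[RegEvent("2pX3090.exe", "Set value (int)", RTP_NATIVE + "\\" + v, "1") for v in (
        "DisableScanOnRealtimeEnable", "DisableRealtimeMonitoring", "DisableIOAVProtection",
        "DisableRawWriteNotification", "DisableBehaviorMonitoring", "DisableOnAccessProtection")],
    RegEvent("2pX3090.exe", "Set value (int)",
             "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows Defender\\Features\\TamperProtection", "0"),
    RegEvent("2pX3090.exe", "Set value (str)",
             "\\REGISTRY\\USER\\S-1-5-21-768304381-2824894965-3840216961-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\MaxLoonaFest131",
             "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"),
    RegEvent("Xj6Hl21.exe", "Set value (str)",
             "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\wextract_cleanup1",
             'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\"'),
]

if __name__ == "__main__":
    for proc, (severity, labs) in findings(SAMPLE_EVENTS).items():
        print(proc, severity, labs)
```

On the sample above the only process with findings is 2pX3090.exe, scored critical with six real-time-protection labels, the TamperProtection label and the MaxLoonaFest131 Run key; the Xj6Hl21.exe wextract_cleanup1 row is dropped as packaging residue.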
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
- PID 224 2pX3090.exe (2 calls)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
Processes:
- WerFault.exe (PID 936) handling the crash of PID 224 2pX3090.exe
- WerFault.exe (PID 2632) handling the crash of PID 3960 59C3.exe
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
- PID 3468 schtasks.exe
- PID 5232 schtasks.exe
-
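The two schtasks invocations in the process tree (hourly and at logon, both /rl HIGHEST, both pointing at C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe) are a standard persistence shape. The parser and scoring below are an added example, not part of the Triage report: the first two sample command lines are copied from this report, the benign third line and the scoring rules are constructed for the example.

```python
"""Parse 'schtasks /create' command lines and score them for persistence risk.

Added example, not part of the Triage report. The first two entries of
SAMPLE_CMDLINES are this report's command lines; the benign third entry and
the scoring rules are constructed.
"""
import shlex
from typing import Dict, List, Optional

# Locations a standard user can write to; a task action living there is a
# common persistence pattern (this report's task points into C:\ProgramData).
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")
# Schedules that re-run the action at logon/boot or at high frequency.
AGGRESSIVE_SCHEDULES = {"ONLOGON", "ONSTART", "MINUTE", "HOURLY"}


def _unquote(tok: str) -> str:
    return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] == '"' else tok


def parse_schtasks_create(cmdline: str) -> Optional[Dict[str, object]]:
    """Return the /tn /tr /sc /rl /ru /f arguments of a schtasks /create call,
    or None if the line is not one. The schtasks token may sit anywhere in
    the line, so a 'cmd.exe /c schtasks ...' wrapper is handled too."""
    # posix=False keeps Windows backslashes and the surrounding quotes intact.
    toks = [_unquote(t) for t in shlex.split(cmdline, posix=False)]
    low = [t.lower() for t in toks]
    start = next((i for i, t in enumerate(low)
                  if t.endswith("schtasks") or t.endswith("schtasks.exe")), None)
    if start is None or "/create" not in low[start + 1:]:
        return None
    task: Dict[str, object] = {"tn": None, "tr": None, "sc": None, "rl": None, "ru": None, "force": False}
    i = start + 1
    while i < len(toks):
        flag = low[i]
        if flag == "/f":
            task["force"] = True
            i += 1
        elif flag in ("/tn", "/tr", "/sc", "/rl", "/ru") and i + 1 < len(toks):
            task[flag[1:]] = toks[i + 1]      # keep the argument's original case
            i += 2
        else:
            i += 1
    return task


def assess(task: Dict[str, object]) -> List[str]:
    """Reasons a parsed task looks like malware persistence (empty list = none)."""
    reasons = []
    action = str(task["tr"] or "").lower()
    if str(task["rl"] or "").upper() == "HIGHEST":
        reasons.append("/rl HIGHEST: runs with the highest privileges the account holds")
    if action.startswith(USER_WRITABLE):
        reasons.append("action binary lives in a user-writable directory")
    schedule = str(task["sc"] or "").upper()
    if schedule in AGGRESSIVE_SCHEDULES:
        reasons.append(f"/sc {schedule}: re-executes at logon or at high frequency")
    if task["force"]:
        reasons.append("/f: silently overwrites any existing task of the same name")
    return reasons


SAMPLE_CMDLINES = [
    # from this report: 2pX3090.exe -> cmd.exe -> schtasks.exe
    '"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\\ProgramData\\OfficeTrackerNMP131\\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST',
    'schtasks /create /f /RU "Admin" /tr "C:\\ProgramData\\OfficeTrackerNMP131\\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST',
    # constructed benign control: vendor path, daily schedule, no /rl, no /f
    'schtasks /create /tn "Nightly Backup" /tr "C:\\Program Files\\Backup\\backup.exe" /sc DAILY /st 02:00',
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        task = parse_schtasks_create(line)
        print(task["tn"], "->", assess(task) or "no findings")
```

Both report lines score on all four rules; the constructed backup task scores on none, which is the point of keeping a benign control next to the detection logic.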
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
- msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
- msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
- msedge.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
All three are attributed to msedge.exe, not to any of the dropped binaries.
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes:
- PID 4908 CompPkgSrv.exe (2)
- PID 412 msedge.exe (2)
- PID 1020 msedge.exe (2)
- PID 1968 backgroundTaskHost.exe (2)
- PID 4700 powershell.exe (3)
- PID 5688 identity_helper.exe (2)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
Processes:
- PID 1020 msedge.exe (9)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
- PID 224 2pX3090.exe: Token SeDebugPrivilege
- PID 4700 powershell.exe: Token SeDebugPrivilege
-
Suspicious use of FindShellTrayWindow 28 IoCs
Processes:
- PID 3604 1dP82wv5.exe (3)
- PID 1020 msedge.exe (25)
-
Suspicious use of SendNotifyMessage 27 IoCs
Processes:
- PID 3604 1dP82wv5.exe (3)
- PID 1020 msedge.exe (24)
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
- PID 224 2pX3090.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes (parent PID -> child PID, parent image -> child image; the report logs one row per call, collapsed here with a count):
- 856 -> 464: 2f3c9be60064deb5a63a27f1c4e50cc0.exe -> Xj6Hl21.exe (x3)
- 464 -> 1080: Xj6Hl21.exe -> SP4Rr42.exe (x3)
- 1080 -> 404: SP4Rr42.exe -> Qf8gp08.exe (x3)
- 404 -> 1368: Qf8gp08.exe -> Vr8oH09.exe (x3)
- 1368 -> 3604: Vr8oH09.exe -> 1dP82wv5.exe (x3)
- 3604 -> 4188: 1dP82wv5.exe -> msedge.exe (x2)
- 3604 -> 3624: 1dP82wv5.exe -> msedge.exe (x2)
- 4188 -> 4560: msedge.exe -> msedge.exe (x2)
- 3624 -> 3800: msedge.exe -> msedge.exe (x2)
- 3604 -> 1020: 1dP82wv5.exe -> msedge.exe (x2)
- 1020 -> 4200: msedge.exe -> msedge.exe (x2)
- 1368 -> 224: Vr8oH09.exe -> 2pX3090.exe (x3)
- 3624 -> 4964: msedge.exe -> msedge.exe (x34)
A parent writing into a child it has just created is what process creation itself does (the new process's parameters are written into it), so these rows are chiefly a record of who started whom rather than of code injection; the msedge.exe -> msedge.exe rows are the browser starting its own helpers. Read that way they establish the dropper chain: the sample (PID 856) -> Xj6Hl21.exe -> SP4Rr42.exe -> Qf8gp08.exe -> Vr8oH09.exe, which starts both 1dP82wv5.exe (PID 3604) and 2pX3090.exe (PID 224), with 1dP82wv5.exe launching the three msedge.exe windows.
-
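Rebuilding the parent/child tree from rows of this shape, as an added example (not part of the Triage report): the parser collapses repeated rows into single edges, finds the roots, renders an indented tree and returns the PID chain from the root to any process. SAMPLE_ROWS holds one copy of each distinct row from the table above; the helper functions are the example's own.

```python
"""Rebuild the parent/child process tree from 'wrote to memory of' rows.

Added example, not part of the Triage report. SAMPLE_ROWS holds one copy of
each distinct row from this report's WriteProcessMemory table (the report
repeats rows once per call); the helper functions are this example's own.
"""
import re
from typing import Dict, List, Optional, Tuple

# "PID <parent> wrote to memory of <child> <parent> <parent image> <child image>"
ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")


def parse_rows(text: str) -> Tuple[Dict[int, List[int]], Dict[int, str]]:
    """Return (children-by-parent, image-name-by-pid). Duplicate rows collapse
    into one edge and the first-seen order of children is preserved."""
    children: Dict[int, List[int]] = {}
    names: Dict[int, str] = {}
    for m in ROW.finditer(text):
        parent, child, pname, cname = int(m[1]), int(m[2]), m[3], m[4]
        names.setdefault(parent, pname)
        names.setdefault(child, cname)
        kids = children.setdefault(parent, [])
        if child not in kids:
            kids.append(child)
    return children, names


def roots(children: Dict[int, List[int]]) -> List[int]:
    """Processes that wrote into others but were never written into themselves."""
    all_children = {c for kids in children.values() for c in kids}
    return [p for p in children if p not in all_children]


def chain_to(children: Dict[int, List[int]], target: int) -> Optional[List[int]]:
    """PIDs from a root down to target, or None if target is not in the tree."""
    parent_of = {c: p for p, kids in children.items() for c in kids}
    if target not in parent_of and target not in children:
        return None
    path = [target]
    while path[-1] in parent_of:
        path.append(parent_of[path[-1]])
    return path[::-1]


def render(children: Dict[int, List[int]], names: Dict[int, str],
           pid: int, depth: int = 0, out: Optional[List[str]] = None) -> List[str]:
    """Indented 'image (pid)' lines, two spaces per level, depth-first."""
    out = [] if out is None else out
    out.append("  " * depth + f"{names.get(pid, '?')} ({pid})")
    for child in children.get(pid, []):
        render(children, names, child, depth + 1, out)
    return out


# Constructed from this report: one copy of each distinct row (the 1368 -> 224
# row is deliberately left duplicated to show the collapsing).
SAMPLE_ROWS = """
PID 856 wrote to memory of 464 856 2f3c9be60064deb5a63a27f1c4e50cc0.exe Xj6Hl21.exe
PID 464 wrote to memory of 1080 464 Xj6Hl21.exe SP4Rr42.exe
PID 1080 wrote to memory of 404 1080 SP4Rr42.exe Qf8gp08.exe
PID 404 wrote to memory of 1368 404 Qf8gp08.exe Vr8oH09.exe
PID 1368 wrote to memory of 3604 1368 Vr8oH09.exe 1dP82wv5.exe
PID 3604 wrote to memory of 4188 3604 1dP82wv5.exe msedge.exe
PID 3604 wrote to memory of 3624 3604 1dP82wv5.exe msedge.exe
PID 4188 wrote to memory of 4560 4188 msedge.exe msedge.exe
PID 3624 wrote to memory of 3800 3624 msedge.exe msedge.exe
PID 3604 wrote to memory of 1020 3604 1dP82wv5.exe msedge.exe
PID 1020 wrote to memory of 4200 1020 msedge.exe msedge.exe
PID 1368 wrote to memory of 224 1368 Vr8oH09.exe 2pX3090.exe
PID 1368 wrote to memory of 224 1368 Vr8oH09.exe 2pX3090.exe
PID 3624 wrote to memory of 4964 3624 msedge.exe msedge.exe
"""

if __name__ == "__main__":
    kids, names = parse_rows(SAMPLE_ROWS)
    for root in roots(kids):
        print("\n".join(render(kids, names, root)))
    print("dropper chain:", " -> ".join(names[p] for p in chain_to(kids, 224)))
```

On the sample the single root is PID 856 (the submitted file) and the chain to 2pX3090.exe is 856 -> 464 -> 1080 -> 404 -> 1368 -> 224, i.e. five self-extractor layers before the payload.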
outlook_office_path 1 IoCs
Processes:
- 2pX3090.exe: Key opened \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
-
outlook_win_path 1 IoCs
Processes:
- 2pX3090.exe: Key opened \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
-
Nesting follows the WriteProcessMemory rows (parent PID -> child PID): 1080 (SP4Rr42.exe) started 404 (Qf8gp08.exe), and 1368 (Vr8oH09.exe) started both 3604 (1dP82wv5.exe) and 224 (2pX3090.exe). Each IXP00N.TMP directory is the extraction directory of the layer above it. PIDs are given where the signature tables record them.

- PID 856: "C:\Users\Admin\AppData\Local\Temp\2f3c9be60064deb5a63a27f1c4e50cc0.exe"
  tags: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - PID 464: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xj6Hl21.exe
    tags: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - PID 1080: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SP4Rr42.exe
      tags: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Wo403IN.exe
      - PID 404: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Qf8gp08.exe
        tags: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
        - PID 1368: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Vr8oH09.exe
          tags: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
          - PID 3604: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dP82wv5.exe
            tags: Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
            - PID 1020: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
              tags: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
              - PID 5688: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,729738035800962710,5390788620099715950,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5840 /prefetch:8
                tags: Suspicious behavior: EnumeratesProcesses
              - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" (second instance, identical command line)
              - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,729738035800962710,5390788620099715950,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
              - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,729738035800962710,5390788620099715950,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3872 /prefetch:1
              - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2224,729738035800962710,5390788620099715950,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5060 /prefetch:8
              - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,729738035800962710,5390788620099715950,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
              - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,729738035800962710,5390788620099715950,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
            - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://facebook.com/login
              tags: Suspicious use of WriteProcessMemory
            - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
              tags: Suspicious use of WriteProcessMemory
          - PID 224: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2pX3090.exe
            tags: Modifies Windows Defender Real-time Protection settings; Drops startup file; Executes dropped EXE; Loads dropped DLL; Windows security modification; Accesses Microsoft Outlook profiles; Adds Run key to start application; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; outlook_office_path; outlook_win_path
            - C:\Windows\SysWOW64\cmd.exe: "cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
              - C:\Windows\SysWOW64\schtasks.exe: schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
                tags: Creates scheduled task(s)
            - C:\Windows\SysWOW64\cmd.exe: "cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
              - C:\Windows\SysWOW64\schtasks.exe: schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
                tags: Creates scheduled task(s)
            - PID 936: C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 3088
              tags: Program crash
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3hL78Uj.exe

The two payloads behave very differently. 1dP82wv5.exe only opens three Edge windows (youtube.com, facebook.com/login, accounts.google.com). 2pX3090.exe rewrites the Defender settings, reads the Outlook profile keys, installs the MaxLoonaFest131 Run key, the FANBooster131.lnk Startup entry and two scheduled tasks for C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe, and then crashes (WerFault for PID 224).

Processes the report lists without a recorded parent. The Edge helpers belong to the three browser windows above: --field-trial-handle=2224,... is shared with the youtube.com window's children, while 2008,... and 1952,... belong to the facebook.com/login and accounts.google.com windows.

- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffa8b7046f8,0x7ffa8b704708,0x7ffa8b704718
- PID 412: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2224,729738035800962710,5390788620099715950,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
  tags: Suspicious behavior: EnumeratesProcesses
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,729738035800962710,5390788620099715950,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,729738035800962710,5390788620099715950,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3812 /prefetch:1
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,729738035800962710,5390788620099715950,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3688 /prefetch:1
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,729738035800962710,5390788620099715950,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
- C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe -Embedding
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2008,12030663262625212714,11795744533774151453,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2408 /prefetch:3
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,12030663262625212714,11795744533774151453,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1944 /prefetch:2
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,729738035800962710,5390788620099715950,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
- PID 4700: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe: "powershell" Get-MpPreference -verbose
  tags: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  Get-MpPreference dumps the Defender configuration, i.e. the settings 2pX3090.exe rewrote; the report records no parent for this PowerShell instance.
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2224,729738035800962710,5390788620099715950,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:8
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2224,729738035800962710,5390788620099715950,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1952,17396043382964286850,6179773827910318054,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,17396043382964286850,6179773827910318054,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1996 /prefetch:2
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x144,0x170,0x7ffa8b7046f8,0x7ffa8b704708,0x7ffa8b704718
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa8b7046f8,0x7ffa8b704708,0x7ffa8b704718
- PID 4908: C:\Windows\System32\CompPkgSrv.exe -Embedding
  tags: Suspicious behavior: EnumeratesProcesses
- C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 224 -ip 224
- PID 1968: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  tags: Suspicious behavior: EnumeratesProcesses
- PID 3960: C:\Users\Admin\AppData\Local\Temp\59C3.exe
  - PID 2632: C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 1128
    tags: Program crash
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe (started with no arguments)
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (started with no arguments)
      - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,14279301223465236244,252766601139502448,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
      - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,14279301223465236244,252766601139502448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
      - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2000,14279301223465236244,252766601139502448,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
      - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2000,14279301223465236244,252766601139502448,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
      - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,14279301223465236244,252766601139502448,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2016 /prefetch:2
      - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,14279301223465236244,252766601139502448,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
      - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,14279301223465236244,252766601139502448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4408 /prefetch:1
      - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2000,14279301223465236244,252766601139502448,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3500 /prefetch:8
      - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" (second instance, identical command line)
      - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,14279301223465236244,252766601139502448,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
      - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,14279301223465236244,252766601139502448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1

59C3.exe, written to %TEMP%, has no recorded parent and no signature attached to it. It crashed (WerFault for PID 3960) and started MsBuild.exe with an empty command line, which in turn started an msedge.exe with an empty command line. A build tool launched with no arguments that then opens a browser is not MSBuild's own behaviour, so on a re-run this MsBuild.exe is the process whose memory to capture, as the report already did for PIDs 1328 and 5212.
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,14279301223465236244,252766601139502448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,12465251122350286755,18063161220363618862,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2964 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,12465251122350286755,18063161220363618862,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,12465251122350286755,18063161220363618862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,12465251122350286755,18063161220363618862,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:34⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,12465251122350286755,18063161220363618862,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:24⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,12465251122350286755,18063161220363618862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4428 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,12465251122350286755,18063161220363618862,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4396 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,12465251122350286755,18063161220363618862,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3548 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,12465251122350286755,18063161220363618862,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3548 /prefetch:84⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3960 -ip 39601⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8b7046f8,0x7ffa8b704708,0x7ffa8b7047181⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffa8b7046f8,0x7ffa8b704708,0x7ffa8b7047181⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\7DD2.exeC:\Users\Admin\AppData\Local\Temp\7DD2.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\890E.exeC:\Users\Admin\AppData\Local\Temp\890E.exe1⤵
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Create or Modify System Process (1): Windows Service (1)
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Downloads
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 5e77545b7e1c504b2f5ce7c5cc2ce1fe
  SHA1: d81a6af13cf31fa410b85471e4509124ebeaff7e
  SHA256: cbb617cd6cde793f367df016b200d35ce3c521ab901bbcb52928576bb180bc11
  SHA512: cbc65c61334a8b18ece79acdb30a4af80aa9448c3edc3902b00eb48fd5038bf6013d1f3f6436c1bcb637e78c485ae8e352839ca3c9ddf7e45b3b82d23b0e6e37

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 44289a5e95fa0801108ea13d88500e31
  SHA1: 2f77bfeea9d27a7511f196b7a968504a019d28ca
  SHA256: 63605adc5437aab1598734634bedbcabe57543d9bd59bcb5ac926e5073238167
  SHA512: 292f046b7708410a02aeb24e01c772a0dd04dee8306e7dcbf916c689e5f2a33b2f443b38d43ffd219ae2ffad2640917414859459c360634019cd3741f5134899

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 405ae43792ad79979bde7ec47b394e63
  SHA1: 65d0d307619d3728956a3306416193781c830507
  SHA256: 0186a531283ff51896662569c3cea449d5810a4ee32cc310850db6c0423e3a8e
  SHA512: 8b0fb3df1c415e9aab05ac1673f3c3d77c7d616739cd24f8d27cea093fb2f494f4e0a7113cfa6003a509ecda692972df9c786f2d60f3b0fa3f185c6856dd45df

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\041d0b61-698f-4818-b747-b94b41378b27.tmp
  Filesize: 1B
  MD5: 5058f1af8388633f609cadb75a75dc9d
  SHA1: 3a52ce780950d4d969792a2559cd519d7ee8c727
  SHA256: cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
  SHA512: 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies
  Filesize: 20KB
  MD5: a29749ede007b0eab7bb145e7d90d2ee
  SHA1: ba03a465e71221f975f668ff46c2b23a617dafea
  SHA256: 1cc828fad5ba7703a8214e5040201057231f440b22d71228bd7ab4203d2ee9ef
  SHA512: eaffb831da61d7c736f134d8a4568d1de4a56c569a0577a54c4b86fc0a244e26bf5df9258b2587873c77a4df1310225f3407b6f85b1803dadf95f116b326d25b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons
  Filesize: 28KB
  MD5: dac2b5ccd08ac2f7e4dcda9faeb9efea
  SHA1: de1c9c405eb66db61863ee9e2270233a44a46154
  SHA256: 377b2a97669ea05f7106fb8be8f9a07cab13287885bd640319d8573227c72b76
  SHA512: 0fbf818b214480fdfb02b71ac267f1563409b94b906e04767a16ef3a6cc6027fc930af7cbc29ffd4e7c9201713e3b6322db9469a7298148e92b270540679cc11

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History
  Filesize: 124KB
  MD5: f91db52e761a3b5d7d72d49ccf977c99
  SHA1: 8822f8629563ba2efd6ced0af1c2a2bd11eda97f
  SHA256: ba57eb2c958f2fed495076bbd575555325adce6e7ee3938acadce2eb20d0267e
  SHA512: c71925dfb60e4f9c485f14140f9fc06895f181fa7a4d6d737e1c0ca9d6c3eed55135f4aabe348bd56b51237ad9844c922c52295cb5373c823ffff9f9db00d716

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History-journal
  Filesize: 8KB
  MD5: 9c9c8818f6fb95fb079f2cc0810eee6a
  SHA1: 692c76cd0e3496c6715a450eb58fea8cb835611a
  SHA256: 5d377f1cb10810d1b838e4a4d5ee8549b3c0305a2257f4bd30c3001730ab2cd9
  SHA512: 80cd452fe4786ea8d7dd84d311c91ac0724d27f07b13fbdba25cd1ffde82e253a929a7d4950a9059bbf79e984247fd327827875d7495a274afb424b83efb4605

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 202b9d04ecbfbd8ee064b5b1c33fc6b8
  SHA1: 3ea7d19af09f45c0789445fb136697cf1db4cda9
  SHA256: b9bbf4235c36a9d4353057e1d5d7bd237f47cd98595d76f886a4c76166732815
  SHA512: bdbc88cdf100637c099567cf268a2f2b52c4859f1ee5e384f00a441e18defc1248afe0727c4673507f25fa11dad0932de07c0082ef8428fb07511f1514062337

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 186a2b5609759e276ecc50a8dbdf1f5e
  SHA1: 2f163f2036020b19a7f320bbf9b3511ef697052b
  SHA256: 7284b041b8be3818808cee03ff41ed7d045b6f9984d1c63be228cfb626b967a8
  SHA512: bb8006edc61ed0544fa47c9ada34e093d235fbb4df9b579798b2cf6bfabd85e51b358908a2a29fbe9f8abb5d77950f25a7101be94563f4e1b3106de2248c97fd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: d9f4d84b996e7fa42a337d05f6a16410
  SHA1: 247522c28a77b1ad68f657d3493b3e7173d4126d
  SHA256: 44748bdeda848f41c2e00481430ef751330201e9a6b2c9969952ed1d2013ddb1
  SHA512: dba5ccaf18813b45ef8f3287de7c2067d1498a1a9f8561a3df09e8120a4784b744ec5552ae455b4bfa45cdaf438ef4190ceb8b4fdb448b7c2d63e19af10ef180

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
  Filesize: 24KB
  MD5: 6db2d2ceb22a030bd1caa72b32cfbf98
  SHA1: fe50f35e60f88624a28b93b8a76be1377957618b
  SHA256: 7b22b0b16088ab7f7d6f938d7cfe9ae807856662ce3a63e7de6c8107186853e4
  SHA512: d5a67a394003f559c98e1a1e9e31c2d473d04cc075b08bb0aab115ce42744da536895df2cec73fa54fc36f38d38e4906680cfacfbf4698ee925f1609fbb07912

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links
  Filesize: 128KB
  MD5: 66f9eb2bb6b27d19d1903ae686e58c97
  SHA1: cc7459ae1b4b5692a4b491601b3bd990181e7bb8
  SHA256: 847435cdf1268f8f5cafff2a112de527af4860737cbe56b28137d09ec7074c90
  SHA512: f663fd06a4c02f8603d447704f716cb5c4bdb2f4417b2897d3006a710324e37a153fe115e2aa1260ae8700a8bd8d5cc4a0f0bb60d8d9db0fe11b990e19444c0a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: aefd77f47fb84fae5ea194496b44c67a
  SHA1: dcfbb6a5b8d05662c4858664f81693bb7f803b82
  SHA256: 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
  SHA512: b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version
  Filesize: 11B
  MD5: 838a7b32aefb618130392bc7d006aa2e
  SHA1: 5159e0f18c9e68f0e75e2239875aa994847b8290
  SHA256: ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
  SHA512: 9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 12KB
  MD5: df550249f1e5e3b739568cfaab053e24
  SHA1: 3bb8f97e0a94c68b458b489d79b080284692cea8
  SHA256: 5bfb2e5ffbdb4f1af9fd85ee75a134db409c2455b1e3cae0a6f5c80dcb6ba480
  SHA512: 27140f5bd5bfc365b53c1c8ada3fca938a0653453de6b25c521eda801fd0608eec1c8ff67435a3db2ab3144325d15f0f37e6f7c67421c6504fad6a259ba424e6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
  Filesize: 264KB
  MD5: f50f89a0a91564d0b8a211f8921aa7de
  SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
  SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
  SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xj6Hl21.exe
  Filesize: 1024KB
  MD5: f506c5d2b5d763e530e7eb8afaf72d2d
  SHA1: ea349dff020f6dfe0af8ed74ca16f58d55b049d9
  SHA256: 0e85f083491aec7565eae07156d173e4f0e8f7fc5cb3915ff0a459268b58ec3e
  SHA512: ae9dd8296e25586766320c98eb7663a3199a653f6188710f07746641453ae35044c633a224bdaf817f9b0df4b5887dd685254d92c18dd7f0db7d3cd9f035ecb3

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xj6Hl21.exe
  Filesize: 98KB
  MD5: 8e2ace9343c0f1de695489105e56c67e
  SHA1: 52ed5bc402c66cf30f0b9688d0aa8ae49622e0da
  SHA256: 84bb28266d378412f570789380fb4691ceb6aee689f68ece2665003bd9ec4f13
  SHA512: 65c4f07f6df164d49cfa971e558b65d50c267a6cd75f834ced67ee6ff11691124c223cd8a3f46e78b0ce54004ba34caf92cb207e3d20e01fd69727cff4c7a210

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SP4Rr42.exe
  Filesize: 93KB
  MD5: e42e6b1d4c7b6505fb115391736f1b1a
  SHA1: ddabde216940b6f56430d4f587493ba25436be28
  SHA256: 38f7aa910dbbcfc314df7fa68963862d41c0197b05cf180d328aa3f46d2b086b
  SHA512: b971075db5cedaea4db4f23c55c9fcc10e4d080a3cd8267ecf505a5ba3377e2d88f16a34e78c24f8789f14809d270730a931ff16435e16b38774e0ad322b72ac

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SP4Rr42.exe
  Filesize: 92KB
  MD5: 10c7043a47a950e0b216136584844ee6
  SHA1: 267fc0b15caa614e84a9b3b334fb8b3324a85090
  SHA256: 75750a0edb2a7888165f11b28a4f3b9f4943933fa1ceccd69c32ffc278d3ca4f
  SHA512: b69b2dbbb802586ac7eab6f7a018c2c818d1e85fa6be4258bd42ee8932f9a77758bbad4b5b04cf417ff1458276bfe5ab7b19862ab5e0b7b228b23a285420e730

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Qf8gp08.exe
  Filesize: 128KB
  MD5: b8b603ba5efe69058d5aef5736f46dca
  SHA1: 0803db9049a2e57c3c50cb645ad0d5a6ddea25b1
  SHA256: efb7fc04df18fb46a39a56dd2ac95411308ab2fd9c2630def1348569d76f5a7f
  SHA512: 36a4229858872eaf08e66dfdd0252cdd3661d411a99e9e2bf78c3fc7eb21f8e1b40d6c778d29b2aded0ad770ec7bfd64085ba9cb2e13cd0a61448c6371e1d5a3

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Vr8oH09.exe
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/224-60-0x0000000008740000-0x00000000087B6000-memory.dmp  Filesize: 472KB
memory/224-59-0x0000000000340000-0x000000000079E000-memory.dmp  Filesize: 4.4MB
memory/224-48-0x0000000000340000-0x000000000079E000-memory.dmp  Filesize: 4.4MB
memory/224-466-0x0000000000340000-0x000000000079E000-memory.dmp  Filesize: 4.4MB
memory/224-450-0x0000000000340000-0x000000000079E000-memory.dmp  Filesize: 4.4MB
memory/224-358-0x000000000A870000-0x000000000ABC4000-memory.dmp  Filesize: 3.3MB
memory/224-343-0x0000000009880000-0x000000000989E000-memory.dmp  Filesize: 120KB
memory/1328-504-0x0000000008710000-0x0000000008C3C000-memory.dmp  Filesize: 5.2MB
memory/1328-490-0x00000000057C0000-0x00000000057FC000-memory.dmp  Filesize: 240KB
memory/1328-533-0x0000000000440000-0x0000000000BD2000-memory.dmp  Filesize: 7.6MB
memory/1328-503-0x0000000008010000-0x00000000081D2000-memory.dmp  Filesize: 1.8MB
memory/1328-501-0x0000000006B70000-0x0000000007114000-memory.dmp  Filesize: 5.6MB
memory/1328-502-0x00000000066D0000-0x0000000006762000-memory.dmp  Filesize: 584KB
memory/1328-537-0x0000000076A20000-0x0000000076B10000-memory.dmp  Filesize: 960KB
memory/1328-536-0x0000000076A20000-0x0000000076B10000-memory.dmp  Filesize: 960KB
memory/1328-535-0x0000000076A20000-0x0000000076B10000-memory.dmp  Filesize: 960KB
memory/1328-487-0x0000000005EA0000-0x00000000064B8000-memory.dmp  Filesize: 6.1MB
memory/1328-491-0x0000000005800000-0x000000000584C000-memory.dmp  Filesize: 304KB
memory/1328-508-0x00000000072D0000-0x0000000007320000-memory.dmp  Filesize: 320KB
memory/1328-478-0x0000000000440000-0x0000000000BD2000-memory.dmp  Filesize: 7.6MB
memory/1328-480-0x0000000076A20000-0x0000000076B10000-memory.dmp  Filesize: 960KB
memory/1328-481-0x0000000076A20000-0x0000000076B10000-memory.dmp  Filesize: 960KB
memory/1328-482-0x00000000772F4000-0x00000000772F6000-memory.dmp  Filesize: 8KB
memory/1328-479-0x0000000076A20000-0x0000000076B10000-memory.dmp  Filesize: 960KB
memory/1328-486-0x0000000000440000-0x0000000000BD2000-memory.dmp  Filesize: 7.6MB
memory/1328-489-0x0000000005990000-0x0000000005A9A000-memory.dmp  Filesize: 1.0MB
memory/1328-488-0x0000000005760000-0x0000000005772000-memory.dmp  Filesize: 72KB
memory/3416-471-0x0000000002BD0000-0x0000000002BE6000-memory.dmp  Filesize: 88KB
memory/3960-604-0x0000000074000000-0x00000000747B0000-memory.dmp  Filesize: 7.7MB
memory/3960-563-0x0000000074000000-0x00000000747B0000-memory.dmp  Filesize: 7.7MB
memory/3960-607-0x00000000066F0000-0x0000000006882000-memory.dmp  Filesize: 1.6MB
memory/3960-613-0x0000000004F90000-0x0000000004FA0000-memory.dmp  Filesize: 64KB
memory/3960-614-0x0000000004F90000-0x0000000004FA0000-memory.dmp  Filesize: 64KB
memory/3960-615-0x0000000004F90000-0x0000000004FA0000-memory.dmp  Filesize: 64KB
memory/3960-605-0x0000000004F90000-0x0000000004FA0000-memory.dmp  Filesize: 64KB
memory/3960-606-0x00000000052E0000-0x00000000055BA000-memory.dmp  Filesize: 2.9MB
memory/3960-562-0x0000000000200000-0x00000000005C6000-memory.dmp  Filesize: 3.8MB
memory/3960-564-0x0000000004ED0000-0x0000000004F6C000-memory.dmp  Filesize: 624KB
memory/4568-470-0x0000000000400000-0x000000000040A000-memory.dmp  Filesize: 40KB
memory/4568-472-0x0000000000400000-0x000000000040A000-memory.dmp  Filesize: 40KB
memory/4700-207-0x0000000007160000-0x00000000071F6000-memory.dmp  Filesize: 600KB
memory/4700-201-0x0000000006EE0000-0x0000000006EFA000-memory.dmp  Filesize: 104KB
memory/4700-181-0x000000007F750000-0x000000007F760000-memory.dmp  Filesize: 64KB
memory/4700-193-0x0000000006160000-0x000000000617E000-memory.dmp  Filesize: 120KB
memory/4700-213-0x00000000070E0000-0x00000000070F1000-memory.dmp  Filesize: 68KB
memory/4700-223-0x0000000007110000-0x000000000711E000-memory.dmp  Filesize: 56KB
memory/4700-227-0x0000000007220000-0x000000000723A000-memory.dmp  Filesize: 104KB
memory/4700-228-0x0000000007200000-0x0000000007208000-memory.dmp  Filesize: 32KB
memory/4700-96-0x0000000004610000-0x0000000004646000-memory.dmp  Filesize: 216KB
memory/4700-226-0x0000000007120000-0x0000000007134000-memory.dmp  Filesize: 80KB
memory/4700-231-0x00000000738E0000-0x0000000074090000-memory.dmp  Filesize: 7.7MB
memory/4700-204-0x0000000006F50000-0x0000000006F5A000-memory.dmp  Filesize: 40KB
memory/4700-200-0x0000000007520000-0x0000000007B9A000-memory.dmp  Filesize: 6.5MB
memory/4700-182-0x0000000006180000-0x00000000061B2000-memory.dmp  Filesize: 200KB
memory/4700-194-0x0000000004770000-0x0000000004780000-memory.dmp  Filesize: 64KB
memory/4700-195-0x0000000006D90000-0x0000000006E33000-memory.dmp  Filesize: 652KB
memory/4700-183-0x000000006FF70000-0x000000006FFBC000-memory.dmp  Filesize: 304KB
memory/4700-97-0x00000000738E0000-0x0000000074090000-memory.dmp  Filesize: 7.7MB
memory/4700-138-0x0000000005C60000-0x0000000005CAC000-memory.dmp  Filesize: 304KB
memory/4700-128-0x0000000005BB0000-0x0000000005BCE000-memory.dmp  Filesize: 120KB
memory/4700-127-0x0000000005830000-0x0000000005B84000-memory.dmp  Filesize: 3.3MB
memory/4700-121-0x00000000054C0000-0x0000000005526000-memory.dmp  Filesize: 408KB
memory/4700-122-0x00000000055A0000-0x0000000005606000-memory.dmp  Filesize: 408KB
memory/4700-115-0x0000000005420000-0x0000000005442000-memory.dmp  Filesize: 136KB
memory/4700-114-0x0000000004770000-0x0000000004780000-memory.dmp  Filesize: 64KB
memory/4700-113-0x0000000004770000-0x0000000004780000-memory.dmp  Filesize: 64KB
memory/4700-98-0x0000000004DB0000-0x00000000053D8000-memory.dmp  Filesize: 6.2MB
memory/5212-621-0x0000000000400000-0x0000000000452000-memory.dmp  Filesize: 328KB