modiloader | hxxps://cassiaatammetalsllc-my[.]sharepoint[.]com/[:]u[:]/g/personal/adelina_cassia_ae/ETGMyGSYf1xKoWkGEBChfdoB4u5gHI6YiIHyPRgZ8LAdpA?e=I0GKza&download=1

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2024 04:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cassiaatammetalsllc-my.sharepoint.com/:u:/g/personal/adelina_cassia_ae/ETGMyGSYf1xKoWkGEBChfdoB4u5gHI6YiIHyPRgZ8LAdpA?e=I0GKza&download=1

Score

10^/10

modiloader collection discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 59 IoCs

resource	yara_rule
behavioral1/memory/4052-102-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/2580-108-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-112-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-116-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-124-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-142-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-168-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-166-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-164-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-163-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-162-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-160-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-159-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-158-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-157-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-155-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-154-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-153-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-152-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-151-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-150-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-147-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-149-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-148-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-146-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-144-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-143-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-137-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-136-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-135-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-167-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-134-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-165-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-133-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-161-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-132-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-156-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-129-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-126-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-145-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-125-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-141-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-140-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-123-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-139-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-138-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-122-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-121-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-120-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-131-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-130-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-119-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-128-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-118-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-127-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-117-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-115-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-114-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2
behavioral1/memory/4052-113-0x0000000002DD0000-0x0000000003DD0000-memory.dmp	modiloader_stage2

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
4052	PO-367589-234768-2024.pif
2580	PO-367589-234768-2024.pif

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	SndVol.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jvmssixm = "C:\\Users\\Public\\Jvmssixm.url"	PO-367589-234768-2024.pif

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 5628 set thread context of 5780	5628	SndVol.exe	136
PID 5628 set thread context of 5464	5628	SndVol.exe	138
PID 5628 set thread context of 3780	5628	SndVol.exe	139

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SndVol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SndVol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SndVol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SndVol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PO-367589-234768-2024.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PO-367589-234768-2024.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SndVol.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 164873.crdownload:SmartScreen	msedge.exe

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	56	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	58	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	60	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	52	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
3976	msedge.exe
3976	msedge.exe
2260	msedge.exe
2260	msedge.exe
2644	identity_helper.exe
2644	identity_helper.exe
1616	msedge.exe
1616	msedge.exe
4052	PO-367589-234768-2024.pif
4052	PO-367589-234768-2024.pif
2580	PO-367589-234768-2024.pif
2580	PO-367589-234768-2024.pif
5780	SndVol.exe
5780	SndVol.exe
3780	SndVol.exe
3780	SndVol.exe
5780	SndVol.exe
5780	SndVol.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
5628	SndVol.exe
5628	SndVol.exe
5628	SndVol.exe
5628	SndVol.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3780	SndVol.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
5628	SndVol.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
5628	SndVol.exe
5628	SndVol.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2376	2260	msedge.exe	83
PID 2260 wrote to memory of 2376	2260	msedge.exe	83
PID 2260 wrote to memory of 4716	2260	msedge.exe	84
PID 2260 wrote to memory of 4716	2260	msedge.exe	84
PID 2260 wrote to memory of 4716	2260	msedge.exe	84
PID 2260 wrote to memory of 4716	2260	msedge.exe	84
PID 2260 wrote to memory of 4716	2260	msedge.exe	84
PID 2260 wrote to memory of 4716	2260	msedge.exe	84
PID 2260 wrote to memory of 4716	2260	msedge.exe	84
PID 2260 wrote to memory of 4716	2260	msedge.exe	84
PID 2260 wrote to memory of 4716	2260	msedge.exe	84
PID 2260 wrote to memory of 4716	2260	msedge.exe	84
PID 2260 wrote to memory of 4716	2260	msedge.exe	84
PID 2260 wrote to memory of 4716	2260	msedge.exe	84
PID 2260 wrote to memory of 4716	2260	msedge.exe	84
PID 2260 wrote to memory of 4716	2260	msedge.exe	84
PID 2260 wrote to memory of 4716	2260	msedge.exe	84
PID 2260 wrote to memory of 4716	2260	msedge.exe	84
PID 2260 wrote to memory of 4716	2260	msedge.exe	84
PID 2260 wrote to memory of 4716	2260	msedge.exe	84
PID 2260 wrote to memory of 4716	2260	msedge.exe	84
PID 2260 wrote to memory of 4716	2260	msedge.exe	84
PID 2260 wrote to memory of 4716	2260	msedge.exe	84
PID 2260 wrote to memory of 4716	2260	msedge.exe	84
PID 2260 wrote to memory of 4716	2260	msedge.exe	84
PID 2260 wrote to memory of 4716	2260	msedge.exe	84
PID 2260 wrote to memory of 4716	2260	msedge.exe	84
PID 2260 wrote to memory of 4716	2260	msedge.exe	84
PID 2260 wrote to memory of 4716	2260	msedge.exe	84
PID 2260 wrote to memory of 4716	2260	msedge.exe	84
PID 2260 wrote to memory of 4716	2260	msedge.exe	84
PID 2260 wrote to memory of 4716	2260	msedge.exe	84
PID 2260 wrote to memory of 4716	2260	msedge.exe	84
PID 2260 wrote to memory of 4716	2260	msedge.exe	84
PID 2260 wrote to memory of 4716	2260	msedge.exe	84
PID 2260 wrote to memory of 4716	2260	msedge.exe	84
PID 2260 wrote to memory of 4716	2260	msedge.exe	84
PID 2260 wrote to memory of 4716	2260	msedge.exe	84
PID 2260 wrote to memory of 4716	2260	msedge.exe	84
PID 2260 wrote to memory of 4716	2260	msedge.exe	84
PID 2260 wrote to memory of 4716	2260	msedge.exe	84
PID 2260 wrote to memory of 4716	2260	msedge.exe	84
PID 2260 wrote to memory of 3976	2260	msedge.exe	85
PID 2260 wrote to memory of 3976	2260	msedge.exe	85
PID 2260 wrote to memory of 2920	2260	msedge.exe	86
PID 2260 wrote to memory of 2920	2260	msedge.exe	86
PID 2260 wrote to memory of 2920	2260	msedge.exe	86
PID 2260 wrote to memory of 2920	2260	msedge.exe	86
PID 2260 wrote to memory of 2920	2260	msedge.exe	86
PID 2260 wrote to memory of 2920	2260	msedge.exe	86
PID 2260 wrote to memory of 2920	2260	msedge.exe	86
PID 2260 wrote to memory of 2920	2260	msedge.exe	86
PID 2260 wrote to memory of 2920	2260	msedge.exe	86
PID 2260 wrote to memory of 2920	2260	msedge.exe	86
PID 2260 wrote to memory of 2920	2260	msedge.exe	86
PID 2260 wrote to memory of 2920	2260	msedge.exe	86
PID 2260 wrote to memory of 2920	2260	msedge.exe	86
PID 2260 wrote to memory of 2920	2260	msedge.exe	86
PID 2260 wrote to memory of 2920	2260	msedge.exe	86
PID 2260 wrote to memory of 2920	2260	msedge.exe	86
PID 2260 wrote to memory of 2920	2260	msedge.exe	86
PID 2260 wrote to memory of 2920	2260	msedge.exe	86
PID 2260 wrote to memory of 2920	2260	msedge.exe	86
PID 2260 wrote to memory of 2920	2260	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://cassiaatammetalsllc-my.sharepoint.com/:u:/g/personal/adelina_cassia_ae/ETGMyGSYf1xKoWkGEBChfdoB4u5gHI6YiIHyPRgZ8LAdpA?e=I0GKza&download=1
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa333046f8,0x7ffa33304708,0x7ffa33304718
  2⤵
  PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,9271504197569492967,13738051356105118176,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
  2⤵
  PID:4716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,9271504197569492967,13738051356105118176,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,9271504197569492967,13738051356105118176,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1376 /prefetch:8
  2⤵
  PID:2920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,9271504197569492967,13738051356105118176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:2008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,9271504197569492967,13738051356105118176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2192,9271504197569492967,13738051356105118176,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5056 /prefetch:8
  2⤵
  PID:3844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,9271504197569492967,13738051356105118176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:4624
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,9271504197569492967,13738051356105118176,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:8
  2⤵
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,9271504197569492967,13738051356105118176,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,9271504197569492967,13738051356105118176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,9271504197569492967,13738051356105118176,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
  2⤵
  PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,9271504197569492967,13738051356105118176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
  2⤵
  PID:804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,9271504197569492967,13738051356105118176,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:1
  2⤵
  PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,9271504197569492967,13738051356105118176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:2112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2192,9271504197569492967,13738051356105118176,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6280 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1616
- C:\Users\Admin\Downloads\PO-367589-234768-2024.pif
  "C:\Users\Admin\Downloads\PO-367589-234768-2024.pif"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4052
- - C:\Windows\SysWOW64\SndVol.exe
    C:\Windows\System32\SndVol.exe
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:5628
  - - C:\Windows\SysWOW64\SndVol.exe
      C:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\Admin\AppData\Local\Temp\msxmtrurtliuwzqjpfyebd"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5780
  - - C:\Windows\SysWOW64\SndVol.exe
      C:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\Admin\AppData\Local\Temp\wudxukfthtazhnmnyqtyeiduc"
      4⤵
      PID:5916
  - - C:\Windows\SysWOW64\SndVol.exe
      C:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\Admin\AppData\Local\Temp\wudxukfthtazhnmnyqtyeiduc"
      4⤵
      Accesses Microsoft Outlook accounts
      System Location Discovery: System Language Discovery
      PID:5464
  - - C:\Windows\SysWOW64\SndVol.exe
      C:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\Admin\AppData\Local\Temp\zpqqvcpmvbsejtarpagzpvydldon"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,9271504197569492967,13738051356105118176,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2868

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1592

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2000

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1232

C:\Users\Admin\Downloads\PO-367589-234768-2024.pif
"C:\Users\Admin\Downloads\PO-367589-234768-2024.pif"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5224
- C:\Windows\SysWOW64\SndVol.exe
  C:\Windows\System32\SndVol.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bffcefacce25cd03f3d5c9446ddb903d

SHA1
8923f84aa86db316d2f5c122fe3874bbe26f3bab

SHA256
23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

SHA512
761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d22073dea53e79d9b824f27ac5e9813e

SHA1
6d8a7281241248431a1571e6ddc55798b01fa961

SHA256
86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

SHA512
97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
205B

MD5
c71430a6ab60798cc3a15378d56f90ad

SHA1
db958b0cc3055c0d0497158627480b7ff5eaaba0

SHA256
929ad816ef7476b6bbce3436db1bb6ad64657576c68c292858f4b19351470f5e

SHA512
804360155498816fdd354b6550a930a7225b0de7f4d7131fbcde86ffcee1b45d18934556f3ce30acb47ea0e82bfab47df03e1b2524fbb153f1e5b57365901b29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c3261f16bec0da100e1b7c63f1a3a296

SHA1
e5a2f501f9d53ba9f0db7571179109802f2b0fc5

SHA256
5094db06cb3c442ec72fa2792bbf033be6a8ec1d2728bac52dbaec46bbfcb4cb

SHA512
f9ffdcc27263f3bf5116cda01bdafdd31a91d409dce3a3467bd38bb841b55ab8752c4155a3d1dfd90923784110ca305eea656a252c11d60208d2fa4d9dfb8ea9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cbc38745c07f79e6e5d54f48d5f98611

SHA1
8088bfcb0dbd88a1ee30d24a85e593997072b292

SHA256
346f18a81e4b1292cc1dd2b03656914da04282111116c52d183484871f267669

SHA512
124dc9726fe7ba9cf8e7fd2f58ed110bad0aa7bf6a56bae10e54f0ea3611ae60debb92c16f26c3559ed04573dd7e17fd2e5abce251a7b717293bf3a51e66ce75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
dbffcb3883b073a18b979b23071429f8

SHA1
4a9f7fc34d836cf458ece7988ca97e87144e257c

SHA256
6c5a2a1a1b4c045ca9ae7bfe26209931fabcca9f558e80c33f07e7897b17f863

SHA512
8568fd48818c24b76fe4e285142eb13ed999b4a98dad689a54119c4ff164927ed01cbe5df73e296a30ee4631b27fb7d59c03697daff293643d493bb540e6b388

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
adac0a54296bf77cf1563cf020eca142

SHA1
d82ed461f54621e6ed27bace6c9801863541134c

SHA256
8bf20543f06a7549573d6b3faaa3bd8ec2914903c704710c45258ba4aafb52d1

SHA512
4fe218ff57682d7787325b7abc1a3f8a95eb3ff8e1089ec69fdec8bfc2168433c7a08050d5ec9b0aa71fad15607f6a57243463a51c0de1f8fce4e2e857348dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4c755bb85d817df51664102f00d3a50a

SHA1
3881255f8dae6c3ab4c55bfeb9f207896516eaef

SHA256
8606fa8781fc9ea591dc28a2cbf90e0485bd12b655fa01694eb087a3a4e1d74a

SHA512
230a9a52ff9c8220f4354dcbf54266834ae2e7101de04010b9eb1ed81b4c706b716820d91f62527dd301baa17b87a818c874d78eb48b674aad3bd3d9b3792472

Download Submit
C:\Users\Admin\AppData\Local\Temp\msxmtrurtliuwzqjpfyebd

Filesize
4KB

MD5
16dfb23eaa7972c59c36fcbc0946093b

SHA1
1e9e3ff83a05131575f67e202d352709205f20f8

SHA256
36c49c94327c8cadcad4c0d2b3a8f5162fc7bb86624923484476c5f7b960bc4c

SHA512
a8b38b5e7bf886b78c5c7f01234b44647a252d4dfbcc06c99b863f8e160e3cfc151b2a83b8b49e09d13e8547419467da4bffbb8dee5fc6740032eb7c839d89dc

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 164873.crdownload

Filesize
1.3MB

MD5
a464fb8719fb5230e4f4e7579d91927b

SHA1
42e3f61c947f2b9b0d8b23b7cd41cb5541e777ab

SHA256
a2cdbb92a825919b6394b1512c49b20259ac72d45178e3d463d399c6b0dd554e

SHA512
7635fab336f88248e76f467f5c8559b87e1c2f4556724e586cd5eb5741d33021cbbc45e26f4ef91f03bf509a2de1afaf7aabc748434c753b2bd7c7531798fc72

Download Submit
C:\Users\Public\Libraries\FX.cmd

Filesize
8KB

MD5
60cd0be570decd49e4798554639a05ae

SHA1
bd7bed69d9ab9a20b5263d74921c453f38477bcb

SHA256
ca6a6c849496453990beceef8c192d90908c0c615fa0a1d01bcd464bad6966a5

SHA512
ab3dbdb4ed95a0cb4072b23dd241149f48ecff8a69f16d81648e825d9d81a55954e5dd9bc46d3d7408421df30c901b9ad1385d1e70793fa8d715c86c9e800c57

Download Submit
memory/2580-108-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-148-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-134-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-124-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-142-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-168-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-166-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-164-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-163-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-162-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-160-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-159-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-158-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-157-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-155-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-154-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-153-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-152-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-151-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-150-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-147-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-149-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-112-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-146-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-144-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-143-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-137-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-136-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-135-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-167-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-116-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-165-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-133-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-161-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-132-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-156-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-129-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-126-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-145-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-125-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-141-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-140-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-123-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-139-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-138-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-122-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-121-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-120-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-131-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-130-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-119-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-128-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-118-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-127-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-117-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-115-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-114-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-110-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/4052-102-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-101-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4052-113-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download