agenttesla | 1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3

Analysis

max time kernel
147s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe
Size

858KB
MD5

ab816e184fb037214548c813795ede45
SHA1

19ee539d547e67119f0314a261c7220bf5a8399f
SHA256

1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3
SHA512

70464e04a7c6777836c35354b5e28ea3fa41adbb498d268756d42b341752962fb055769302cc17cc38ea1c19c053dda0c9f8b3fb469fdfb7993802d2f875a933
SSDEEP

24576:/EN973phvt8tmUdkw1xG8fFjGMaOnO+pwFL9N09PPP:/EN973PvEL2wHBODLcPX

Score

10^/10

agenttesla keylogger spyware stealer trojan upx

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1316-1-0x0000000000130000-0x000000000018E000-memory.dmp	family_agenttesla
behavioral2/memory/2996-106-0x0000000000400000-0x000000000045E000-memory.dmp	family_agenttesla

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exemighost.exemighost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	mighost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	mighost.exe

Executes dropped EXE 4 IoCs

Processes:

mighost.exemighost.exemighost.exemighost.exe

pid process

220 mighost.exe
2996 mighost.exe
388 mighost.exe
1596 mighost.exe

pid	process
220	mighost.exe
2996	mighost.exe
388	mighost.exe
1596	mighost.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/644-0-0x0000000000860000-0x00000000009FE000-memory.dmp	upx
behavioral2/memory/1316-7-0x0000000000860000-0x00000000009FE000-memory.dmp	upx
behavioral2/memory/644-32-0x0000000000860000-0x00000000009FE000-memory.dmp	upx
behavioral2/memory/644-49-0x0000000000860000-0x00000000009FE000-memory.dmp	upx
C:\Users\Admin\cdp\mighost.exe	upx
behavioral2/memory/220-104-0x0000000000950000-0x0000000000AEE000-memory.dmp	upx
behavioral2/memory/2996-112-0x0000000000950000-0x0000000000AEE000-memory.dmp	upx
behavioral2/memory/220-121-0x0000000000950000-0x0000000000AEE000-memory.dmp	upx
behavioral2/memory/220-140-0x0000000000950000-0x0000000000AEE000-memory.dmp	upx
behavioral2/memory/388-176-0x0000000000950000-0x0000000000AEE000-memory.dmp	upx
behavioral2/memory/388-215-0x0000000000950000-0x0000000000AEE000-memory.dmp	upx
behavioral2/memory/388-218-0x0000000000950000-0x0000000000AEE000-memory.dmp	upx

AutoIT Executable 7 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/644-32-0x0000000000860000-0x00000000009FE000-memory.dmp	autoit_exe
behavioral2/memory/644-49-0x0000000000860000-0x00000000009FE000-memory.dmp	autoit_exe
behavioral2/memory/220-104-0x0000000000950000-0x0000000000AEE000-memory.dmp	autoit_exe
behavioral2/memory/220-121-0x0000000000950000-0x0000000000AEE000-memory.dmp	autoit_exe
behavioral2/memory/220-140-0x0000000000950000-0x0000000000AEE000-memory.dmp	autoit_exe
behavioral2/memory/388-215-0x0000000000950000-0x0000000000AEE000-memory.dmp	autoit_exe
behavioral2/memory/388-218-0x0000000000950000-0x0000000000AEE000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exemighost.exemighost.exe

description	pid	process	target process
PID 644 set thread context of 1316	644	1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe	1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe
PID 220 set thread context of 2996	220	mighost.exe	mighost.exe
PID 388 set thread context of 1596	388	mighost.exe	mighost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

4460 schtasks.exe
880 schtasks.exe
2176 schtasks.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid process

3040 msedge.exe
3040 msedge.exe
1448 msedge.exe
1448 msedge.exe
3660 identity_helper.exe
3660 identity_helper.exe
2952 msedge.exe
2952 msedge.exe
2952 msedge.exe
2952 msedge.exe

pid	process
4460	schtasks.exe
880	schtasks.exe
2176	schtasks.exe

pid	process
3040	msedge.exe
3040	msedge.exe
1448	msedge.exe
1448	msedge.exe
3660	identity_helper.exe
3660	identity_helper.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

Processes:

msedge.exe

pid	process
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exemsedge.exemighost.exemighost.exe

pid	process
644	1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe
644	1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe
644	1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
220	mighost.exe
220	mighost.exe
220	mighost.exe
388	mighost.exe
388	mighost.exe
388	mighost.exe

Suspicious use of SendNotifyMessage 33 IoCs

Processes:

1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exemsedge.exemighost.exemighost.exe

pid	process
644	1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe
644	1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe
644	1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
220	mighost.exe
220	mighost.exe
220	mighost.exe
388	mighost.exe
388	mighost.exe
388	mighost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exemsedge.exe

description	pid	process	target process
PID 644 wrote to memory of 1316	644	1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe	1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe
PID 644 wrote to memory of 1316	644	1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe	1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe
PID 644 wrote to memory of 1316	644	1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe	1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe
PID 644 wrote to memory of 1316	644	1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe	1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe
PID 644 wrote to memory of 1316	644	1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe	1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe
PID 1316 wrote to memory of 1448	1316	1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe	msedge.exe
PID 1316 wrote to memory of 1448	1316	1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe	msedge.exe
PID 1448 wrote to memory of 4256	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 4256	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2060	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2060	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2060	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2060	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2060	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2060	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2060	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2060	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2060	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2060	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2060	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2060	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2060	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2060	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2060	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2060	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2060	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2060	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2060	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2060	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2060	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2060	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2060	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2060	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2060	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2060	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2060	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2060	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2060	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2060	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2060	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2060	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2060	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2060	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2060	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2060	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2060	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2060	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2060	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2060	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 3040	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 3040	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2096	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2096	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2096	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2096	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2096	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2096	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2096	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2096	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2096	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2096	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2096	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2096	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2096	1448	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe
"C:\Users\Admin\AppData\Local\Temp\1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:644

C:\Users\Admin\AppData\Local\Temp\1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe
"C:\Users\Admin\AppData\Local\Temp\1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9b83646f8,0x7ff9b8364708,0x7ff9b8364718
4⤵
PID:4256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,10430030281588601351,13312045209064427464,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
4⤵
PID:2060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,10430030281588601351,13312045209064427464,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,10430030281588601351,13312045209064427464,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
4⤵
PID:2096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10430030281588601351,13312045209064427464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
4⤵
PID:2364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10430030281588601351,13312045209064427464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
4⤵
PID:1616

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,10430030281588601351,13312045209064427464,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 /prefetch:8
4⤵
PID:1280

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,10430030281588601351,13312045209064427464,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 /prefetch:8
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10430030281588601351,13312045209064427464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:1
4⤵
PID:2432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10430030281588601351,13312045209064427464,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
4⤵
PID:4376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10430030281588601351,13312045209064427464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:1
4⤵
PID:628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10430030281588601351,13312045209064427464,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
4⤵
PID:4220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10430030281588601351,13312045209064427464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4212 /prefetch:1
4⤵
PID:4976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10430030281588601351,13312045209064427464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4512 /prefetch:1
4⤵
PID:3008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10430030281588601351,13312045209064427464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
4⤵
PID:892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10430030281588601351,13312045209064427464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3680 /prefetch:1
4⤵
PID:60

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10430030281588601351,13312045209064427464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2064 /prefetch:1
4⤵
PID:3472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10430030281588601351,13312045209064427464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
4⤵
PID:2476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10430030281588601351,13312045209064427464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1736 /prefetch:1
4⤵
PID:4008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10430030281588601351,13312045209064427464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
4⤵
PID:4232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10430030281588601351,13312045209064427464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:1
4⤵
PID:4592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10430030281588601351,13312045209064427464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1
4⤵
PID:3496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10430030281588601351,13312045209064427464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
4⤵
PID:3932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10430030281588601351,13312045209064427464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1
4⤵
PID:2160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10430030281588601351,13312045209064427464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
4⤵
PID:2968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,10430030281588601351,13312045209064427464,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5412 /prefetch:2
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
3⤵
PID:1476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9b83646f8,0x7ff9b8364708,0x7ff9b8364718
4⤵
PID:1292

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn TRACERT /tr "C:\Users\Admin\cdp\mighost.exe" /sc minute /mo 1 /F
2⤵
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3168

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5012

C:\Users\Admin\cdp\mighost.exe
C:\Users\Admin\cdp\mighost.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:220

C:\Users\Admin\cdp\mighost.exe
"C:\Users\Admin\cdp\mighost.exe"
2⤵
- Executes dropped EXE
PID:2996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=mighost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
3⤵
PID:3524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9b83646f8,0x7ff9b8364708,0x7ff9b8364718
4⤵
PID:2232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=mighost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
3⤵
PID:3980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9b83646f8,0x7ff9b8364708,0x7ff9b8364718
4⤵
PID:3412

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn TRACERT /tr "C:\Users\Admin\cdp\mighost.exe" /sc minute /mo 1 /F
2⤵
- Scheduled Task/Job: Scheduled Task
PID:4460

C:\Users\Admin\cdp\mighost.exe
C:\Users\Admin\cdp\mighost.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:388

C:\Users\Admin\cdp\mighost.exe
"C:\Users\Admin\cdp\mighost.exe"
2⤵
- Executes dropped EXE
PID:1596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=mighost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
3⤵
PID:3828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9b83646f8,0x7ff9b8364708,0x7ff9b8364718
4⤵
PID:5028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=mighost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
3⤵
PID:3356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9b83646f8,0x7ff9b8364708,0x7ff9b8364718
4⤵
PID:4784

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn TRACERT /tr "C:\Users\Admin\cdp\mighost.exe" /sc minute /mo 1 /F
2⤵
- Scheduled Task/Job: Scheduled Task
PID:880

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
c875062a122b471654601b9fc34bd9d7

SHA1
95e2630dd275ab116851ab9d15a4431cb448441c

SHA256
49065a2cc3cc4e4ca43dde5958149ab1fa16c87c409f01f4b52f72f15fb10972

SHA512
f1ec30337678eee26d67766db1e26e2f8296d0a5c7b03cd8a7423f403e8f48625fdb2d077899399c1b526af4da28fbd8b1363783fb1288d8bcc6fbb413980233

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
344f0058b0a474083a135094fc82c5cb

SHA1
53d66635a0c8402a25c8b3deb6b8e986bf501c5a

SHA256
235093ad929ed2d80327de00fed648e39720a4978dc31358f5021fca37235dad

SHA512
a9ad572a0c34b324c39e6b8f677b44b279a5d80ee788159a50171af063371682ae38e3042ac3da21c339114281e7280bbb457308a7ed0a1d83e4fce79538dc14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
9270f7133f52cde354c8104aa55053a7

SHA1
ce1d7c054f89602cb75fb565373eb89bd7a9d4d5

SHA256
055ea5b3b0513e011a9d8bd3d76a44e07e7bdb8054712f4bfcd4dfd42d5f51ac

SHA512
2896acaab10b6501ea879ce3b10ace2cab701190a02586ffb74af6d3b8837c6d6b3aef030c971e2c35dd8870139c96eb9ba29f77f09d376cc469057ce23aa92c

Download Submit
C:\Users\Admin\cdp\mighost.exe
Filesize
858KB

MD5
ee700f0fb6ef98edeffcd02d07d70dd7

SHA1
33a8403b3528471be660c940a4155a0393a0f0bc

SHA256
2cb84f35f185872f50c03cd64b6d2cb85fb9a92575d75341b334197ef450ba74

SHA512
59a2b0da3c8da8ea6082b842575d5131962667d7b93c060ffdc5649cb088be8804479aabe7ae0ecae77bd8132f929a5ad3074faad8f3cfafc9a9506d5ceec328

Download Submit
\??\pipe\LOCAL\crashpad_1448_SXCSUNWYJEFBGVAK
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/220-140-0x0000000000950000-0x0000000000AEE000-memory.dmp

Filesize
1.6MB

Download
memory/220-104-0x0000000000950000-0x0000000000AEE000-memory.dmp

Filesize
1.6MB

Download
memory/220-121-0x0000000000950000-0x0000000000AEE000-memory.dmp

Filesize
1.6MB

Download
memory/388-176-0x0000000000950000-0x0000000000AEE000-memory.dmp

Filesize
1.6MB

Download
memory/388-215-0x0000000000950000-0x0000000000AEE000-memory.dmp

Filesize
1.6MB

Download
memory/388-218-0x0000000000950000-0x0000000000AEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-49-0x0000000000860000-0x00000000009FE000-memory.dmp

Filesize
1.6MB

Download
memory/644-0-0x0000000000860000-0x00000000009FE000-memory.dmp

Filesize
1.6MB

Download
memory/644-32-0x0000000000860000-0x00000000009FE000-memory.dmp

Filesize
1.6MB

Download
memory/644-6-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/1316-1-0x0000000000130000-0x000000000018E000-memory.dmp

Filesize
376KB

Download
memory/1316-7-0x0000000000860000-0x00000000009FE000-memory.dmp

Filesize
1.6MB

Download
memory/2996-106-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2996-112-0x0000000000950000-0x0000000000AEE000-memory.dmp

Filesize
1.6MB

Download