warzonerat | hxxp://www[.]github[.]com

Analysis

max time kernel
268s
max time network
271s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
22-02-2024 17:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://www.github.com

Score

10^/10

warzonerat infostealer rat rezer0 upx

Malware Config

Extracted

Family

warzonerat

168.61.222.215:5400

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/3152-854-0x00000000051C0000-0x00000000051E8000-memory.dmp	rezer0

Warzone RAT payload 8 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1956-861-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral1/memory/1956-864-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral1/memory/1956-866-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral1/memory/3068-886-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral1/memory/3068-887-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral1/memory/5084-915-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral1/memory/5084-916-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral1/memory/1956-917-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WarzoneRAT.exeWarzoneRAT.exeWarzoneRAT.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation	WarzoneRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation	WarzoneRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation	WarzoneRAT.exe

Executes dropped EXE 6 IoCs

Processes:

WarzoneRAT.exeWarzoneRAT.exeWarzoneRAT.exeBlueScreen.exeBlueScreen.exeNostart.exe

pid process

3152 WarzoneRAT.exe
5032 WarzoneRAT.exe
804 WarzoneRAT.exe
4164 BlueScreen.exe
3956 BlueScreen.exe
1428 Nostart.exe

pid	process
3152	WarzoneRAT.exe
5032	WarzoneRAT.exe
804	WarzoneRAT.exe
4164	BlueScreen.exe
3956	BlueScreen.exe
1428	Nostart.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\BlueScreen.exe	upx
behavioral1/memory/4164-985-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/4164-987-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/3956-998-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/3956-1008-0x0000000000400000-0x0000000000409000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

81 raw.githubusercontent.com
82 raw.githubusercontent.com
67 camo.githubusercontent.com

flow	ioc
81	raw.githubusercontent.com
82	raw.githubusercontent.com
67	camo.githubusercontent.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

WarzoneRAT.exeWarzoneRAT.exeWarzoneRAT.exe

description	pid	process	target process
PID 3152 set thread context of 1956	3152	WarzoneRAT.exe	MSBuild.exe
PID 5032 set thread context of 3068	5032	WarzoneRAT.exe	MSBuild.exe
PID 804 set thread context of 5084	804	WarzoneRAT.exe	MSBuild.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

5096 schtasks.exe
4660 schtasks.exe
4136 schtasks.exe

pid	process
5096	schtasks.exe
4660	schtasks.exe
4136	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2132103209-3755304320-2959162027-1000\{2F6BB4DB-9749-4E12-991C-325C3799956D}	msedge.exe

NTFS ADS 5 IoCs

Processes:

msedge.exeWarzoneRAT.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 778361.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 76879.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 150758.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\jFvfxe.exe\:SmartScreen:$DATA	WarzoneRAT.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 665183.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exeWarzoneRAT.exeWarzoneRAT.exeWarzoneRAT.exemsedge.exemsedge.exe

pid	process
3888	msedge.exe
3888	msedge.exe
3080	msedge.exe
3080	msedge.exe
3416	identity_helper.exe
3416	identity_helper.exe
1864	msedge.exe
1864	msedge.exe
4452	msedge.exe
4452	msedge.exe
3016	msedge.exe
3016	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
232	msedge.exe
232	msedge.exe
3152	WarzoneRAT.exe
3152	WarzoneRAT.exe
3152	WarzoneRAT.exe
3152	WarzoneRAT.exe
5032	WarzoneRAT.exe
5032	WarzoneRAT.exe
5032	WarzoneRAT.exe
5032	WarzoneRAT.exe
804	WarzoneRAT.exe
804	WarzoneRAT.exe
804	WarzoneRAT.exe
804	WarzoneRAT.exe
2440	msedge.exe
2440	msedge.exe
3356	msedge.exe
3356	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs

Processes:

msedge.exe

pid	process
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WarzoneRAT.exeWarzoneRAT.exeWarzoneRAT.exe

description pid process

Token: SeDebugPrivilege 3152 WarzoneRAT.exe
Token: SeDebugPrivilege 5032 WarzoneRAT.exe
Token: SeDebugPrivilege 804 WarzoneRAT.exe

description	pid	process
Token: SeDebugPrivilege	3152	WarzoneRAT.exe
Token: SeDebugPrivilege	5032	WarzoneRAT.exe
Token: SeDebugPrivilege	804	WarzoneRAT.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3080 wrote to memory of 3912	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 3912	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4796	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4796	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4796	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4796	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4796	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4796	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4796	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4796	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4796	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4796	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4796	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4796	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4796	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4796	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4796	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4796	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4796	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4796	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4796	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4796	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4796	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4796	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4796	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4796	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4796	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4796	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4796	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4796	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4796	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4796	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4796	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4796	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4796	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4796	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4796	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4796	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4796	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4796	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4796	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4796	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 3888	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 3888	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4600	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4600	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4600	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4600	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4600	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4600	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4600	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4600	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4600	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4600	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4600	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4600	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4600	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4600	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4600	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4600	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4600	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4600	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4600	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4600	3080	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.github.com
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcf0a346f8,0x7ffcf0a34708,0x7ffcf0a34718
2⤵
PID:3912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,8081142510203774588,1807662419075528035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,8081142510203774588,1807662419075528035,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8
2⤵
PID:4600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,8081142510203774588,1807662419075528035,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
2⤵
PID:4796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8081142510203774588,1807662419075528035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
2⤵
PID:3864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8081142510203774588,1807662419075528035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
2⤵
PID:3424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8081142510203774588,1807662419075528035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
2⤵
PID:2424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2120,8081142510203774588,1807662419075528035,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4760 /prefetch:8
2⤵
PID:4900

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,8081142510203774588,1807662419075528035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5628 /prefetch:8
2⤵
PID:4924

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,8081142510203774588,1807662419075528035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5628 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8081142510203774588,1807662419075528035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
2⤵
PID:2612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,8081142510203774588,1807662419075528035,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5796 /prefetch:8
2⤵
PID:2444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,8081142510203774588,1807662419075528035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4172 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8081142510203774588,1807662419075528035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
2⤵
PID:1792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,8081142510203774588,1807662419075528035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1864 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8081142510203774588,1807662419075528035,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
2⤵
PID:4248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8081142510203774588,1807662419075528035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2028 /prefetch:1
2⤵
PID:5044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8081142510203774588,1807662419075528035,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:1
2⤵
PID:2468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8081142510203774588,1807662419075528035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
2⤵
PID:2288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8081142510203774588,1807662419075528035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
2⤵
PID:2268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2120,8081142510203774588,1807662419075528035,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5232 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2120,8081142510203774588,1807662419075528035,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5768 /prefetch:8
2⤵
PID:2852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8081142510203774588,1807662419075528035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
2⤵
PID:4788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8081142510203774588,1807662419075528035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
2⤵
PID:2416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8081142510203774588,1807662419075528035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
2⤵
PID:2364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,8081142510203774588,1807662419075528035,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6300 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8081142510203774588,1807662419075528035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1864 /prefetch:1
2⤵
PID:4968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2120,8081142510203774588,1807662419075528035,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3984 /prefetch:8
2⤵
PID:4456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,8081142510203774588,1807662419075528035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6188 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:232

C:\Users\Admin\Downloads\WarzoneRAT.exe
"C:\Users\Admin\Downloads\WarzoneRAT.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3152

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp599F.tmp"
3⤵
- Creates scheduled task(s)
PID:5096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
PID:1956

C:\Users\Admin\Downloads\WarzoneRAT.exe
"C:\Users\Admin\Downloads\WarzoneRAT.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5032

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp698E.tmp"
3⤵
- Creates scheduled task(s)
PID:4660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
PID:3068

C:\Users\Admin\Downloads\WarzoneRAT.exe
"C:\Users\Admin\Downloads\WarzoneRAT.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:804

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp82D2.tmp"
3⤵
- Creates scheduled task(s)
PID:4136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
PID:5084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8081142510203774588,1807662419075528035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1836 /prefetch:1
2⤵
PID:4828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2120,8081142510203774588,1807662419075528035,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6464 /prefetch:8
2⤵
PID:552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,8081142510203774588,1807662419075528035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3604 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2440

C:\Users\Admin\Downloads\BlueScreen.exe
"C:\Users\Admin\Downloads\BlueScreen.exe"
2⤵
- Executes dropped EXE
PID:4164

C:\Users\Admin\Downloads\BlueScreen.exe
"C:\Users\Admin\Downloads\BlueScreen.exe"
2⤵
- Executes dropped EXE
PID:3956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8081142510203774588,1807662419075528035,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:1
2⤵
PID:4880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8081142510203774588,1807662419075528035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
2⤵
PID:1356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8081142510203774588,1807662419075528035,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6472 /prefetch:1
2⤵
PID:4488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8081142510203774588,1807662419075528035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6720 /prefetch:1
2⤵
PID:3384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8081142510203774588,1807662419075528035,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6556 /prefetch:1
2⤵
PID:2444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8081142510203774588,1807662419075528035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6772 /prefetch:1
2⤵
PID:2040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2120,8081142510203774588,1807662419075528035,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5844 /prefetch:8
2⤵
PID:4780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2120,8081142510203774588,1807662419075528035,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6428 /prefetch:8
2⤵
PID:2052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,8081142510203774588,1807662419075528035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6608 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3356

C:\Users\Admin\Downloads\Nostart.exe
"C:\Users\Admin\Downloads\Nostart.exe"
2⤵
- Executes dropped EXE
PID:1428

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2512

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1628

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4252

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WarzoneRAT.exe.log
Filesize
507B

MD5
8cf94b5356be60247d331660005941ec

SHA1
fdedb361f40f22cb6a086c808fc0056d4e421131

SHA256
52a5b2d36f2b72cb02c695cf7ef46444dda73d4ea82a73e0894c805fa9987bc0

SHA512
b886dfc8bf03f8627f051fb6e2ac40ae2e7713584695a365728eb2e2c87217830029aa35bd129c642fa03dde3f7a7dd5690b16248676be60a6bb5f497fb23651

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
d62cefeb0c8fbab806b3b96c7b215c16

SHA1
dc36684019f7ac8a632f5401cc3bedd482526ed7

SHA256
752b0793cf152e9ea51b8a2dc1d7e622c1c1009677d8f29e8b88d3aa9427dd01

SHA512
9fc3968fec094be5ca10a0d927cb829f7f8157425946ebd99a346b7e63c977cb3f37560af1a4bc8f87ab19b43b3ed86fd5b37f89d1a9b2dc86e3c73142c3065b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7ee1c6757da82ca0a9ae699227f619bc

SHA1
72dcf8262c6400dcbb5228afcb36795ae1b8001f

SHA256
62320bde5e037d4ac1aa0f5ff0314b661f13bb56c02432814bffb0bd6e34ed31

SHA512
dca56a99b7463eddf0af3656a4f7d0177a43116f401a6de9f56e5c40a49676cea5c38b6c458f426c6bff11165eec21104cfa9ca3e38af39d43188b36d3f22a0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002
Filesize
49KB

MD5
4b4947c20d0989be322a003596b94bdc

SHA1
f24db7a83eb52ecbd99c35c2af513e85a5a06dda

SHA256
96f697d16fbe496e4575cd5f655c0edb07b3f737c2f03de8c9dda54e635b3180

SHA512
2a3443e18051b7c830517143482bf6bffd54725935e37ee58d6464fac52d3ce29c6a85fc842b306feaa49e424ba6086942fc3f0fea8bb28e7495070a38ce2e59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003
Filesize
24KB

MD5
1deeafca9849f28c153a97f5070355d6

SHA1
03b46b765150a2f308353bcb9838cbdd4e28f893

SHA256
b1639f4ce0285c41f4bd666f3fae4767094e3042b0379646b5ccfe04ef01ec19

SHA512
52122b7e3ca9b58eab42fc652c24b4b8c17c43970f88860372d8377c49c540c31ddc81b519f4d59d34e199571758f82ab2fea0737ac1f847b3d4dd75d7acac19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005
Filesize
43KB

MD5
8d1ef1b5e990728dc58e4540990abb3c

SHA1
79528be717f3be27ac2ff928512f21044273de31

SHA256
3bdb20d0034f62ebaa1b4f32de53ea7b5fd1a631923439ab0a24a31bccde86d9

SHA512
cd425e0469fdba5e508d08100c2e533ef095eeacf068f16b508b3467684a784755b1944b55eb054bbd21201ba4ce6247f459cc414029c7b0eb44bdb58c33ff14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010
Filesize
23KB

MD5
bc4836b104a72b46dcfc30b7164850f8

SHA1
390981a02ebaac911f5119d0fbca40838387b005

SHA256
0e0b0894faf2fc17d516cb2de5955e1f3ae4d5a8f149a5ab43c4e4c367a85929

SHA512
e96421dd2903edea7745971364f8913c2d6754138f516e97c758556a2c6a276ba198cdfa86eb26fe24a39259faff073d47ef995a82667fa7dee7b84f1c76c2b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000034
Filesize
233KB

MD5
20fa439e1f64c8234d21c4bc102d25f8

SHA1
ba6fc1d9ba968c8328a567db74ef03eee9da97d8

SHA256
2f10f1384f3513f573a88e1771c740a973a5a304387e23aa4bf310794532fa8e

SHA512
19e9d62a852293ffa99a412ba8fa5dd0336a7753af4975e06cd53c02ee6f0058485160f8f8a64a8bca19d88eb426a4a2785885c02a494f33f2b6e383204a7f39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
72e60772713ff9acba2353e7c6f7e03a

SHA1
ff55212d05c94646d9b65ae5d170945d89a03413

SHA256
3b03ecf96c3fc53b748ef304346f25fe33e856dd0b8f0c3d2763bc45701a3c76

SHA512
46162dfbc25954110de7885686f275e16b1e2c04fe171bca1429a6caa36449089891eda77260cae1bca14f623137d1f466f0a70a7f3bc184c0f1ffaf488740ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
4KB

MD5
0b77fcb782532f6d0df0b183c0e1fb47

SHA1
b81b2cb0cc54b30d86de2c593d47223021c2a785

SHA256
fa31328b30f30ab2aad9ed85d3b059368c182eda20202edaf8281d6ac9394bd2

SHA512
bce2ccefc9c221bd246aee5c5f8a0078d2ec6b6503e7c1d7fd819eb7fff9bcbf248a61d7e63a74a1b17a41c212d4776f14652d662c9599f8ec9b57a8b6d1bf51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
4KB

MD5
b349f57003cbfedb9fce8d4ad64e2ebc

SHA1
e135876b450a57198c75c74c1898fafe36737efd

SHA256
45f855e98ea83086997a52c05e68ea7afe5a4c57aa2d72be54fbb3a33bcd3bdc

SHA512
2ed703b739a0712342ac24db83c166a30c8252d097d06ed06e5c4ac103bb4d14406568eb4cfff10a519e8a9f3fd0d718b6d7011e8e4b3ea720dc0eafa052b09a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
583B

MD5
c670cf3fb3f2d05087cb10b079af37b0

SHA1
edaec7dafabb7cd48cfea6da04e85d1833bc348c

SHA256
f79f59bb8329a5cff644902f1a1a37a392dfc362f61850e86c14cad7154276fa

SHA512
9f105d70335d76740e8ae821da751051aab4ecbc50ab00e9320535a997f2574df5e8b2852a73bd18d1d441eb63498baeae0d86010771683c89bb6d2813abb999

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1008B

MD5
e4bb1acd296cb21e1aa63149f19e0e93

SHA1
c83755891c504668576674a664cb838846398dda

SHA256
346bd3ef4774c3ea3a93a5e6ff10eb884ee8d2b378ba870bcd7238e3cbb7e274

SHA512
90fe721d2d3cb55bd31b733929be17d9225d563cd1d8ed43b389ecaf43d4ecc15bbfd8593a4df5f777dd79514984051d37301787a423fde5f1801ecd69a98008

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
2c8d4982728d1a72546702cf86c9e717

SHA1
36e089b7edea633be54e8b01f9403c0cc7f9a320

SHA256
7cc05b7768e7136d5c52555e7c673b9a4a5c0621e1d04b5131b5f41971818830

SHA512
a7e60d116844ab755d4e27f7f6caf46b1721b9fb4adf682fa6ab1995d407050b658fae61d275370d82fce484c75599941bfa2512fcaf93eb896ef8ec95903402

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
9924d0dffaa121f35d84c49744d8f3aa

SHA1
4b472f4b9a9cfafed163374571039d61dd71ecda

SHA256
213848daaa75bfdf802a67f26e6e2cbb4ae04df24a8d008615312a88261cbee7

SHA512
0ea7f05c9d195d1228e310b5a3ce390859dd682a44d3aad7de36e984ad9a390b88e7c216baff34351fdd42cbaa757394e462c2960548bab7e2a4afcba50c973f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
d4961a2cedc6140320446bd7ad0f019c

SHA1
3fbb3f8daef1045af19d012ccc0792ee3472e00c

SHA256
9d2c25e355f064aee4986537b991de30a186076a4fd565750251adb5c7a745bb

SHA512
4f50bf9f1f3662203d414aa602b5d93b703a189f3429b3ddb52b301a170a632ff9011488bc574b1b4fb24568b0130d3c240436dae562392e4eb7f6169ad7d078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
f18b12f8a8ae9874b3a7157227a90e04

SHA1
68a03bcf6d49807f628e781b06ad358f6cf0f77b

SHA256
cd7a4261959e68d083a49db7e2739f39cad5364f891cfa5f216b05828ba140ef

SHA512
af79c245a9805459dc1940fd227a9988c771c0fd7736407d00255a32e8adcbb1940df49ff87d4bb6e6db8ad7c3f79a420afebe2e84f162332a3e7b5a0bbcc023

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
c27b6bdaeb08daeb53d85db431b925ef

SHA1
04565d87a974e00c42bf0768b0071c4ff005628c

SHA256
b9f18c3368459644cab1a971886975823655332526754871e11ff36581dfef18

SHA512
aa27cc9d3fece80d5300f5833fc38819d7a427b5ef8047feffd0570dc881c1dbece4f9c2aa11e694c2d3c705e772eacb49a8e442d0e021497d0877a2c5207f37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
4061ebc206ce8fbb0d80ba972bc40aa4

SHA1
916dd7ea5fb4b100c682fa64b35015498a3aedff

SHA256
14d25b79c0f1c7f2a015cae898a2cf9875b10f1d1276c57297b8ca3f38888995

SHA512
53ee96966fcac5f2cc1ee2f98f6cc342a96773c44f53386ff9c5b969697f096e0f12d4bdcd7cb193da198a4d58cb5fa667b1307d2258054a43a827d199f10d1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
f56389554ef2367dd653d04f45c21fcc

SHA1
9ba0cca2db4a63d825aab045882e9c1d57b03c95

SHA256
d7fbc950fbe4c556ba098858657cc6a6f8616085d7257ec6b60805a5169209aa

SHA512
ae809ed80095c668f3b228da4f500ebd922514ed22a99f65ad8ea804b70235591a8476451cc8f59fce4988e9619999bb97f300cc9d30f4799f826239609ce71a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
cb217c232dcbb46a9bb64dac3a770df4

SHA1
2b6f51cd6342e8cf17d643e36d95bff9f17b88a1

SHA256
5bcc841f389ca71796c026384e019cf10a3ecf7f106ddb3f93e33920cbc9c2e7

SHA512
60f137cee2fd208d528abd4ee70e9d41006bc3e8796623b253c4acbc857be17aec94a5d52554228665a03f3445f8a204334c9fbec4f2cf4ce5d22cbe45ba3c7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
1780d6917dd14f73fadac377c8b47ac5

SHA1
72df133d4e3273037cf68eaef0c6325b512e2430

SHA256
a20d27a77f661512369095c1526d5d38fba489fec46b2c44cea937e2d123dcbf

SHA512
d92720cc8fe92e60afb040cf9688b5dd56a986157d29934d4c0f62d8120502029d494cc1862f80d79aee439a7978520f4b2d5e42512c5be1363e500131c8e4b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
d46c9b13cca143936276c245a1c9863c

SHA1
a740642409485283ee2dc55f265f75718c7f23ca

SHA256
281dc1543e1e2adfa64f39a27c45a7ec7cbcdabdd363cacd17a01be2c6f2023a

SHA512
e4a47c7f7c88abf295b406e3a9ba03cb0b6e91551264171421d7da27e7ddc5c8591a8ecd9e6ca0387fe99f20d020a3340785171b6d01c64592a2760a390fad00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
a01e422e7178a65d48ef0ffe383302ea

SHA1
92e6eed08b2cdbca41483ad7b0f5af9c3bf83642

SHA256
430946a6696dbdf1ce4261a38404ce0108cafcb7c377831bae5fe70174031669

SHA512
980fe1521778f9acca2508eb34e9e88c8508c60792a99178a6b823afe6318cb56108a51fba3bb3a93269531a7f9e25915d60d3543c85dffb5bf4c1bbab69b12b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
c3e21f00b40e348235c2d5bc15281e58

SHA1
f844976cf0cb79f09ccddc4662adc4185b97dda2

SHA256
8bba38230eb69c4b2aa10191c3a083b1d2f2702681acd7ba5af7572e4ee2184a

SHA512
1876efaeb9ebd13d0d30346a30cf9217f8dafaee0d6e5797fe9b2806258b88b051e10daa8bdcad7bc8da2d0d3e36fdc89241d287a18cd93cf50eb158494f5ab6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
899ce54936fa57df796e2f7935fd8ae3

SHA1
559e98986c5891d977bdce11d317ba1648b7e8c4

SHA256
1b29ebf144c31135ecdfcc9acb92033542a34f7a6ea6b81374a4eaf6c2bf9230

SHA512
cc68e9b4a5424fe3f302a8a93b17de582f5ae78ce27e4ee37e1ea277e9f02421a9a8b0308cf34b7c3beabe9ef31c604c980bf28069653cfbb63a52805997d993

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
c74dab54266e5066ca1c93954cb08722

SHA1
7a21a64cd6b11a132932f8f3fb4e03a6bb2b2439

SHA256
9bdafdc07bddb2a60cb4d02745df0170588a862e41dadd99707e6118cb3cd842

SHA512
9a738390b643a61f2b189ae4e2dac2f37655ba7797d1444242007b5ce0c7942c83f938a07b6fdd249b547a949eb85866bbf98aaa074f358cb274a30cbb0de15a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
d0c84d46d83648d9ad5304047767143c

SHA1
dd6a44ec4a9206f5a83266e7e070a5c016fe8f2b

SHA256
0a924bfa825997b51e8fb97de3d03578c20e19f16932c9ea689ee5dedcf5eb3f

SHA512
805be8287ac7159e54d6ddf76a7d41ce564ee14e9581e539807dc72dbb069077c71db756e60095d32a39a9147d3403ed316c58119cd4c60f19caf6e8fc4cd3da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
b1d898e0f9bd69471949b004888a2588

SHA1
79d28c5b7b5c4104fbb1a675a4e16214595247b4

SHA256
dcb18c0a5229cac356a06131e883500cf11b8b9b0397ee06b2c084f7f05edb4d

SHA512
b217b88ca977ed49fdb0cd34e6391d7bfbc1b4b4a339282f8461ce5a7d1f6d669edc190fdd9995e8cb656512fa79a877062b0b5d67efc08e50fca38ff815259e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
5b9b930eb7a28b7bfd80cead2f6ca17d

SHA1
92a997f7d6cd8972057a51ccfc55b741fee3304c

SHA256
5131946dd2f80f8bd42970c1a6d36b964139218f91d880443d060ff4e03bc501

SHA512
e96e61e03fd5572914040f763add4592058f30cddf7328753f485f3267056a527d27202cc221dbf3f88a81f15b0c5460753f72cb81648afca7bab07485ee7125

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
d7e119b7e53657c9d5cb578220640903

SHA1
83d1dbdec4bbcf39efe6cdb407a8be42412cb615

SHA256
d9b74dc64b25af6a527a1347dfac8bdc70f5bdf0b1022c928feefaa95de73b00

SHA512
dde1c374968cef449805c43c64e8276a92834562263bcae225dd949dfac8c74bbc23c73f8c4abb30e67a2dfa65b7e273a4432f00975d2f38d34ee578c59c138d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe579f7c.TMP
Filesize
874B

MD5
d3f0549492c13c6befdb8694a92b7418

SHA1
4c5c17d8d56eb94fb5ec3605753ceea7244ed6bf

SHA256
8fc4292b8fc9c16aa61d990e0c2029f2e7b45c55adf672e6e20a484af18fd307

SHA512
e1b426218f0c8721c5bdb61a57f61512d6949f92a52da1ad0888dcdc97642fa109aaa75c622094df4d2436e750abe2c0674cb3d45cbfd07ef591c45d6ca9ad03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
db2e6a1c3b078d3416d60bb2fc8ac55d

SHA1
8b2e71cdb0cf1e078b8e6911e7e32e18b0617694

SHA256
cdd28b0c6c69def1612744ec599ecd9da17ca961d664fb7a6ee7befa0233fa74

SHA512
389f1db11c6e93b6a94fa852c857e9a5edd3f757bfd5f623712e8226de5089df94978ceba3cabdad9324f020c954e413f033bc26179caea91e73b737032c43e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
d53477ad510197998b5bb38e78ca0640

SHA1
bfbedc14086446b440dc5718aaee27cd9ab3750d

SHA256
19b71d101760470e9494b6dd9abd1a9a47f3e5a1a5c65f950172ad7f8ed05362

SHA512
ab43cf24323782199b977ebe606d1a7d33b96e94bf9433b5278eaf868b3cd31b9fe570a34f2b456a9bf44a761fcdbd2972e5e14072601d198e7024b653aa994a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
c85dfaf8cfeeea93d82f948051031e58

SHA1
af47a553fb68d168b2f20f6455d3bc28646c010a

SHA256
a96b32b11d65be6fc9222a923d6e7088ab0177098dacfeddcf5436ee29cba407

SHA512
20ec2a9c95cea63130891605632d43f35c161a82f63248b3b57b29bfaade3d762fa8176174a1f2a91e7c2d4eccf264d5c017ce03676d8d7d37da7eae2edae885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
24c1f5b94f2c4b6ac8c9e5b8e435116b

SHA1
9fd10696357cc219b8cccd6683d62b35d05f9e0d

SHA256
00ca1ca8a7131a1b2dbe413663491ec61e2ab458d3405769baee5a5133a0482b

SHA512
f7416d06fba2e455620156ad72a2a46538fc0af76ef2a41e04fd873e961b7c49e856412c5933aa7bf771a20c0a89d0f1fa89fdd08769f7bea7bfa1cb1bfc1689

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
50715cc1ce3ff1f180c85c1f12636e7b

SHA1
7c6364df5929eff4a142e40b28469c084496dcc6

SHA256
73de16c8ff4b9a5299099a69405cffb12b1df5aa0a91723eb1fd336a820924c7

SHA512
07ccd1fbb5d519f2b1f62a9b46c649961d20313e12dca81501d66eb0a06ef338c44fa8ee7869aab6d40850734c7df2ef2a992a274b93e8a4cc6e6fa3498317bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp599F.tmp
Filesize
1KB

MD5
8846a22dbde212f2527849d6ecb86a10

SHA1
1f51fe20476c7d2be0afe43b1ad53747003cf945

SHA256
6f4d0aac7540eb9d040c3bea9820af52a0144810efb89d1ea8cc4473f5acf2b3

SHA512
f28e7afe5c520d6c032ae966b51f77dadf8914da9fc76edd66a0e0807ea910237c166f7f76118ed8a111715e62ae5f6cd90440eb06821070ec699bf74f2e479d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
10KB

MD5
959b82e9b2921c66052d8d9dfced2c38

SHA1
f215a0dfac9230c3cc52b1af19021349cc2f6bce

SHA256
8b361602464bd668ed060a0a91058d18b29c9b41ea0e073073604d580145530a

SHA512
f21d22b244f05d3802c93a3a3c1e2c0523a07a800a3e46096126e103db5a7aafe747f32197673fb9ff4a3061d1ab3960041506997ac0aca801059ab320a2970a

Download Submit
C:\Users\Admin\Downloads\BlueScreen.exe
Filesize
9KB

MD5
b01ee228c4a61a5c06b01160790f9f7c

SHA1
e7cc238b6767401f6e3018d3f0acfe6d207450f8

SHA256
14e6ac84d824c0cf6ea8ebb5b3be10f8893449474096e59ff0fd878d49d0c160

SHA512
c849231c19590e61fbf15847af5062f817247f2bcd476700f1e1fa52dcafa5f0417cc01906b44c890be8cef9347e3c8f6b1594d750b1cebdd6a71256fed79140

Download Submit
C:\Users\Admin\Downloads\NoMoreRansom.zip
Filesize
916KB

MD5
f315e49d46914e3989a160bbcfc5de85

SHA1
99654bfeaad090d95deef3a2e9d5d021d2dc5f63

SHA256
5cbb6442c47708558da29588e0d8ef0b34c4716be4a47e7c715ea844fbcf60d7

SHA512
224747b15d0713afcb2641f8f3aa1687516d42e045d456b3ed096a42757a6c10c6626672366c9b632349cf6ffe41011724e6f4b684837de9b719d0f351dfd22e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 150758.crdownload
Filesize
321KB

MD5
600e0dbaefc03f7bf50abb0def3fb465

SHA1
1b5f0ac48e06edc4ed8243be61d71077f770f2b4

SHA256
61e6a93f43049712b5f2d949fd233fa8015fe4bef01b9e1285d3d87b12f894f2

SHA512
151eebac8f8f6e72d130114f030f048dff5bce0f99ff8d3a22e8fed7616155b3e87d29acf79f488d6b53ed2c5c9b05b57f76f1f91a568c21fe9bca228efb23d9

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 76879.crdownload:SmartScreen
Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r.zip
Filesize
3.3MB

MD5
e58fdd8b0ce47bcb8ffd89f4499d186d

SHA1
b7e2334ac6e1ad75e3744661bb590a2d1da98b03

SHA256
283f40e9d550833bec101a24fd6fd6fbd9937ed32a51392e818ffff662a1d30a

SHA512
95b6567b373efa6aec6a9bfd7af70ded86f8c72d3e8ba75f756024817815b830f54d18143b0be6de335dd0ca0afe722f88a4684663be5a84946bd30343d43a8c

Download Submit
\??\pipe\LOCAL\crashpad_3080_EHGGWVNPXPYEIGOJ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/804-913-0x0000000073DF0000-0x00000000745A0000-memory.dmp

Filesize
7.7MB

Download
memory/804-907-0x0000000073DF0000-0x00000000745A0000-memory.dmp

Filesize
7.7MB

Download
memory/804-908-0x0000000005070000-0x0000000005080000-memory.dmp

Filesize
64KB

Download
memory/1428-1183-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1428-1164-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1956-861-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/1956-917-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/1956-864-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/1956-866-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/3068-887-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/3068-886-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/3152-847-0x0000000000040000-0x0000000000096000-memory.dmp

Filesize
344KB

Download
memory/3152-854-0x00000000051C0000-0x00000000051E8000-memory.dmp

Filesize
160KB

Download
memory/3152-848-0x0000000074570000-0x0000000074D20000-memory.dmp

Filesize
7.7MB

Download
memory/3152-849-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/3152-850-0x0000000005210000-0x00000000057B4000-memory.dmp

Filesize
5.6MB

Download
memory/3152-851-0x0000000004E40000-0x0000000004ED2000-memory.dmp

Filesize
584KB

Download
memory/3152-852-0x0000000004E10000-0x0000000004E18000-memory.dmp

Filesize
32KB

Download
memory/3152-865-0x0000000074570000-0x0000000074D20000-memory.dmp

Filesize
7.7MB

Download
memory/3152-853-0x0000000005860000-0x00000000058FC000-memory.dmp

Filesize
624KB

Download
memory/3956-1008-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3956-998-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4164-985-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4164-987-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5032-885-0x0000000073DF0000-0x00000000745A0000-memory.dmp

Filesize
7.7MB

Download
memory/5032-879-0x00000000024B0000-0x00000000024C0000-memory.dmp

Filesize
64KB

Download
memory/5032-878-0x0000000073DF0000-0x00000000745A0000-memory.dmp

Filesize
7.7MB

Download
memory/5084-916-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/5084-915-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download