amadey | 3bce752207b2f203bf9d90528279efdde5cf758d4c0ff3c28f446c758b98981e

Analysis

max time kernel
148s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
28-03-2024 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3bce752207b2f203bf9d90528279efdde5cf758d4c0ff3c28f446c758b98981e.exe
Size

1.8MB
MD5

e3f2565e66bef7c990748a5f99b706c4
SHA1

52808d09a2b8c7b4fe54e3f0634ad74663003a37
SHA256

3bce752207b2f203bf9d90528279efdde5cf758d4c0ff3c28f446c758b98981e
SHA512

c03ba03ffaf5d8ade527be7a9a8efec7e28d702cf6d2cefefb0be396e867033efa80501b69975405df9980cc1e2ca6612bd1ae28ee017c80b5a74f9d8e931979
SSDEEP

49152:69FWlJTG9dU9I6XyhhBnr1a+mu+1ENJ8+OcWsMo7r:Bl6diI6Xwxrzv+16++Z1/

Score

10^/10

amadey risepro evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.18

http://193.233.132.56

Attributes

install_dir
09fd851a4f
install_file
explorha.exe
strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

install_dir
00c07260dc
install_file
explorgu.exe
strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

explorha.exe3bce752207b2f203bf9d90528279efdde5cf758d4c0ff3c28f446c758b98981e.exeexplorha.exe8ce42d6d1d.exeamert.exeexplorgu.exeexplorha.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3bce752207b2f203bf9d90528279efdde5cf758d4c0ff3c28f446c758b98981e.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	8ce42d6d1d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorgu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe

Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

flow pid process

41 5992 rundll32.exe
49 3328 rundll32.exe
52 5836 rundll32.exe
54 2448 rundll32.exe
Downloads MZ/PE file

flow	pid	process
41	5992	rundll32.exe
49	3328	rundll32.exe
52	5836	rundll32.exe
54	2448	rundll32.exe

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3bce752207b2f203bf9d90528279efdde5cf758d4c0ff3c28f446c758b98981e.exeexplorgu.exeexplorha.exeexplorha.exeexplorha.exe8ce42d6d1d.exeamert.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3bce752207b2f203bf9d90528279efdde5cf758d4c0ff3c28f446c758b98981e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8ce42d6d1d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3bce752207b2f203bf9d90528279efdde5cf758d4c0ff3c28f446c758b98981e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8ce42d6d1d.exe

Executes dropped EXE 7 IoCs

Processes:

explorha.exe8ce42d6d1d.exego.exeamert.exeexplorgu.exeexplorha.exeexplorha.exe

pid process

2972 explorha.exe
4236 8ce42d6d1d.exe
2808 go.exe
5616 amert.exe
5280 explorgu.exe
5620 explorha.exe
5244 explorha.exe

pid	process
2972	explorha.exe
4236	8ce42d6d1d.exe
2808	go.exe
5616	amert.exe
5280	explorgu.exe
5620	explorha.exe
5244	explorha.exe

Identifies Wine through registry keys 2 TTPs 7 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

amert.exeexplorgu.exeexplorha.exeexplorha.exe3bce752207b2f203bf9d90528279efdde5cf758d4c0ff3c28f446c758b98981e.exeexplorha.exe8ce42d6d1d.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine	amert.exe
Key opened	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine	explorgu.exe
Key opened	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine	3bce752207b2f203bf9d90528279efdde5cf758d4c0ff3c28f446c758b98981e.exe
Key opened	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine	8ce42d6d1d.exe

Loads dropped DLL 6 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid process

5964 rundll32.exe
5992 rundll32.exe
3328 rundll32.exe
5964 rundll32.exe
5836 rundll32.exe
2448 rundll32.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
5964	rundll32.exe
5992	rundll32.exe
3328	rundll32.exe
5964	rundll32.exe
5836	rundll32.exe
2448	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorha.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\8ce42d6d1d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000042001\\8ce42d6d1d.exe"	explorha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\go.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000044001\\go.exe"	explorha.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

3bce752207b2f203bf9d90528279efdde5cf758d4c0ff3c28f446c758b98981e.exeexplorha.exeamert.exeexplorgu.exeexplorha.exeexplorha.exe

pid	process
5044	3bce752207b2f203bf9d90528279efdde5cf758d4c0ff3c28f446c758b98981e.exe
2972	explorha.exe
5616	amert.exe
5280	explorgu.exe
5620	explorha.exe
5244	explorha.exe

Drops file in Windows directory 2 IoCs

Processes:

amert.exe3bce752207b2f203bf9d90528279efdde5cf758d4c0ff3c28f446c758b98981e.exe

description	ioc	process
File created	C:\Windows\Tasks\explorgu.job	amert.exe
File created	C:\Windows\Tasks\explorha.job	3bce752207b2f203bf9d90528279efdde5cf758d4c0ff3c28f446c758b98981e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

3bce752207b2f203bf9d90528279efdde5cf758d4c0ff3c28f446c758b98981e.exeexplorha.exemsedge.exemsedge.exemsedge.exemsedge.exeamert.exerundll32.exepowershell.exemsedge.exeidentity_helper.exeexplorgu.exeexplorha.exerundll32.exepowershell.exeexplorha.exemsedge.exe

pid	process
5044	3bce752207b2f203bf9d90528279efdde5cf758d4c0ff3c28f446c758b98981e.exe
5044	3bce752207b2f203bf9d90528279efdde5cf758d4c0ff3c28f446c758b98981e.exe
2972	explorha.exe
2972	explorha.exe
4776	msedge.exe
4776	msedge.exe
3172	msedge.exe
3172	msedge.exe
2944	msedge.exe
2944	msedge.exe
232	msedge.exe
232	msedge.exe
5616	amert.exe
5616	amert.exe
5992	rundll32.exe
5992	rundll32.exe
5992	rundll32.exe
5992	rundll32.exe
5992	rundll32.exe
5992	rundll32.exe
5992	rundll32.exe
5992	rundll32.exe
5992	rundll32.exe
5992	rundll32.exe
5356	powershell.exe
5356	powershell.exe
5356	powershell.exe
3884	msedge.exe
3884	msedge.exe
4640	identity_helper.exe
4640	identity_helper.exe
5280	explorgu.exe
5280	explorgu.exe
5620	explorha.exe
5620	explorha.exe
5836	rundll32.exe
5836	rundll32.exe
5836	rundll32.exe
5836	rundll32.exe
5836	rundll32.exe
5836	rundll32.exe
5836	rundll32.exe
5836	rundll32.exe
5836	rundll32.exe
5836	rundll32.exe
5812	powershell.exe
5812	powershell.exe
5812	powershell.exe
5244	explorha.exe
5244	explorha.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

msedge.exe

pid	process
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 5356 powershell.exe
Token: SeDebugPrivilege 5812 powershell.exe

description	pid	process
Token: SeDebugPrivilege	5356	powershell.exe
Token: SeDebugPrivilege	5812	powershell.exe

Suspicious use of FindShellTrayWindow 29 IoCs

Processes:

3bce752207b2f203bf9d90528279efdde5cf758d4c0ff3c28f446c758b98981e.exego.exemsedge.exe

pid	process
5044	3bce752207b2f203bf9d90528279efdde5cf758d4c0ff3c28f446c758b98981e.exe
2808	go.exe
2808	go.exe
2808	go.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe

Suspicious use of SendNotifyMessage 15 IoCs

Processes:

go.exemsedge.exe

pid	process
2808	go.exe
2808	go.exe
2808	go.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3bce752207b2f203bf9d90528279efdde5cf758d4c0ff3c28f446c758b98981e.exeexplorha.exego.exemsedge.exemsedge.exemsedge.exe

description	pid	process	target process
PID 5044 wrote to memory of 2972	5044	3bce752207b2f203bf9d90528279efdde5cf758d4c0ff3c28f446c758b98981e.exe	explorha.exe
PID 5044 wrote to memory of 2972	5044	3bce752207b2f203bf9d90528279efdde5cf758d4c0ff3c28f446c758b98981e.exe	explorha.exe
PID 5044 wrote to memory of 2972	5044	3bce752207b2f203bf9d90528279efdde5cf758d4c0ff3c28f446c758b98981e.exe	explorha.exe
PID 2972 wrote to memory of 4236	2972	explorha.exe	8ce42d6d1d.exe
PID 2972 wrote to memory of 4236	2972	explorha.exe	8ce42d6d1d.exe
PID 2972 wrote to memory of 4236	2972	explorha.exe	8ce42d6d1d.exe
PID 2972 wrote to memory of 4708	2972	explorha.exe	explorha.exe
PID 2972 wrote to memory of 4708	2972	explorha.exe	explorha.exe
PID 2972 wrote to memory of 4708	2972	explorha.exe	explorha.exe
PID 2972 wrote to memory of 2808	2972	explorha.exe	go.exe
PID 2972 wrote to memory of 2808	2972	explorha.exe	go.exe
PID 2972 wrote to memory of 2808	2972	explorha.exe	go.exe
PID 2808 wrote to memory of 2944	2808	go.exe	msedge.exe
PID 2808 wrote to memory of 2944	2808	go.exe	msedge.exe
PID 2944 wrote to memory of 4696	2944	msedge.exe	msedge.exe
PID 2944 wrote to memory of 4696	2944	msedge.exe	msedge.exe
PID 2808 wrote to memory of 2120	2808	go.exe	msedge.exe
PID 2808 wrote to memory of 2120	2808	go.exe	msedge.exe
PID 2120 wrote to memory of 920	2120	msedge.exe	msedge.exe
PID 2120 wrote to memory of 920	2120	msedge.exe	msedge.exe
PID 2808 wrote to memory of 4492	2808	go.exe	msedge.exe
PID 2808 wrote to memory of 4492	2808	go.exe	msedge.exe
PID 4492 wrote to memory of 1820	4492	msedge.exe	msedge.exe
PID 4492 wrote to memory of 1820	4492	msedge.exe	msedge.exe
PID 2944 wrote to memory of 4472	2944	msedge.exe	msedge.exe
PID 2944 wrote to memory of 4472	2944	msedge.exe	msedge.exe
PID 2944 wrote to memory of 4472	2944	msedge.exe	msedge.exe
PID 2944 wrote to memory of 4472	2944	msedge.exe	msedge.exe
PID 2944 wrote to memory of 4472	2944	msedge.exe	msedge.exe
PID 2944 wrote to memory of 4472	2944	msedge.exe	msedge.exe
PID 2944 wrote to memory of 4472	2944	msedge.exe	msedge.exe
PID 2944 wrote to memory of 4472	2944	msedge.exe	msedge.exe
PID 2944 wrote to memory of 4472	2944	msedge.exe	msedge.exe
PID 2944 wrote to memory of 4472	2944	msedge.exe	msedge.exe
PID 2944 wrote to memory of 4472	2944	msedge.exe	msedge.exe
PID 2944 wrote to memory of 4472	2944	msedge.exe	msedge.exe
PID 2944 wrote to memory of 4472	2944	msedge.exe	msedge.exe
PID 2944 wrote to memory of 4472	2944	msedge.exe	msedge.exe
PID 2944 wrote to memory of 4472	2944	msedge.exe	msedge.exe
PID 2944 wrote to memory of 4472	2944	msedge.exe	msedge.exe
PID 2944 wrote to memory of 4472	2944	msedge.exe	msedge.exe
PID 2944 wrote to memory of 4472	2944	msedge.exe	msedge.exe
PID 2944 wrote to memory of 4472	2944	msedge.exe	msedge.exe
PID 2944 wrote to memory of 4472	2944	msedge.exe	msedge.exe
PID 2944 wrote to memory of 4472	2944	msedge.exe	msedge.exe
PID 2944 wrote to memory of 4472	2944	msedge.exe	msedge.exe
PID 2944 wrote to memory of 4472	2944	msedge.exe	msedge.exe
PID 2944 wrote to memory of 4472	2944	msedge.exe	msedge.exe
PID 2944 wrote to memory of 4472	2944	msedge.exe	msedge.exe
PID 2944 wrote to memory of 4472	2944	msedge.exe	msedge.exe
PID 2944 wrote to memory of 4472	2944	msedge.exe	msedge.exe
PID 2944 wrote to memory of 4472	2944	msedge.exe	msedge.exe
PID 2944 wrote to memory of 4472	2944	msedge.exe	msedge.exe
PID 2944 wrote to memory of 4472	2944	msedge.exe	msedge.exe
PID 2944 wrote to memory of 4472	2944	msedge.exe	msedge.exe
PID 2944 wrote to memory of 4472	2944	msedge.exe	msedge.exe
PID 2944 wrote to memory of 4472	2944	msedge.exe	msedge.exe
PID 2944 wrote to memory of 4472	2944	msedge.exe	msedge.exe
PID 2944 wrote to memory of 4472	2944	msedge.exe	msedge.exe
PID 2944 wrote to memory of 4472	2944	msedge.exe	msedge.exe
PID 2944 wrote to memory of 4472	2944	msedge.exe	msedge.exe
PID 2944 wrote to memory of 4472	2944	msedge.exe	msedge.exe
PID 2944 wrote to memory of 4472	2944	msedge.exe	msedge.exe
PID 2944 wrote to memory of 4472	2944	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\3bce752207b2f203bf9d90528279efdde5cf758d4c0ff3c28f446c758b98981e.exe
"C:\Users\Admin\AppData\Local\Temp\3bce752207b2f203bf9d90528279efdde5cf758d4c0ff3c28f446c758b98981e.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5044

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2972

C:\Users\Admin\AppData\Local\Temp\1000042001\8ce42d6d1d.exe
"C:\Users\Admin\AppData\Local\Temp\1000042001\8ce42d6d1d.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
PID:4236

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
3⤵
PID:4708

C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe
"C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe"
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9d5cc3cb8,0x7ff9d5cc3cc8,0x7ff9d5cc3cd8
5⤵
PID:4696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,10216545100164289502,2722062880607159056,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
5⤵
PID:4472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,10216545100164289502,2722062880607159056,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,10216545100164289502,2722062880607159056,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
5⤵
PID:3592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10216545100164289502,2722062880607159056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
5⤵
PID:2476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10216545100164289502,2722062880607159056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
5⤵
PID:4196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10216545100164289502,2722062880607159056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3764 /prefetch:1
5⤵
PID:3200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10216545100164289502,2722062880607159056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4108 /prefetch:1
5⤵
PID:4308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10216545100164289502,2722062880607159056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1
5⤵
PID:564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10216545100164289502,2722062880607159056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
5⤵
PID:2352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10216545100164289502,2722062880607159056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
5⤵
PID:5812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10216545100164289502,2722062880607159056,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
5⤵
PID:5820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10216545100164289502,2722062880607159056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3992 /prefetch:1
5⤵
PID:5532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10216545100164289502,2722062880607159056,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
5⤵
PID:5560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,10216545100164289502,2722062880607159056,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5672 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3884

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,10216545100164289502,2722062880607159056,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6424 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,10216545100164289502,2722062880607159056,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2596 /prefetch:2
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
4⤵
- Suspicious use of WriteProcessMemory
PID:2120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9d5cc3cb8,0x7ff9d5cc3cc8,0x7ff9d5cc3cd8
5⤵
PID:920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1780,13188893340279081275,1336940715022056991,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2016 /prefetch:2
5⤵
PID:3548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1780,13188893340279081275,1336940715022056991,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
4⤵
- Suspicious use of WriteProcessMemory
PID:4492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9d5cc3cb8,0x7ff9d5cc3cc8,0x7ff9d5cc3cd8
5⤵
PID:1820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,8146423560888786520,14916923651305002106,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
5⤵
PID:4636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,8146423560888786520,14916923651305002106,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:232

C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe
"C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:5616

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
3⤵
- Loads dropped DLL
PID:5964

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:5992

C:\Windows\system32\netsh.exe
netsh wlan show profiles
5⤵
PID:5152

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\930051783255_Desktop.zip' -CompressionLevel Optimal
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5356

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:3328

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3288

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2696

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1584

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4860

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5280

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
2⤵
- Loads dropped DLL
PID:5964

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:5836

C:\Windows\system32\netsh.exe
netsh wlan show profiles
4⤵
PID:5860

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\930051783255_Desktop.zip' -CompressionLevel Optimal
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5812

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:2448

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5620

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5244

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
ae626d9a72417b14570daa8fcd5d34a4

SHA1
c103ebaf4d760df722d620df87e6f07c0486439f

SHA256
52cc3f3028fab0d347a4a3fffef570b42f85748176d81a3344996d42fd1de32a

SHA512
a0690bda318bdf43d6f292f88d4ea2ebeec83b95e9ebca80083dbb08e7ddcdb9735cc58b89d369a34f10acf8a114d4a207ed8d0f070c5baf87c5798e9f35bc14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
19a8bcb40a17253313345edd2a0da1e7

SHA1
86fac74b5bbc59e910248caebd1176a48a46d72e

SHA256
b8024fbed11683ef4b53f5afac0ff691025b7eecca0f6a95737da1585558227e

SHA512
9f8780f49d30aad01b28189804329aeca6ad2b7ffb6be505d40bb1af7802bb62622f518cb1c43a5815bbbb46638f6c52aead3d68f14fa957d18157edb42e95c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
96899614360333c9904499393c6e3d75

SHA1
bbfa17cf8df01c266323965735f00f0e9e04cd34

SHA256
486e4b4bb11f664c91c675e73cfeabe53b5009ae719459813be17814cd97e43c

SHA512
974735b40a9f92b40a37a698f7f333590f32ff45633c6e619500e74ec274bc20bf7dbc830b1685777b714d37a3ca103d741ee056f4ff45ef08c07b38a7895df7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
936B

MD5
4370d14710a36a56e32aeadf31288610

SHA1
0f832620c831d80422daa2d5028421548218551b

SHA256
55ea9098e289fa6a827f852dc1e90546e4d51f84cb13389037c1fb4bf42dac77

SHA512
f191ab086f9ddca9b78b303bdd699b15dd46e6f76f8c0789c0dd90216041192a9c4a945cd4b5a6281c92f5a479d0c22ae03fe027d043898249d787b82b882710

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
f626ace70d9ab9ddaa746294b5bb3971

SHA1
aa1719baf5dc0050b5fa403361f347a46a2016e1

SHA256
312a59f280386b4732b1ba02d90f4f06146896e45905a3376e7b65b4f4cee5f6

SHA512
99af3be3bb33cc824982c113bbb6ecb2bc7e52ec0e59a726815876a622d0d464e25f897ecb92907aa288457674402f5a67c513049bd72cab6cbedf4f4596a11d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
a10d8965733e51239735363b7c1021fa

SHA1
bc4d2d29d3682728ddcf34981fc35542ed012b07

SHA256
5ad72a55056c770b1750191549db7588a30efef8a5f7081405e3d0a9320aa100

SHA512
0dd14955e697be180b1c28b7a5212a2fda32086ee81015ef0dbaa89301f9366fb0421601284200480ab3545449795ae967196885fd9ababd67e7cc0605d96991

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
4dc8088c17bd042eb71a4d8112a591fd

SHA1
c36bef64ca2cd0267e91406309785224ed2ec448

SHA256
91c12fd4289564e94111ab825d15aabe3e75f6730fc85840b6cffd3dbb311920

SHA512
65f1c50347129b53ca1abcf807b9d8e7bb503dffdef54bdf06d97c76608a37f10cf9cefbf1e8d1e15253cccac5a4b7811a97d9d6da6caf7098085b7d502db0a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
da63419caa80ed3879c95bdc936f61e9

SHA1
633a6dd907c871d63d8680a0acd516738de09103

SHA256
b28d4d1ae3532595b423ca01e0aeec0bc1e4e74077a1a99f8c8fe10b4a0fb3f0

SHA512
fd5a0377841e0bfe351dcbc8217470a121e0c5b937ca43cf08b15250a82a9f99de5fcbefe28950f1ce1ebf822d43a454a80b048b555069ab781789d2c5c09c78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
707B

MD5
914b31cfcc36052c4dacaa75bae3c859

SHA1
6aa50c1fb13502c390772f16e44954aff335b278

SHA256
34de782178394e8c6446c8a41c804926dd4c0dfb10fc749ce54fb4004d196600

SHA512
0b83588736b142b4a72ba76be273d517a1509e02d466ab50b3e1dcbd19a98b6680c7a97da4fbf5d773f551c35d78755c0a5a0519a5052e2d2972007d438b5bf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
707B

MD5
34f9286fcf11a36c9af30052173cb59b

SHA1
4a2e6548657d2760b13021f5d81fe00fdbba9343

SHA256
aca2971175c829432aed592862e16a5f5d51aa50151449250d6fc7b49d6c6f10

SHA512
c591b014f0e656f7f77212717453a44117a89b956df0d26f4b8299b254aebaaa4dee056a33aa567a1f33e0e1bf118d401aa7c11e67a35886ef8eebed727617f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
707B

MD5
016670b1b37982b57977913286cee284

SHA1
521dd62bd56180d881d1de7e60fbb29f5845180c

SHA256
fa3658c84f8d3e41241e125b45331ef12477ff0dbf0c39835bd34b36f3d2fa6e

SHA512
fbcc0ee79100eeb4f10068675f6c694bd827c57a0af804c8d3a6120852371583496b38ea6149f70201ccc920dfd4575a4f1a499659225420a67f8eeff7d8a610

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
707B

MD5
17afb7822a06ce6a4bc5841159244d7e

SHA1
82447a1d328b4974c7e12bf32fcfd81cd2790674

SHA256
97a8e022744a9a99c8330a6d31acc9f200e72145574ae1fe638d012ac77e5dc7

SHA512
4ffd633c557e227f8c33b5e7fd7fde470ae36ee8f21ba259db5bc2bb47852b7e4d48d6b6f747f54145bb13dd5c03aac421fadb931cc00c0364e1f390689d85eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ec44.TMP
Filesize
707B

MD5
a2610346152b54ce689e33e2b5970415

SHA1
4e0f0730af8f935297127653c59810779f3202e5

SHA256
4cab63dbb18142cb2022ae59bb21eefebbebd44bb202712db2896883dfd79a68

SHA512
f9902ad8484e825a1d9d90b9fe7b02faaf517fa91157c4e44673c82c0191b48e7e1af0048741289cefd93a0c09668efa1e3577b42b5bfdfb61dff8bbf0472e97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
eb6c9a42c10b1c06c36e26c20e32a193

SHA1
847fa26613088539b791fdf96d541cd09f69f4a7

SHA256
24f1ab60823fcf26a31db2dff117ebd71c486372c9bc1caf8fad69f9d85d1844

SHA512
506c0a9d57d0157dc752a37bd7c643ce350a68a832a8bd3070981d63578d56e7b2583f364ebea0408aa481f32209e44577a6843535c6783474bd5909cc6197e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
1991d531a1ac12c935d39d1fe5b90be8

SHA1
eb3f959dba5f3c2f566828239830f631b0c56f29

SHA256
324a1673d0a3666c4a78a036ea0b33b827208f8b731ae9d9fcb745b06f5e1478

SHA512
f8489ba41275d1aa4552868f713a0588828937be6e8fe6e33faf64d8a84bcfff50f5713318f8df3e2368772c291f0ee36aa3193c4fefc86544236a1c93c98d62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
79b7f2195004e3432caed6f40ed58908

SHA1
94f325ba1b578c4f1ec268b3e895b7ffa7a6195d

SHA256
61534a27423c30b67a14d227a39c74a2ed89352c55f2d59d36589bd083d39f1f

SHA512
bcb9646edb86b4593a855b292f4bf709d56c1b819cf9dd6ca9bb97f4c6245bd4f06ed112e3273952fb22b4b4cf19a22028ae120166ca8f49686718372a708fd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
632c87ef107ab7b49fb9a44a393b9c82

SHA1
fe7035d40d08ab65b460058c5a458d628e6b8b58

SHA256
b17dd2b6c26b9544cb72f91e3084945df5a5c08407a0939ef2397bb3c6ee1dfe

SHA512
58e0371748ed013a13afd013da63c3c757e7b22be95fe1624784768b2493e5c1b9c352925f3559c3887a28c48b2e72336cb7acb9d385982324a1d62056987d6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
dc1581e35979397950e6872b3a3b1298

SHA1
4f1a7a8f2cff4603f4fc4b7370494c61cbcb3c7f

SHA256
40767ed690a6468aa11b9bce89cb43dca925e5027934ead29e5b708d2fafa9e7

SHA512
e8d5fcc9be11d5ca64475d35bc662b19c994c0e4deec79d86c9bbe7dff4ac06fe831ffe0bef93efa46c0078ce535693dafc8372e652c282d8b43e6c6ec16eeba

Download Submit
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
Filesize
1.8MB

MD5
e3f2565e66bef7c990748a5f99b706c4

SHA1
52808d09a2b8c7b4fe54e3f0634ad74663003a37

SHA256
3bce752207b2f203bf9d90528279efdde5cf758d4c0ff3c28f446c758b98981e

SHA512
c03ba03ffaf5d8ade527be7a9a8efec7e28d702cf6d2cefefb0be396e867033efa80501b69975405df9980cc1e2ca6612bd1ae28ee017c80b5a74f9d8e931979

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000042001\8ce42d6d1d.exe
Filesize
3.1MB

MD5
339f3f4f39d82660a784f3fb070220f1

SHA1
a03957dadfbc4d434510278b58f4d7e655effce5

SHA256
93b6b07774d558791bc34c872f8d67123b26fb070f7612278e37e934c71c9abe

SHA512
06b181700ff678ab659cbab3486b9c28f30e3c333274541549b11e08e45d1a9a8389efb247a9dd52ffd327a7d7d08380f1730e0df5bfc9750f44d4674cb3f165

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe
Filesize
894KB

MD5
2f8912af892c160c1c24c9f38a60c1ab

SHA1
d2deae508e262444a8f15c29ebcc7ebbe08a3fdb

SHA256
59ff8e0aa665fbbf749c7548906a655cb1869bb58a3b7546efa5b416d19e6308

SHA512
0395383bde98d358b0a7f2224f903dff026ce0c6d90feb49ac0e6993ef692143b0eb25da84d9cdc9e7b373a7b75a6dbaef14746eda1bff165d59f07ca51a16bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe
Filesize
1.8MB

MD5
4ffe02ab61d06ce1dec85cfef4122de3

SHA1
e92368cd89deb3ccb81ea21a4e6c6a1ab3a0fba7

SHA256
8f1dc6a85630b9a36d235e7f4912309ac8afdfa136125d574b27376cfbb6d059

SHA512
9a01c2baaad83cfe4188b530235cc01dca5bdaeab8c50e881ec36a3ca623afb32915cb9d1d007fd22b8e4d90ad9da4020443d384744127132d846e40935ca8cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oq3ugpie.wm1.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
109KB

MD5
2afdbe3b99a4736083066a13e4b5d11a

SHA1
4d4856cf02b3123ac16e63d4a448cdbcb1633546

SHA256
8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee

SHA512
d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
1.2MB

MD5
92fbdfccf6a63acef2743631d16652a7

SHA1
971968b1378dd89d59d7f84bf92f16fc68664506

SHA256
b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72

SHA512
b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
109KB

MD5
726cd06231883a159ec1ce28dd538699

SHA1
404897e6a133d255ad5a9c26ac6414d7134285a2

SHA256
12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46

SHA512
9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
1.2MB

MD5
15a42d3e4579da615a384c717ab2109b

SHA1
22aeedeb2307b1370cdab70d6a6b6d2c13ad2301

SHA256
3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103

SHA512
1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

Download Submit
\??\pipe\LOCAL\crashpad_2944_SDUEVFKVAOUCTCAV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2972-584-0x0000000000580000-0x0000000000A3E000-memory.dmp

Filesize
4.7MB

Download
memory/2972-477-0x0000000000580000-0x0000000000A3E000-memory.dmp

Filesize
4.7MB

Download
memory/2972-578-0x0000000000580000-0x0000000000A3E000-memory.dmp

Filesize
4.7MB

Download
memory/2972-25-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/2972-401-0x0000000000580000-0x0000000000A3E000-memory.dmp

Filesize
4.7MB

Download
memory/2972-243-0x0000000000580000-0x0000000000A3E000-memory.dmp

Filesize
4.7MB

Download
memory/2972-596-0x0000000000580000-0x0000000000A3E000-memory.dmp

Filesize
4.7MB

Download
memory/2972-313-0x0000000000580000-0x0000000000A3E000-memory.dmp

Filesize
4.7MB

Download
memory/2972-31-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/2972-516-0x0000000000580000-0x0000000000A3E000-memory.dmp

Filesize
4.7MB

Download
memory/2972-30-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/2972-417-0x0000000000580000-0x0000000000A3E000-memory.dmp

Filesize
4.7MB

Download
memory/2972-27-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/2972-29-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/2972-28-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

Filesize
4KB

Download
memory/2972-538-0x0000000000580000-0x0000000000A3E000-memory.dmp

Filesize
4.7MB

Download
memory/2972-370-0x0000000000580000-0x0000000000A3E000-memory.dmp

Filesize
4.7MB

Download
memory/2972-558-0x0000000000580000-0x0000000000A3E000-memory.dmp

Filesize
4.7MB

Download
memory/2972-23-0x0000000000580000-0x0000000000A3E000-memory.dmp

Filesize
4.7MB

Download
memory/2972-553-0x0000000000580000-0x0000000000A3E000-memory.dmp

Filesize
4.7MB

Download
memory/2972-24-0x0000000000580000-0x0000000000A3E000-memory.dmp

Filesize
4.7MB

Download
memory/2972-550-0x0000000000580000-0x0000000000A3E000-memory.dmp

Filesize
4.7MB

Download
memory/2972-32-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/2972-441-0x0000000000580000-0x0000000000A3E000-memory.dmp

Filesize
4.7MB

Download
memory/2972-26-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/4236-548-0x0000000000B50000-0x0000000000F06000-memory.dmp

Filesize
3.7MB

Download
memory/4236-579-0x0000000000B50000-0x0000000000F06000-memory.dmp

Filesize
3.7MB

Download
memory/4236-345-0x0000000000B50000-0x0000000000F06000-memory.dmp

Filesize
3.7MB

Download
memory/4236-451-0x0000000000B50000-0x0000000000F06000-memory.dmp

Filesize
3.7MB

Download
memory/4236-551-0x0000000000B50000-0x0000000000F06000-memory.dmp

Filesize
3.7MB

Download
memory/4236-554-0x0000000000B50000-0x0000000000F06000-memory.dmp

Filesize
3.7MB

Download
memory/4236-51-0x0000000000B50000-0x0000000000F06000-memory.dmp

Filesize
3.7MB

Download
memory/4236-371-0x0000000000B50000-0x0000000000F06000-memory.dmp

Filesize
3.7MB

Download
memory/4236-567-0x0000000000B50000-0x0000000000F06000-memory.dmp

Filesize
3.7MB

Download
memory/4236-382-0x0000000000B50000-0x0000000000F06000-memory.dmp

Filesize
3.7MB

Download
memory/4236-52-0x0000000000B50000-0x0000000000F06000-memory.dmp

Filesize
3.7MB

Download
memory/4236-497-0x0000000000B50000-0x0000000000F06000-memory.dmp

Filesize
3.7MB

Download
memory/4236-585-0x0000000000B50000-0x0000000000F06000-memory.dmp

Filesize
3.7MB

Download
memory/4236-517-0x0000000000B50000-0x0000000000F06000-memory.dmp

Filesize
3.7MB

Download
memory/4236-416-0x0000000000B50000-0x0000000000F06000-memory.dmp

Filesize
3.7MB

Download
memory/4236-419-0x0000000000B50000-0x0000000000F06000-memory.dmp

Filesize
3.7MB

Download
memory/5044-0-0x0000000000400000-0x00000000008BE000-memory.dmp

Filesize
4.7MB

Download
memory/5044-9-0x0000000005260000-0x0000000005261000-memory.dmp

Filesize
4KB

Download
memory/5044-10-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/5044-1-0x0000000077206000-0x0000000077208000-memory.dmp

Filesize
8KB

Download
memory/5044-21-0x0000000000400000-0x00000000008BE000-memory.dmp

Filesize
4.7MB

Download
memory/5044-8-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/5044-7-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/5044-2-0x0000000000400000-0x00000000008BE000-memory.dmp

Filesize
4.7MB

Download
memory/5044-6-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download
memory/5044-5-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/5044-4-0x0000000005210000-0x0000000005211000-memory.dmp

Filesize
4KB

Download
memory/5044-3-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download
memory/5244-566-0x0000000000580000-0x0000000000A3E000-memory.dmp

Filesize
4.7MB

Download
memory/5280-426-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/5280-424-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/5280-586-0x0000000000E80000-0x0000000001332000-memory.dmp

Filesize
4.7MB

Download
memory/5280-580-0x0000000000E80000-0x0000000001332000-memory.dmp

Filesize
4.7MB

Download
memory/5280-438-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/5280-439-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/5280-568-0x0000000000E80000-0x0000000001332000-memory.dmp

Filesize
4.7MB

Download
memory/5280-556-0x0000000000E80000-0x0000000001332000-memory.dmp

Filesize
4.7MB

Download
memory/5280-518-0x0000000000E80000-0x0000000001332000-memory.dmp

Filesize
4.7MB

Download
memory/5280-421-0x0000000000E80000-0x0000000001332000-memory.dmp

Filesize
4.7MB

Download
memory/5280-452-0x0000000000E80000-0x0000000001332000-memory.dmp

Filesize
4.7MB

Download
memory/5280-453-0x0000000000E80000-0x0000000001332000-memory.dmp

Filesize
4.7MB

Download
memory/5280-552-0x0000000000E80000-0x0000000001332000-memory.dmp

Filesize
4.7MB

Download
memory/5280-422-0x0000000000E80000-0x0000000001332000-memory.dmp

Filesize
4.7MB

Download
memory/5280-428-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/5280-427-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/5280-498-0x0000000000E80000-0x0000000001332000-memory.dmp

Filesize
4.7MB

Download
memory/5280-549-0x0000000000E80000-0x0000000001332000-memory.dmp

Filesize
4.7MB

Download
memory/5280-480-0x0000000000E80000-0x0000000001332000-memory.dmp

Filesize
4.7MB

Download
memory/5280-423-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/5280-425-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/5356-331-0x00000178EC9E0000-0x00000178EC9F0000-memory.dmp

Filesize
64KB

Download
memory/5356-332-0x00000178EC9E0000-0x00000178EC9F0000-memory.dmp

Filesize
64KB

Download
memory/5356-330-0x00000178EC9E0000-0x00000178EC9F0000-memory.dmp

Filesize
64KB

Download
memory/5356-326-0x00000178D4880000-0x00000178D48A2000-memory.dmp

Filesize
136KB

Download
memory/5356-320-0x00007FF9C4F00000-0x00007FF9C59C2000-memory.dmp

Filesize
10.8MB

Download
memory/5356-340-0x00007FF9C4F00000-0x00007FF9C59C2000-memory.dmp

Filesize
10.8MB

Download
memory/5356-334-0x00000178D48B0000-0x00000178D48BA000-memory.dmp

Filesize
40KB

Download
memory/5356-333-0x00000178ECA70000-0x00000178ECA82000-memory.dmp

Filesize
72KB

Download
memory/5616-319-0x0000000000F20000-0x00000000013D2000-memory.dmp

Filesize
4.7MB

Download
memory/5616-314-0x0000000005970000-0x0000000005971000-memory.dmp

Filesize
4KB

Download
memory/5616-245-0x0000000000F20000-0x00000000013D2000-memory.dmp

Filesize
4.7MB

Download
memory/5616-276-0x0000000005900000-0x0000000005901000-memory.dmp

Filesize
4KB

Download
memory/5616-277-0x0000000005940000-0x0000000005941000-memory.dmp

Filesize
4KB

Download
memory/5616-280-0x00000000058E0000-0x00000000058E1000-memory.dmp

Filesize
4KB

Download
memory/5616-281-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/5616-268-0x0000000005910000-0x0000000005911000-memory.dmp

Filesize
4KB

Download
memory/5616-264-0x0000000000F20000-0x00000000013D2000-memory.dmp

Filesize
4.7MB

Download
memory/5616-315-0x0000000005960000-0x0000000005961000-memory.dmp

Filesize
4KB

Download
memory/5620-434-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/5620-440-0x0000000000580000-0x0000000000A3E000-memory.dmp

Filesize
4.7MB

Download
memory/5620-435-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/5620-433-0x0000000004FD0000-0x0000000004FD1000-memory.dmp

Filesize
4KB

Download
memory/5620-437-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/5620-432-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/5620-431-0x0000000000580000-0x0000000000A3E000-memory.dmp

Filesize
4.7MB

Download
memory/5620-436-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/5620-430-0x0000000000580000-0x0000000000A3E000-memory.dmp

Filesize
4.7MB

Download
memory/5812-479-0x0000025D82210000-0x0000025D82220000-memory.dmp

Filesize
64KB

Download
memory/5812-478-0x00007FF9C4AB0000-0x00007FF9C5572000-memory.dmp

Filesize
10.8MB

Download