amadey | 39a58a4549ee1eedcee35a637d524761c70bfc878abd451c56fb9fd4b439ea71

Analysis

max time kernel
146s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
29-03-2024 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39a58a4549ee1eedcee35a637d524761c70bfc878abd451c56fb9fd4b439ea71.exe
Size

1.8MB
MD5

09ad37ec1461fe538e2681aa082c111d
SHA1

8e7982474abbf03ac03553a243eea265217a34ed
SHA256

39a58a4549ee1eedcee35a637d524761c70bfc878abd451c56fb9fd4b439ea71
SHA512

8472b87fa682309c9d2d23bc48680b9d26b90c96613b41d450ac3345e3895b570379b9aec3a0090c1548950e25611bc8450fdf8655d9ac7e3b7f8ccafddfd1f7
SSDEEP

49152:Cb4FE+pIOOjfrLm50zOBZLfSDr6rUi/f40Mz86ufcOoq:Cb4C+pEjfrSCzO3+DrW9/jkicOr

Score

10^/10

amadey evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.18

http://193.233.132.56

Attributes

install_dir
09fd851a4f
install_file
explorha.exe
strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

install_dir
00c07260dc
install_file
explorgu.exe
strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

explorha.exeexplorha.exe39a58a4549ee1eedcee35a637d524761c70bfc878abd451c56fb9fd4b439ea71.exeexplorha.execf54346984.exeamert.exeexplorgu.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	39a58a4549ee1eedcee35a637d524761c70bfc878abd451c56fb9fd4b439ea71.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	cf54346984.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorgu.exe

Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

flow pid process

43 5896 rundll32.exe
51 5716 rundll32.exe
54 5956 rundll32.exe
55 5708 rundll32.exe
Downloads MZ/PE file

flow	pid	process
43	5896	rundll32.exe
51	5716	rundll32.exe
54	5956	rundll32.exe
55	5708	rundll32.exe

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cf54346984.exeexplorha.exeamert.exeexplorgu.exeexplorha.exeexplorha.exe39a58a4549ee1eedcee35a637d524761c70bfc878abd451c56fb9fd4b439ea71.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cf54346984.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cf54346984.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	39a58a4549ee1eedcee35a637d524761c70bfc878abd451c56fb9fd4b439ea71.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	39a58a4549ee1eedcee35a637d524761c70bfc878abd451c56fb9fd4b439ea71.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe

Executes dropped EXE 7 IoCs

Processes:

explorha.execf54346984.exego.exeamert.exeexplorgu.exeexplorha.exeexplorha.exe

pid process

3816 explorha.exe
2172 cf54346984.exe
4412 go.exe
4980 amert.exe
4824 explorgu.exe
3036 explorha.exe
2912 explorha.exe

pid	process
3816	explorha.exe
2172	cf54346984.exe
4412	go.exe
4980	amert.exe
4824	explorgu.exe
3036	explorha.exe
2912	explorha.exe

Identifies Wine through registry keys 2 TTPs 7 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

39a58a4549ee1eedcee35a637d524761c70bfc878abd451c56fb9fd4b439ea71.exeexplorha.execf54346984.exeamert.exeexplorgu.exeexplorha.exeexplorha.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Wine	39a58a4549ee1eedcee35a637d524761c70bfc878abd451c56fb9fd4b439ea71.exe
Key opened	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Wine	cf54346984.exe
Key opened	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Wine	amert.exe
Key opened	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Wine	explorgu.exe
Key opened	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Wine	explorha.exe

Loads dropped DLL 6 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid process

5872 rundll32.exe
5896 rundll32.exe
5716 rundll32.exe
5968 rundll32.exe
5956 rundll32.exe
5708 rundll32.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
5872	rundll32.exe
5896	rundll32.exe
5716	rundll32.exe
5968	rundll32.exe
5956	rundll32.exe
5708	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorha.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Windows\CurrentVersion\Run\cf54346984.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000042001\\cf54346984.exe"	explorha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Windows\CurrentVersion\Run\go.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000044001\\go.exe"	explorha.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

39a58a4549ee1eedcee35a637d524761c70bfc878abd451c56fb9fd4b439ea71.exeexplorha.exeamert.exeexplorgu.exeexplorha.exeexplorha.exe

pid	process
3028	39a58a4549ee1eedcee35a637d524761c70bfc878abd451c56fb9fd4b439ea71.exe
3816	explorha.exe
4980	amert.exe
4824	explorgu.exe
3036	explorha.exe
2912	explorha.exe

Drops file in Windows directory 2 IoCs

Processes:

39a58a4549ee1eedcee35a637d524761c70bfc878abd451c56fb9fd4b439ea71.exeamert.exe

description	ioc	process
File created	C:\Windows\Tasks\explorha.job	39a58a4549ee1eedcee35a637d524761c70bfc878abd451c56fb9fd4b439ea71.exe
File created	C:\Windows\Tasks\explorgu.job	amert.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

39a58a4549ee1eedcee35a637d524761c70bfc878abd451c56fb9fd4b439ea71.exeexplorha.exemsedge.exemsedge.exemsedge.exemsedge.exeamert.exerundll32.exepowershell.exeidentity_helper.exemsedge.exeexplorgu.exeexplorha.exerundll32.exepowershell.exeexplorha.exe

pid	process
3028	39a58a4549ee1eedcee35a637d524761c70bfc878abd451c56fb9fd4b439ea71.exe
3028	39a58a4549ee1eedcee35a637d524761c70bfc878abd451c56fb9fd4b439ea71.exe
3816	explorha.exe
3816	explorha.exe
1824	msedge.exe
1824	msedge.exe
5036	msedge.exe
5036	msedge.exe
1540	msedge.exe
1540	msedge.exe
3160	msedge.exe
3160	msedge.exe
4980	amert.exe
4980	amert.exe
5896	rundll32.exe
5896	rundll32.exe
5896	rundll32.exe
5896	rundll32.exe
5896	rundll32.exe
5896	rundll32.exe
5896	rundll32.exe
5896	rundll32.exe
5896	rundll32.exe
5896	rundll32.exe
6036	powershell.exe
6036	powershell.exe
6036	powershell.exe
5204	identity_helper.exe
5204	identity_helper.exe
688	msedge.exe
688	msedge.exe
4824	explorgu.exe
4824	explorgu.exe
3036	explorha.exe
3036	explorha.exe
5956	rundll32.exe
5956	rundll32.exe
5956	rundll32.exe
5956	rundll32.exe
5956	rundll32.exe
5956	rundll32.exe
5956	rundll32.exe
5956	rundll32.exe
5956	rundll32.exe
5956	rundll32.exe
5320	powershell.exe
5320	powershell.exe
5320	powershell.exe
2912	explorha.exe
2912	explorha.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

msedge.exe

pid	process
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 6036 powershell.exe
Token: SeDebugPrivilege 5320 powershell.exe

description	pid	process
Token: SeDebugPrivilege	6036	powershell.exe
Token: SeDebugPrivilege	5320	powershell.exe

Suspicious use of FindShellTrayWindow 29 IoCs

Processes:

39a58a4549ee1eedcee35a637d524761c70bfc878abd451c56fb9fd4b439ea71.exego.exemsedge.exe

pid	process
3028	39a58a4549ee1eedcee35a637d524761c70bfc878abd451c56fb9fd4b439ea71.exe
4412	go.exe
4412	go.exe
4412	go.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe

Suspicious use of SendNotifyMessage 15 IoCs

Processes:

go.exemsedge.exe

pid	process
4412	go.exe
4412	go.exe
4412	go.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

39a58a4549ee1eedcee35a637d524761c70bfc878abd451c56fb9fd4b439ea71.exeexplorha.exego.exemsedge.exemsedge.exemsedge.exe

description	pid	process	target process
PID 3028 wrote to memory of 3816	3028	39a58a4549ee1eedcee35a637d524761c70bfc878abd451c56fb9fd4b439ea71.exe	explorha.exe
PID 3028 wrote to memory of 3816	3028	39a58a4549ee1eedcee35a637d524761c70bfc878abd451c56fb9fd4b439ea71.exe	explorha.exe
PID 3028 wrote to memory of 3816	3028	39a58a4549ee1eedcee35a637d524761c70bfc878abd451c56fb9fd4b439ea71.exe	explorha.exe
PID 3816 wrote to memory of 2172	3816	explorha.exe	cf54346984.exe
PID 3816 wrote to memory of 2172	3816	explorha.exe	cf54346984.exe
PID 3816 wrote to memory of 2172	3816	explorha.exe	cf54346984.exe
PID 3816 wrote to memory of 3428	3816	explorha.exe	explorha.exe
PID 3816 wrote to memory of 3428	3816	explorha.exe	explorha.exe
PID 3816 wrote to memory of 3428	3816	explorha.exe	explorha.exe
PID 3816 wrote to memory of 4412	3816	explorha.exe	go.exe
PID 3816 wrote to memory of 4412	3816	explorha.exe	go.exe
PID 3816 wrote to memory of 4412	3816	explorha.exe	go.exe
PID 4412 wrote to memory of 1540	4412	go.exe	msedge.exe
PID 4412 wrote to memory of 1540	4412	go.exe	msedge.exe
PID 1540 wrote to memory of 2788	1540	msedge.exe	msedge.exe
PID 1540 wrote to memory of 2788	1540	msedge.exe	msedge.exe
PID 4412 wrote to memory of 1672	4412	go.exe	msedge.exe
PID 4412 wrote to memory of 1672	4412	go.exe	msedge.exe
PID 1672 wrote to memory of 3152	1672	msedge.exe	msedge.exe
PID 1672 wrote to memory of 3152	1672	msedge.exe	msedge.exe
PID 4412 wrote to memory of 4740	4412	go.exe	msedge.exe
PID 4412 wrote to memory of 4740	4412	go.exe	msedge.exe
PID 4740 wrote to memory of 3260	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 3260	4740	msedge.exe	msedge.exe
PID 1540 wrote to memory of 5112	1540	msedge.exe	msedge.exe
PID 1540 wrote to memory of 5112	1540	msedge.exe	msedge.exe
PID 1540 wrote to memory of 5112	1540	msedge.exe	msedge.exe
PID 1540 wrote to memory of 5112	1540	msedge.exe	msedge.exe
PID 1540 wrote to memory of 5112	1540	msedge.exe	msedge.exe
PID 1540 wrote to memory of 5112	1540	msedge.exe	msedge.exe
PID 1540 wrote to memory of 5112	1540	msedge.exe	msedge.exe
PID 1540 wrote to memory of 5112	1540	msedge.exe	msedge.exe
PID 1540 wrote to memory of 5112	1540	msedge.exe	msedge.exe
PID 1540 wrote to memory of 5112	1540	msedge.exe	msedge.exe
PID 1540 wrote to memory of 5112	1540	msedge.exe	msedge.exe
PID 1540 wrote to memory of 5112	1540	msedge.exe	msedge.exe
PID 1540 wrote to memory of 5112	1540	msedge.exe	msedge.exe
PID 1540 wrote to memory of 5112	1540	msedge.exe	msedge.exe
PID 1540 wrote to memory of 5112	1540	msedge.exe	msedge.exe
PID 1540 wrote to memory of 5112	1540	msedge.exe	msedge.exe
PID 1540 wrote to memory of 5112	1540	msedge.exe	msedge.exe
PID 1540 wrote to memory of 5112	1540	msedge.exe	msedge.exe
PID 1540 wrote to memory of 5112	1540	msedge.exe	msedge.exe
PID 1540 wrote to memory of 5112	1540	msedge.exe	msedge.exe
PID 1540 wrote to memory of 5112	1540	msedge.exe	msedge.exe
PID 1540 wrote to memory of 5112	1540	msedge.exe	msedge.exe
PID 1540 wrote to memory of 5112	1540	msedge.exe	msedge.exe
PID 1540 wrote to memory of 5112	1540	msedge.exe	msedge.exe
PID 1540 wrote to memory of 5112	1540	msedge.exe	msedge.exe
PID 1540 wrote to memory of 5112	1540	msedge.exe	msedge.exe
PID 1540 wrote to memory of 5112	1540	msedge.exe	msedge.exe
PID 1540 wrote to memory of 5112	1540	msedge.exe	msedge.exe
PID 1540 wrote to memory of 5112	1540	msedge.exe	msedge.exe
PID 1540 wrote to memory of 5112	1540	msedge.exe	msedge.exe
PID 1540 wrote to memory of 5112	1540	msedge.exe	msedge.exe
PID 1540 wrote to memory of 5112	1540	msedge.exe	msedge.exe
PID 1540 wrote to memory of 5112	1540	msedge.exe	msedge.exe
PID 1540 wrote to memory of 5112	1540	msedge.exe	msedge.exe
PID 1540 wrote to memory of 5112	1540	msedge.exe	msedge.exe
PID 1540 wrote to memory of 5112	1540	msedge.exe	msedge.exe
PID 1540 wrote to memory of 5112	1540	msedge.exe	msedge.exe
PID 1540 wrote to memory of 5112	1540	msedge.exe	msedge.exe
PID 1540 wrote to memory of 5112	1540	msedge.exe	msedge.exe
PID 1540 wrote to memory of 5112	1540	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\39a58a4549ee1eedcee35a637d524761c70bfc878abd451c56fb9fd4b439ea71.exe
"C:\Users\Admin\AppData\Local\Temp\39a58a4549ee1eedcee35a637d524761c70bfc878abd451c56fb9fd4b439ea71.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
  "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3816
- - C:\Users\Admin\AppData\Local\Temp\1000042001\cf54346984.exe
    "C:\Users\Admin\AppData\Local\Temp\1000042001\cf54346984.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    PID:2172
- - C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
    "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
    3⤵
    PID:3428
- - C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe
    "C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4412
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1540
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaf0423cb8,0x7ffaf0423cc8,0x7ffaf0423cd8
        5⤵
        
        PID:2788
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,14827549615939592386,12831196545697322511,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
        5⤵
        
        PID:5112
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,14827549615939592386,12831196545697322511,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1824
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,14827549615939592386,12831196545697322511,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
        5⤵
        
        PID:3184
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,14827549615939592386,12831196545697322511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
        5⤵
        
        PID:1384
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,14827549615939592386,12831196545697322511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
        5⤵
        
        PID:4900
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,14827549615939592386,12831196545697322511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3644 /prefetch:1
        5⤵
        
        PID:1032
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,14827549615939592386,12831196545697322511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1
        5⤵
        
        PID:4332
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,14827549615939592386,12831196545697322511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1
        5⤵
        
        PID:1256
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,14827549615939592386,12831196545697322511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
        5⤵
        
        PID:4092
    - - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,14827549615939592386,12831196545697322511,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5824 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5204
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,14827549615939592386,12831196545697322511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
        5⤵
        
        PID:5432
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,14827549615939592386,12831196545697322511,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
        5⤵
        
        PID:5440
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,14827549615939592386,12831196545697322511,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:688
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,14827549615939592386,12831196545697322511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
        5⤵
        
        PID:5644
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,14827549615939592386,12831196545697322511,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
        5⤵
        
        PID:4380
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,14827549615939592386,12831196545697322511,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1960 /prefetch:2
        5⤵
        
        PID:6032
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1672
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaf0423cb8,0x7ffaf0423cc8,0x7ffaf0423cd8
        5⤵
        
        PID:3152
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,17774054110895942900,8711422856071605038,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1968 /prefetch:2
        5⤵
        
        PID:3944
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1956,17774054110895942900,8711422856071605038,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5036
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4740
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffaf0423cb8,0x7ffaf0423cc8,0x7ffaf0423cd8
        5⤵
        
        PID:3260
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1452,4410645992759302736,3378395346308346444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1980 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3160
- - C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe
    "C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:4980
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:5872
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:5896
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        
        PID:5920
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\181651180316_Desktop.zip' -CompressionLevel Optimal
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6036
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:5716

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4116

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4824
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
  2⤵
  - Loads dropped DLL
  PID:5968
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:5956
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:6128
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\181651180316_Desktop.zip' -CompressionLevel Optimal
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5320
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:5708

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3036

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
4d48e0f7d5be0a71ddd04bdc8678f531

SHA1
fd36309bb350bd3c630d8bc10ae672cf1771b9eb

SHA256
af3632718d67b9e36cd4bd8d75ab4aadc3db4d6d23b25e8e185e9f54fd10f197

SHA512
d2d171fc2477692f2e56c99ce9c12e21ce7bbb88b61884c513689de31d61b9cd0fa42abef91a10d526ab2d8fd6718cccb917b5e8ffc10180928b62f85b6c038f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0e10a8550dceecf34b33a98b85d5fa0b

SHA1
357ed761cbff74e7f3f75cd15074b4f7f3bcdce0

SHA256
5694744f7e6c49068383af6569df880eed386f56062933708c8716f4221cac61

SHA512
fe6815e41c7643ddb7755cc542d478814f47acea5339df0b5265d9969d02c59ece6fc61150c6c75de3f4f59b052bc2a4f58a14caa3675daeb67955b4dc416d3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3b1e59e67b947d63336fe9c8a1a5cebc

SHA1
5dc7146555c05d8eb1c9680b1b5c98537dd19b91

SHA256
7fccd8c81f41a2684315ad9c86ef0861ecf1f2bf5d13050f760f52aef9b4a263

SHA512
2d9b8f574f7f669c109f7e0d9714b84798e07966341a0200baac01ed5939b611c7ff75bf1978fe06e37e813df277b092ba68051fae9ba997fd529962e2e5d7b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
960B

MD5
8fb865184c1b0d1cba432e9146b7f14c

SHA1
8480744127a45534ca988b4a5c5c7a3eb2c4e813

SHA256
83bd460b2e31ca5e3ec1196a640fdc8ebacf8d7aef47d6af68486c4545db0ec1

SHA512
cbcc4c3477e6954d4327a7f49743096f66e79725d569def75e9688a81c0002d35aca5b56bca3c258b667851ea10d2610d9c8a4b7bac90baca91e69b3ac337d3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
0f6c77895c0518980d78814193eee68a

SHA1
ef682fde34aaf012c1dbf50938d336c85e7cce40

SHA256
4cb199adeb4d52376eec8af6c2bc4a52f1e3cd67d87458380d91e73ab0dea41c

SHA512
972ac0b6916399dfa2b7430081f8163b003aac566fa7d18c753052230ce1ab7dbab951b26ed9ae32a369cbe3ccc608b13760d530adbe26725b6256e94284d8c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
e324b04e78589679255e3e594141b125

SHA1
3019c26cc9e1a8e9349aeb835cf3f253a09b7045

SHA256
2eb83ec5b6178a7128f4abeee30bf802d8e06faac2c712a19286fa8996e85f14

SHA512
3deccc84a30560d1d603aa49f86c2d8bdc03e487b5f3c70049edd65a1256cba353c6c1db81b30dfb3dd0c9ffb096b9531801cc0282ae5788ee52b7d2fd90bbe4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
43046c846654def5a62af09864349dc0

SHA1
3b6487d84f4ccc0a001862525af0456a268d5bf3

SHA256
3dedb93922747de0776fac3ec5f3241696c008133cb3b5f9e41066836f98a0d1

SHA512
298a0482de70558dca1e5533180a1cba648628876705fd272f06c0c9627a420b1ab3f93b9e4c70b72a14970f16f657eb580ace50f809adf2fa8906fa96f461c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9aa0d1946191720ed7adddf8fe0860b9

SHA1
8112975688fa39baaa3d2b6d4b50715e108c0fe4

SHA256
6c4fff1e1bc2b3f4afe0e705db6a6c086b21e90f1e1d5f1250193d3d08e1d394

SHA512
76b1e45e0e972813eb26fbe4dcd09764f7748903706ebc7ea04dbd78c088381ff9cbeeebacd5d7c7b7b4a01b1fe16661c4349b49024d5e9e807aff64dde5fff0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
a0d0e1918759db8ee234dc7575ffbe23

SHA1
083aed669aa92cd3d9f58405979eda8dece72335

SHA256
3e0ce90ec0b7d7e68e7a909aab46057bad0e9cf0537f3c7a2b75a1af7d72f255

SHA512
35cd6ac976c40af5d17d4c69489b4c021134471ef752be52338792fdb008e553b1220b3846b21c81bc6a77d58f88a39847c7de22b4ace216de31c504e5054aa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
ca3e6c7a9427c3c4f44e8b53729ee576

SHA1
23488b0994c4899dbbc46e4f77c30e2f65733248

SHA256
b2e898b175965202c178b63a1b38478081c84478d1cc196191da6725116a161f

SHA512
ed23e8f808c38e6f717272b2501c86749deec9b6c510cc73160114cf610155daa5272f44ea7635e391af4d9887dddee31c9b9a9745450ad2b60b44bef894c779

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
8856ae582653b2ea9c99c66d88d4f4fc

SHA1
c6634282e87168f8221ce0d4a5e5a4bd60fa1642

SHA256
953a8c8a0e9a2a048dcff3e97ac52b7f4136a424334256cb72545b11b2c9e8c8

SHA512
a6718a4cf7bb4638710ab246a6707c89718de34efa2cce4e4419d776e296bf7457ef5512ba4cf3d8f2abe62935bd1f6076f37ba1c9c3c21df81fe8792b08a0f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
779f50a69631d53490268e5847aab88a

SHA1
f2ab26fd7d4115da03deb7d805b3763a0b446313

SHA256
485954058018e5de1f9f0529a53d17cb43410059f34f89fa8cd7815e2868a24b

SHA512
887239317147183e0cf9100fc552bf9b70621d2a27d2087dd3b9823dc27fbeb34addf1949aeb115c521996a8d6c927a4288feb070c58c352a62c16fbbcf0470b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e86c.TMP

Filesize
707B

MD5
780663a8b36915844355d000a7f0c0ad

SHA1
d2319bda00f3c423eeac24c3c094144acc5a4745

SHA256
19c588033b22dd6a36559415e2b0c723f91ea602dacc16cbb977d4aa4bad82a6

SHA512
df83d407401a4b1df7b357185ae1e55f7c0bc0281c2af9980078656fb1f1dd0d8930ec9e499e50dcdf3bb5e72ff4a5722713023c85b25d9f8f457653c49e123e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d59ef4b4a8cde16a42f7fbd837e775fa

SHA1
5abde54334f3ab55e8a71eafc6281c6f0876541e

SHA256
d99aa1b3529aee5063906833f25de329dce183fc13fc67a04b02a6675943280c

SHA512
d04c267f3f6dc87434fef8c60d09149bf0ccd334a740e9afa17c3131bec2282f51c5d8345e3dbaae7209cc08f1f06ae225dbc5982a2114f83c50433ee56708d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
ce96ef76a1cd935c6377236fdde17d42

SHA1
20a50a2c1b1613979ff700f81b433d1f4bdd720a

SHA256
a1ba2074cac39a26c4f8db7d0a26255bb3ce2d25ed2928b86e387556fbb61cd3

SHA512
2707b57d4dac43f0b4b07a9a0e5c54ab34846c2387af4b9bd4e493fbc225f9ecffde8f252ff0dcaf214d79c76e5364c1ea7bdf042ac976bbec7dcb17a1068378

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
668487421447d7a8c60147950708df4d

SHA1
cd844e6454fd356141a126d29e63a65d4c1b28b7

SHA256
ce6ffa7a8e60548d5dfab1650b7f86d13ab943d6b80dea8315532fde09205b90

SHA512
ad319ba626101f05c784c86c6d49e122b06264b86658eb61b15d4716b2071f1faa55a22643917163b8776a5100630dbba99e2359b1650a28132b66ad70575740

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
87c12330c311f1e01c4e97413b5f4225

SHA1
b97420153b869274abda4bc59d43f3c18ae00a33

SHA256
d5bacdcd40f71a70f31af41919c768d785089c1bca35e4d8302176bcf60c51e6

SHA512
8bee8a3e3d87a77f04689b243804e586a0f5be0a499c5e306da309d47f29e94e09b4aef61ef2d9707d8fa929ca583966b4794657ac3c7f516ad73f17382f389c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
16128740f5a36847b36804e781785a4f

SHA1
0140df861c1c81649570b5febbdc9a7129d42e7a

SHA256
0708825d6ff9de2a1d0696d18b53842ea986042c7262d95b606e630a67f080f9

SHA512
747278c1be92f090d662e1bf826a6fae2ea33ba055d659b03d7667ee6a7a0d65c9b41ad1402633097c5da1bc51eaedfc092cf46a1af4ef4f0d478392e1f70a03

Download Submit
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

Filesize
1.8MB

MD5
09ad37ec1461fe538e2681aa082c111d

SHA1
8e7982474abbf03ac03553a243eea265217a34ed

SHA256
39a58a4549ee1eedcee35a637d524761c70bfc878abd451c56fb9fd4b439ea71

SHA512
8472b87fa682309c9d2d23bc48680b9d26b90c96613b41d450ac3345e3895b570379b9aec3a0090c1548950e25611bc8450fdf8655d9ac7e3b7f8ccafddfd1f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000042001\cf54346984.exe

Filesize
3.0MB

MD5
fcea2df8b17ce44c6e4851655053764a

SHA1
f17634e5da3d62f26194354b22b255f687b789e3

SHA256
b94d11c660e4e7941f80199623b0c98c64d760edfa5c6b9dcee0c410d0f0f104

SHA512
be82ace076bf48d7fe3f5d510e7611958831e59a7af08fd74704a5c8234365a339ef2d13db1c0f0a8e4025574e269969ec2c6a36244b994818d6263a98bdbc3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe

Filesize
894KB

MD5
2f8912af892c160c1c24c9f38a60c1ab

SHA1
d2deae508e262444a8f15c29ebcc7ebbe08a3fdb

SHA256
59ff8e0aa665fbbf749c7548906a655cb1869bb58a3b7546efa5b416d19e6308

SHA512
0395383bde98d358b0a7f2224f903dff026ce0c6d90feb49ac0e6993ef692143b0eb25da84d9cdc9e7b373a7b75a6dbaef14746eda1bff165d59f07ca51a16bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe

Filesize
1.9MB

MD5
80698cc4fa2be2ba9bad56a77fe1fd0d

SHA1
72780e2913fe6fea376942e9b993c5d6e79b0d15

SHA256
301e30d68915da5d224ec68c9c8b01dd79d910f45060c3da9823d703d39c4958

SHA512
5e07ebb91218832b70645bacbc77bd0d20e12f0844de7fde776b01dd46f26c0d7c32c842ff12ab446a1867b0c3ead9bf8803eaeacb7aaf706ee3195688c9782b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rpa3f1du.hlb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
109KB

MD5
2afdbe3b99a4736083066a13e4b5d11a

SHA1
4d4856cf02b3123ac16e63d4a448cdbcb1633546

SHA256
8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee

SHA512
d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
1.2MB

MD5
92fbdfccf6a63acef2743631d16652a7

SHA1
971968b1378dd89d59d7f84bf92f16fc68664506

SHA256
b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72

SHA512
b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
109KB

MD5
726cd06231883a159ec1ce28dd538699

SHA1
404897e6a133d255ad5a9c26ac6414d7134285a2

SHA256
12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46

SHA512
9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.2MB

MD5
15a42d3e4579da615a384c717ab2109b

SHA1
22aeedeb2307b1370cdab70d6a6b6d2c13ad2301

SHA256
3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103

SHA512
1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

Download Submit
\??\pipe\LOCAL\crashpad_1540_FGQQXNIHWOVSOHYU

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2172-386-0x0000000000F10000-0x00000000012C6000-memory.dmp

Filesize
3.7MB

Download
memory/2172-557-0x0000000000F10000-0x00000000012C6000-memory.dmp

Filesize
3.7MB

Download
memory/2172-52-0x0000000000F10000-0x00000000012C6000-memory.dmp

Filesize
3.7MB

Download
memory/2172-373-0x0000000000F10000-0x00000000012C6000-memory.dmp

Filesize
3.7MB

Download
memory/2172-578-0x0000000000F10000-0x00000000012C6000-memory.dmp

Filesize
3.7MB

Download
memory/2172-575-0x0000000000F10000-0x00000000012C6000-memory.dmp

Filesize
3.7MB

Download
memory/2172-350-0x0000000000F10000-0x00000000012C6000-memory.dmp

Filesize
3.7MB

Download
memory/2172-563-0x0000000000F10000-0x00000000012C6000-memory.dmp

Filesize
3.7MB

Download
memory/2172-560-0x0000000000F10000-0x00000000012C6000-memory.dmp

Filesize
3.7MB

Download
memory/2172-493-0x0000000000F10000-0x00000000012C6000-memory.dmp

Filesize
3.7MB

Download
memory/2172-501-0x0000000000F10000-0x00000000012C6000-memory.dmp

Filesize
3.7MB

Download
memory/2172-545-0x0000000000F10000-0x00000000012C6000-memory.dmp

Filesize
3.7MB

Download
memory/2172-432-0x0000000000F10000-0x00000000012C6000-memory.dmp

Filesize
3.7MB

Download
memory/2172-450-0x0000000000F10000-0x00000000012C6000-memory.dmp

Filesize
3.7MB

Download
memory/2172-510-0x0000000000F10000-0x00000000012C6000-memory.dmp

Filesize
3.7MB

Download
memory/2172-53-0x0000000000F10000-0x00000000012C6000-memory.dmp

Filesize
3.7MB

Download
memory/2912-556-0x00000000006F0000-0x0000000000BA1000-memory.dmp

Filesize
4.7MB

Download
memory/3028-5-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

Filesize
4KB

Download
memory/3028-2-0x0000000000240000-0x00000000006F1000-memory.dmp

Filesize
4.7MB

Download
memory/3028-0-0x0000000000240000-0x00000000006F1000-memory.dmp

Filesize
4.7MB

Download
memory/3028-8-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

Filesize
4KB

Download
memory/3028-3-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download
memory/3028-7-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/3028-9-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download
memory/3028-10-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/3028-4-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/3028-1-0x00000000774F6000-0x00000000774F8000-memory.dmp

Filesize
8KB

Download
memory/3028-23-0x0000000000240000-0x00000000006F1000-memory.dmp

Filesize
4.7MB

Download
memory/3028-6-0x0000000004C10000-0x0000000004C11000-memory.dmp

Filesize
4KB

Download
memory/3036-421-0x0000000004F00000-0x0000000004F01000-memory.dmp

Filesize
4KB

Download
memory/3036-423-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

Filesize
4KB

Download
memory/3036-422-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

Filesize
4KB

Download
memory/3036-419-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

Filesize
4KB

Download
memory/3036-420-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

Filesize
4KB

Download
memory/3036-431-0x00000000006F0000-0x0000000000BA1000-memory.dmp

Filesize
4.7MB

Download
memory/3036-418-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download
memory/3036-417-0x00000000006F0000-0x0000000000BA1000-memory.dmp

Filesize
4.7MB

Download
memory/3816-508-0x00000000006F0000-0x0000000000BA1000-memory.dmp

Filesize
4.7MB

Download
memory/3816-433-0x00000000006F0000-0x0000000000BA1000-memory.dmp

Filesize
4.7MB

Download
memory/3816-21-0x00000000006F0000-0x0000000000BA1000-memory.dmp

Filesize
4.7MB

Download
memory/3816-534-0x00000000006F0000-0x0000000000BA1000-memory.dmp

Filesize
4.7MB

Download
memory/3816-24-0x00000000006F0000-0x0000000000BA1000-memory.dmp

Filesize
4.7MB

Download
memory/3816-558-0x00000000006F0000-0x0000000000BA1000-memory.dmp

Filesize
4.7MB

Download
memory/3816-247-0x00000000006F0000-0x0000000000BA1000-memory.dmp

Filesize
4.7MB

Download
memory/3816-499-0x00000000006F0000-0x0000000000BA1000-memory.dmp

Filesize
4.7MB

Download
memory/3816-561-0x00000000006F0000-0x0000000000BA1000-memory.dmp

Filesize
4.7MB

Download
memory/3816-27-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download
memory/3816-471-0x00000000006F0000-0x0000000000BA1000-memory.dmp

Filesize
4.7MB

Download
memory/3816-387-0x00000000006F0000-0x0000000000BA1000-memory.dmp

Filesize
4.7MB

Download
memory/3816-25-0x0000000004C70000-0x0000000004C71000-memory.dmp

Filesize
4KB

Download
memory/3816-367-0x00000000006F0000-0x0000000000BA1000-memory.dmp

Filesize
4.7MB

Download
memory/3816-31-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download
memory/3816-30-0x0000000004C50000-0x0000000004C51000-memory.dmp

Filesize
4KB

Download
memory/3816-564-0x00000000006F0000-0x0000000000BA1000-memory.dmp

Filesize
4.7MB

Download
memory/3816-33-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/3816-579-0x00000000006F0000-0x0000000000BA1000-memory.dmp

Filesize
4.7MB

Download
memory/3816-28-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/3816-183-0x00000000006F0000-0x0000000000BA1000-memory.dmp

Filesize
4.7MB

Download
memory/3816-29-0x0000000004C40000-0x0000000004C41000-memory.dmp

Filesize
4KB

Download
memory/3816-32-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/3816-546-0x00000000006F0000-0x0000000000BA1000-memory.dmp

Filesize
4.7MB

Download
memory/3816-26-0x0000000004C80000-0x0000000004C81000-memory.dmp

Filesize
4KB

Download
memory/3816-576-0x00000000006F0000-0x0000000000BA1000-memory.dmp

Filesize
4.7MB

Download
memory/4824-562-0x0000000000120000-0x00000000005FA000-memory.dmp

Filesize
4.9MB

Download
memory/4824-434-0x0000000000120000-0x00000000005FA000-memory.dmp

Filesize
4.9MB

Download
memory/4824-413-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/4824-574-0x0000000000120000-0x00000000005FA000-memory.dmp

Filesize
4.9MB

Download
memory/4824-430-0x00000000052B0000-0x00000000052B1000-memory.dmp

Filesize
4KB

Download
memory/4824-429-0x00000000052C0000-0x00000000052C1000-memory.dmp

Filesize
4KB

Download
memory/4824-591-0x0000000000120000-0x00000000005FA000-memory.dmp

Filesize
4.9MB

Download
memory/4824-415-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/4824-412-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/4824-481-0x0000000000120000-0x00000000005FA000-memory.dmp

Filesize
4.9MB

Download
memory/4824-547-0x0000000000120000-0x00000000005FA000-memory.dmp

Filesize
4.9MB

Download
memory/4824-435-0x0000000000120000-0x00000000005FA000-memory.dmp

Filesize
4.9MB

Download
memory/4824-414-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download
memory/4824-500-0x0000000000120000-0x00000000005FA000-memory.dmp

Filesize
4.9MB

Download
memory/4824-559-0x0000000000120000-0x00000000005FA000-memory.dmp

Filesize
4.9MB

Download
memory/4824-411-0x0000000005270000-0x0000000005271000-memory.dmp

Filesize
4KB

Download
memory/4824-509-0x0000000000120000-0x00000000005FA000-memory.dmp

Filesize
4.9MB

Download
memory/4824-410-0x0000000005260000-0x0000000005261000-memory.dmp

Filesize
4KB

Download
memory/4824-409-0x0000000000120000-0x00000000005FA000-memory.dmp

Filesize
4.9MB

Download
memory/4824-408-0x0000000000120000-0x00000000005FA000-memory.dmp

Filesize
4.9MB

Download
memory/4824-535-0x0000000000120000-0x00000000005FA000-memory.dmp

Filesize
4.9MB

Download
memory/4824-577-0x0000000000120000-0x00000000005FA000-memory.dmp

Filesize
4.9MB

Download
memory/4980-223-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/4980-233-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/4980-224-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/4980-222-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/4980-218-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/4980-240-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/4980-254-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/4980-209-0x0000000000CD0000-0x00000000011AA000-memory.dmp

Filesize
4.9MB

Download
memory/4980-256-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/4980-270-0x0000000000CD0000-0x00000000011AA000-memory.dmp

Filesize
4.9MB

Download
memory/4980-205-0x0000000000CD0000-0x00000000011AA000-memory.dmp

Filesize
4.9MB

Download
memory/5320-461-0x00000223271A0000-0x00000223271B0000-memory.dmp

Filesize
64KB

Download
memory/5320-459-0x00007FFADC8B0000-0x00007FFADD372000-memory.dmp

Filesize
10.8MB

Download
memory/6036-331-0x00007FFADCA80000-0x00007FFADD542000-memory.dmp

Filesize
10.8MB

Download
memory/6036-335-0x00000178EF630000-0x00000178EF640000-memory.dmp

Filesize
64KB

Download
memory/6036-333-0x00000178EF630000-0x00000178EF640000-memory.dmp

Filesize
64KB

Download
memory/6036-332-0x00000178EF5B0000-0x00000178EF5D2000-memory.dmp

Filesize
136KB

Download
memory/6036-334-0x00000178EF630000-0x00000178EF640000-memory.dmp

Filesize
64KB

Download
memory/6036-342-0x00000178EF790000-0x00000178EF7A2000-memory.dmp

Filesize
72KB

Download
memory/6036-343-0x00000178EF420000-0x00000178EF42A000-memory.dmp

Filesize
40KB

Download
memory/6036-349-0x00007FFADCA80000-0x00007FFADD542000-memory.dmp

Filesize
10.8MB

Download