amadey | ca0f8d0ff7eb4c1e84886a2d09f22f0516c019dc79f93ccd30cfa1773970891e

Analysis

max time kernel
149s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
30-03-2024 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca0f8d0ff7eb4c1e84886a2d09f22f0516c019dc79f93ccd30cfa1773970891e.exe
Size

1.8MB
MD5

9a35e62d8276e34994a6beb80121adb1
SHA1

55bf11eb3f1a4b742e340993ffbd3f1cf019e27f
SHA256

ca0f8d0ff7eb4c1e84886a2d09f22f0516c019dc79f93ccd30cfa1773970891e
SHA512

677bcb0f2ba6b7a6abd36ad3f7759192bb4bb88158c4c9b57d27f5249b57c3e2ece6fe4569f48e225a0665bbbd82a47485d8870e054fc1a28c27ecbf86f64ee2
SSDEEP

49152:jv3vD+vwZsaPY0iXnDMmT9i/FT+I80Y+oK:rDPY0izZo/AoS

Score

10^/10

amadey risepro evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.18

http://193.233.132.56

Attributes

install_dir
09fd851a4f
install_file
explorha.exe
strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

install_dir
00c07260dc
install_file
explorgu.exe
strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

explorha.exeexplorha.exebf99510ac7.exeamert.exeexplorha.exeexplorgu.exeexplorha.execa0f8d0ff7eb4c1e84886a2d09f22f0516c019dc79f93ccd30cfa1773970891e.exeexplorha.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	bf99510ac7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorgu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ca0f8d0ff7eb4c1e84886a2d09f22f0516c019dc79f93ccd30cfa1773970891e.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe

Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

flow pid process

6 1904 rundll32.exe
47 5568 rundll32.exe
51 6092 rundll32.exe
53 5280 rundll32.exe
Downloads MZ/PE file

flow	pid	process
6	1904	rundll32.exe
47	5568	rundll32.exe
51	6092	rundll32.exe
53	5280	rundll32.exe

Checks BIOS information in registry 2 TTPs 18 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorha.exeexplorgu.exeexplorha.exebf99510ac7.exeexplorha.exeexplorha.exeamert.exeexplorha.execa0f8d0ff7eb4c1e84886a2d09f22f0516c019dc79f93ccd30cfa1773970891e.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bf99510ac7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bf99510ac7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ca0f8d0ff7eb4c1e84886a2d09f22f0516c019dc79f93ccd30cfa1773970891e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ca0f8d0ff7eb4c1e84886a2d09f22f0516c019dc79f93ccd30cfa1773970891e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe

Executes dropped EXE 9 IoCs

Processes:

explorha.exebf99510ac7.exeexplorha.exego.exeamert.exeexplorgu.exeexplorha.exeexplorha.exeexplorha.exe

pid process

2872 explorha.exe
2396 bf99510ac7.exe
1492 explorha.exe
2096 go.exe
5776 amert.exe
5440 explorgu.exe
2300 explorha.exe
6128 explorha.exe
1504 explorha.exe

pid	process
2872	explorha.exe
2396	bf99510ac7.exe
1492	explorha.exe
2096	go.exe
5776	amert.exe
5440	explorgu.exe
2300	explorha.exe
6128	explorha.exe
1504	explorha.exe

Identifies Wine through registry keys 2 TTPs 9 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

bf99510ac7.exeexplorgu.exeexplorha.exeamert.exeexplorha.exeexplorha.exeexplorha.execa0f8d0ff7eb4c1e84886a2d09f22f0516c019dc79f93ccd30cfa1773970891e.exeexplorha.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Wine	bf99510ac7.exe
Key opened	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Wine	explorgu.exe
Key opened	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Wine	amert.exe
Key opened	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Wine	ca0f8d0ff7eb4c1e84886a2d09f22f0516c019dc79f93ccd30cfa1773970891e.exe
Key opened	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Wine	explorha.exe

Loads dropped DLL 6 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid process

1248 rundll32.exe
1904 rundll32.exe
5568 rundll32.exe
5776 rundll32.exe
6092 rundll32.exe
5280 rundll32.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1248	rundll32.exe
1904	rundll32.exe
5568	rundll32.exe
5776	rundll32.exe
6092	rundll32.exe
5280	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorha.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Windows\CurrentVersion\Run\bf99510ac7.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000042001\\bf99510ac7.exe"	explorha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Windows\CurrentVersion\Run\go.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000044001\\go.exe"	explorha.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

Processes:

ca0f8d0ff7eb4c1e84886a2d09f22f0516c019dc79f93ccd30cfa1773970891e.exeexplorha.exeamert.exeexplorgu.exeexplorha.exeexplorha.exeexplorha.exe

pid	process
2304	ca0f8d0ff7eb4c1e84886a2d09f22f0516c019dc79f93ccd30cfa1773970891e.exe
2872	explorha.exe
5776	amert.exe
5440	explorgu.exe
2300	explorha.exe
6128	explorha.exe
1504	explorha.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

explorha.exe

description pid process target process

PID 2872 set thread context of 1492 2872 explorha.exe explorha.exe

description	pid	process	target process
PID 2872 set thread context of 1492	2872	explorha.exe	explorha.exe

Drops file in Windows directory 2 IoCs

Processes:

amert.execa0f8d0ff7eb4c1e84886a2d09f22f0516c019dc79f93ccd30cfa1773970891e.exe

description	ioc	process
File created	C:\Windows\Tasks\explorgu.job	amert.exe
File created	C:\Windows\Tasks\explorha.job	ca0f8d0ff7eb4c1e84886a2d09f22f0516c019dc79f93ccd30cfa1773970891e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

ca0f8d0ff7eb4c1e84886a2d09f22f0516c019dc79f93ccd30cfa1773970891e.exeexplorha.exerundll32.exemsedge.exemsedge.exemsedge.exemsedge.exepowershell.exeamert.exeidentity_helper.exeexplorgu.exemsedge.exeexplorha.exerundll32.exepowershell.exeexplorha.exemsedge.exeexplorha.exe

pid	process
2304	ca0f8d0ff7eb4c1e84886a2d09f22f0516c019dc79f93ccd30cfa1773970891e.exe
2304	ca0f8d0ff7eb4c1e84886a2d09f22f0516c019dc79f93ccd30cfa1773970891e.exe
2872	explorha.exe
2872	explorha.exe
1904	rundll32.exe
1904	rundll32.exe
1904	rundll32.exe
1904	rundll32.exe
1904	rundll32.exe
1904	rundll32.exe
4156	msedge.exe
4156	msedge.exe
1288	msedge.exe
1288	msedge.exe
4712	msedge.exe
4712	msedge.exe
920	msedge.exe
920	msedge.exe
1904	rundll32.exe
1904	rundll32.exe
1904	rundll32.exe
1904	rundll32.exe
5328	powershell.exe
5328	powershell.exe
5328	powershell.exe
5776	amert.exe
5776	amert.exe
5992	identity_helper.exe
5992	identity_helper.exe
5440	explorgu.exe
5440	explorgu.exe
1628	msedge.exe
1628	msedge.exe
2300	explorha.exe
2300	explorha.exe
6092	rundll32.exe
6092	rundll32.exe
6092	rundll32.exe
6092	rundll32.exe
6092	rundll32.exe
6092	rundll32.exe
6092	rundll32.exe
6092	rundll32.exe
6092	rundll32.exe
6092	rundll32.exe
2216	powershell.exe
2216	powershell.exe
2216	powershell.exe
6128	explorha.exe
6128	explorha.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
1504	explorha.exe
1504	explorha.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

msedge.exe

pid	process
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 5328 powershell.exe
Token: SeDebugPrivilege 2216 powershell.exe

description	pid	process
Token: SeDebugPrivilege	5328	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe

Suspicious use of FindShellTrayWindow 30 IoCs

Processes:

ca0f8d0ff7eb4c1e84886a2d09f22f0516c019dc79f93ccd30cfa1773970891e.exego.exemsedge.exe

pid	process
2304	ca0f8d0ff7eb4c1e84886a2d09f22f0516c019dc79f93ccd30cfa1773970891e.exe
2096	go.exe
2096	go.exe
2096	go.exe
2096	go.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe

Suspicious use of SendNotifyMessage 16 IoCs

Processes:

go.exemsedge.exe

pid	process
2096	go.exe
2096	go.exe
2096	go.exe
2096	go.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ca0f8d0ff7eb4c1e84886a2d09f22f0516c019dc79f93ccd30cfa1773970891e.exeexplorha.exerundll32.exerundll32.exego.exemsedge.exemsedge.exemsedge.exe

description	pid	process	target process
PID 2304 wrote to memory of 2872	2304	ca0f8d0ff7eb4c1e84886a2d09f22f0516c019dc79f93ccd30cfa1773970891e.exe	explorha.exe
PID 2304 wrote to memory of 2872	2304	ca0f8d0ff7eb4c1e84886a2d09f22f0516c019dc79f93ccd30cfa1773970891e.exe	explorha.exe
PID 2304 wrote to memory of 2872	2304	ca0f8d0ff7eb4c1e84886a2d09f22f0516c019dc79f93ccd30cfa1773970891e.exe	explorha.exe
PID 2872 wrote to memory of 2396	2872	explorha.exe	bf99510ac7.exe
PID 2872 wrote to memory of 2396	2872	explorha.exe	bf99510ac7.exe
PID 2872 wrote to memory of 2396	2872	explorha.exe	bf99510ac7.exe
PID 2872 wrote to memory of 1492	2872	explorha.exe	explorha.exe
PID 2872 wrote to memory of 1492	2872	explorha.exe	explorha.exe
PID 2872 wrote to memory of 1492	2872	explorha.exe	explorha.exe
PID 2872 wrote to memory of 1492	2872	explorha.exe	explorha.exe
PID 2872 wrote to memory of 1492	2872	explorha.exe	explorha.exe
PID 2872 wrote to memory of 1492	2872	explorha.exe	explorha.exe
PID 2872 wrote to memory of 1492	2872	explorha.exe	explorha.exe
PID 2872 wrote to memory of 1492	2872	explorha.exe	explorha.exe
PID 2872 wrote to memory of 1492	2872	explorha.exe	explorha.exe
PID 2872 wrote to memory of 1492	2872	explorha.exe	explorha.exe
PID 2872 wrote to memory of 1492	2872	explorha.exe	explorha.exe
PID 2872 wrote to memory of 2096	2872	explorha.exe	go.exe
PID 2872 wrote to memory of 2096	2872	explorha.exe	go.exe
PID 2872 wrote to memory of 2096	2872	explorha.exe	go.exe
PID 2872 wrote to memory of 1248	2872	explorha.exe	rundll32.exe
PID 2872 wrote to memory of 1248	2872	explorha.exe	rundll32.exe
PID 2872 wrote to memory of 1248	2872	explorha.exe	rundll32.exe
PID 1248 wrote to memory of 1904	1248	rundll32.exe	rundll32.exe
PID 1248 wrote to memory of 1904	1248	rundll32.exe	rundll32.exe
PID 1904 wrote to memory of 1092	1904	rundll32.exe	netsh.exe
PID 1904 wrote to memory of 1092	1904	rundll32.exe	netsh.exe
PID 2096 wrote to memory of 4424	2096	go.exe	msedge.exe
PID 2096 wrote to memory of 4424	2096	go.exe	msedge.exe
PID 4424 wrote to memory of 3256	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 3256	4424	msedge.exe	msedge.exe
PID 2096 wrote to memory of 5020	2096	go.exe	msedge.exe
PID 2096 wrote to memory of 5020	2096	go.exe	msedge.exe
PID 5020 wrote to memory of 3384	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 3384	5020	msedge.exe	msedge.exe
PID 2096 wrote to memory of 1288	2096	go.exe	msedge.exe
PID 2096 wrote to memory of 1288	2096	go.exe	msedge.exe
PID 1288 wrote to memory of 2620	1288	msedge.exe	msedge.exe
PID 1288 wrote to memory of 2620	1288	msedge.exe	msedge.exe
PID 1288 wrote to memory of 3040	1288	msedge.exe	msedge.exe
PID 1288 wrote to memory of 3040	1288	msedge.exe	msedge.exe
PID 1288 wrote to memory of 3040	1288	msedge.exe	msedge.exe
PID 1288 wrote to memory of 3040	1288	msedge.exe	msedge.exe
PID 1288 wrote to memory of 3040	1288	msedge.exe	msedge.exe
PID 1288 wrote to memory of 3040	1288	msedge.exe	msedge.exe
PID 1288 wrote to memory of 3040	1288	msedge.exe	msedge.exe
PID 1288 wrote to memory of 3040	1288	msedge.exe	msedge.exe
PID 1288 wrote to memory of 3040	1288	msedge.exe	msedge.exe
PID 1288 wrote to memory of 3040	1288	msedge.exe	msedge.exe
PID 1288 wrote to memory of 3040	1288	msedge.exe	msedge.exe
PID 1288 wrote to memory of 3040	1288	msedge.exe	msedge.exe
PID 1288 wrote to memory of 3040	1288	msedge.exe	msedge.exe
PID 1288 wrote to memory of 3040	1288	msedge.exe	msedge.exe
PID 1288 wrote to memory of 3040	1288	msedge.exe	msedge.exe
PID 1288 wrote to memory of 3040	1288	msedge.exe	msedge.exe
PID 1288 wrote to memory of 3040	1288	msedge.exe	msedge.exe
PID 1288 wrote to memory of 3040	1288	msedge.exe	msedge.exe
PID 1288 wrote to memory of 3040	1288	msedge.exe	msedge.exe
PID 1288 wrote to memory of 3040	1288	msedge.exe	msedge.exe
PID 1288 wrote to memory of 3040	1288	msedge.exe	msedge.exe
PID 1288 wrote to memory of 3040	1288	msedge.exe	msedge.exe
PID 1288 wrote to memory of 3040	1288	msedge.exe	msedge.exe
PID 1288 wrote to memory of 3040	1288	msedge.exe	msedge.exe
PID 1288 wrote to memory of 3040	1288	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\ca0f8d0ff7eb4c1e84886a2d09f22f0516c019dc79f93ccd30cfa1773970891e.exe
"C:\Users\Admin\AppData\Local\Temp\ca0f8d0ff7eb4c1e84886a2d09f22f0516c019dc79f93ccd30cfa1773970891e.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2304

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2872

C:\Users\Admin\AppData\Local\Temp\1000042001\bf99510ac7.exe
"C:\Users\Admin\AppData\Local\Temp\1000042001\bf99510ac7.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
PID:2396

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
PID:1492

C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe
"C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe"
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
4⤵
- Suspicious use of WriteProcessMemory
PID:4424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff86d453cb8,0x7ff86d453cc8,0x7ff86d453cd8
5⤵
PID:3256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,6416686857303751045,10487167964675331497,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
4⤵
- Suspicious use of WriteProcessMemory
PID:5020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x10c,0x110,0x114,0xdc,0x118,0x7ff86d453cb8,0x7ff86d453cc8,0x7ff86d453cd8
5⤵
PID:3384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,14680589910368342857,9490214011632429740,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1992 /prefetch:2
5⤵
PID:4420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1980,14680589910368342857,9490214011632429740,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff86d453cb8,0x7ff86d453cc8,0x7ff86d453cd8
5⤵
PID:2620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,3342912940189506014,15134652406999358392,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1888 /prefetch:2
5⤵
PID:3040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,3342912940189506014,15134652406999358392,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,3342912940189506014,15134652406999358392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
5⤵
PID:2432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,3342912940189506014,15134652406999358392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
5⤵
PID:2116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,3342912940189506014,15134652406999358392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
5⤵
PID:1392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,3342912940189506014,15134652406999358392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3992 /prefetch:1
5⤵
PID:2784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,3342912940189506014,15134652406999358392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4176 /prefetch:1
5⤵
PID:5196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,3342912940189506014,15134652406999358392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
5⤵
PID:5420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,3342912940189506014,15134652406999358392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
5⤵
PID:5620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,3342912940189506014,15134652406999358392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
5⤵
PID:5580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,3342912940189506014,15134652406999358392,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
5⤵
PID:5604

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,3342912940189506014,15134652406999358392,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6108 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:5992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,3342912940189506014,15134652406999358392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
5⤵
PID:1144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,3342912940189506014,15134652406999358392,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
5⤵
PID:4476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,3342912940189506014,15134652406999358392,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6268 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,3342912940189506014,15134652406999358392,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5452 /prefetch:2
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2072

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1248

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\system32\netsh.exe
netsh wlan show profiles
5⤵
PID:1092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\280069375290_Desktop.zip' -CompressionLevel Optimal
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5328

C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe
"C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:5776

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:5568

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3408

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4060

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5276

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5440

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
2⤵
- Loads dropped DLL
PID:5776

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:6092

C:\Windows\system32\netsh.exe
netsh wlan show profiles
4⤵
PID:5784

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\280069375290_Desktop.zip' -CompressionLevel Optimal
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:5280

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2300

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:6128

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ae626d9a72417b14570daa8fcd5d34a4

SHA1
c103ebaf4d760df722d620df87e6f07c0486439f

SHA256
52cc3f3028fab0d347a4a3fffef570b42f85748176d81a3344996d42fd1de32a

SHA512
a0690bda318bdf43d6f292f88d4ea2ebeec83b95e9ebca80083dbb08e7ddcdb9735cc58b89d369a34f10acf8a114d4a207ed8d0f070c5baf87c5798e9f35bc14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ded21ddc295846e2b00e1fd766c807db

SHA1
497eb7c9c09cb2a247b4a3663ce808869872b410

SHA256
26025f86effef56caa2ee50a64e219c762944b1e50e465be3a6b454bc0ed7305

SHA512
ddfaa73032590de904bba398331fdbf188741d96a17116ada50298b42d6eb7b20d6e50b0cfae8b17e2f145997b8ebce6c8196e6f46fbe11f133d3d82ce3656db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0407c5de270b9ae0ceee6cb9b61bbf1

SHA1
fb2bb8184c1b8e680bf873e5537e1260f057751e

SHA256
a56989933628f6a677ad09f634fc9b7dd9cf7d06c72a76ddbb8221bc4a62ffcd

SHA512
65162bf07705dfdd348d4eaf0a3feba08dc2c0942a3a052b4492d0675ab803b104c03c945f5608fac9544681e0fe8b81d1aaca859663e79aa87fcb591ddb8136

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
960B

MD5
f3096a43a3ed2432becb89ae84284459

SHA1
decc20d6705864b0a424c855d7793d06fef0319d

SHA256
c2f12d1c1fb87a66b8078156cd35f4a2421540a08163fa181aeec6bc49ab6400

SHA512
abdb3700c715da463e065cc94f9c6739b861c106718f3d5bf9cb1a6dccc05b137bddbcc243121c5267d870d5a199c0302abbac3a83d9f7089e210d0a1cd9b6ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
0480197da6e31de97bba9b9a2d9af171

SHA1
1ff995dd72cd7ea748f61a10ac1fa16324bd5a26

SHA256
686743a8fbd96ecf974c70ecdc294fee8a4b749d4e78f528e2c4e48806e3bf57

SHA512
3b68620d8da43201d353a3e862d75b8034cd4f88f5b4e369832e4ceed0a822a9784c8fea7c6850d734738d40a71d27f4f0b25b50f58a205f6282dbca22df9cea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2faac39675e2dca85a5dbd4d1ad6403c

SHA1
e272cc1d6a47fa9b508a365f801603cbe3259248

SHA256
9c44a1cad5c9d2a8f633b0438d035dae5c3bcbed8f25d9678204daa533ad26e6

SHA512
a786fedc3170dc48bf0becee18a7ca7250a5f4d9d339da09b265cd51214d22947a2176473d3c89c4cebbf47ca8130b56db9df5e0439668c14a55e930125bcea6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
bbfb5c3bda8c43dc837f81f784456ce2

SHA1
a06dc61eb62fde792acf1aac2dc92e2fcf980dd1

SHA256
95b6094a024c6dd2d97b54d48b248ee0d297a87bac874b57ac43b7f72456f25a

SHA512
064abbb68b80da520983f8e238f0fbf1a09178c7f49d8489ac2e9bb31c82aa0ab142b9585c1ac9eeebca612edaf25f642d2fc14848123512fac0c1359626c588

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
a2c56c764084047c75ac6290fe782a26

SHA1
656ebafb78e142cb6f9082db534991f04e2181f9

SHA256
1ff79c8b102230913dfaaec54336603c383a765eed93523d9f4be34a5e03bf6d

SHA512
81ccb68bae1d810c2556217c2a28be63ea8b4abb7093a4a941ae8f39f5e028d6a66a362c7bac37f7c7abe5de603c0fb1f77341b058f7f15fae27421790ce8eeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
586bb29f776039482caa04ab397c0959

SHA1
1c6bedbfd7e8107de52e9f71791dbe310377af01

SHA256
8810489402411c6a95691218f3b5f04b6010e251d802162df21962996f8de7c2

SHA512
a186fc365baf4383d34254d9f96da4bb8105dda70d037de3ae6af6c6bfeb4112f5c651fa72b7c571cd2a83971b345b781d47b45dee65fb1f8d3d9f8439972585

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
b52f1363d063eaf0d16b2f0921f8c08e

SHA1
967465853d54c777127d9e7a039166be128db5c9

SHA256
7f88ed147639f32dd5d33aef3785e0ac714a0b5d8ce4b85eaf36088853c8384d

SHA512
2f54fe153babc3ab75a0a53a8c198ab9d30f2fd66ff88046f5ba8ebde92284145997f92a8e6bfee7549860cd1b1c0f225a438a94a775c8c2de6ed882120ef4fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c091.TMP

Filesize
707B

MD5
195d0e78acb89d2c7826dc4f91b21508

SHA1
711e360ddc6aac66c952f58ec672ee1df7c4a949

SHA256
880b739b46faf1c4d34b55ba9936cfcb8026a03f8b2a8e30703324699d0cb56b

SHA512
04661b898e10cb4bf72fcf0e61197dc7c618fb3851e8dfa921c78708e4af4cc1c2c87930d4cffb5ed654f1fae3ced08bdad3288947d47d8c8ea476ed59c68fdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\fa77dcc4-eec2-46b8-ab79-105ca6e602f7.tmp

Filesize
2KB

MD5
91a8f840dcad644efcf38d564c4b42f7

SHA1
f8a1d20dfdda06adcd9f45eb26e0ac97ca7bcb21

SHA256
b47934e68d922aef1b2a7c8f6ac47eb5dc010d6afcadf4ced85395b2c917bfaa

SHA512
db5c6195e1cddc5c0b70ac1ebe639c97b6705d72ef26eb55cdc9d01772fe928ac4779ead8329a925694b5d5cea54f2112bb7ed337c21d289b417d324cc9ca6c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7ee03254cc8215d56e157b693de67737

SHA1
b995bca1302ba624986006e615f9a2b73d0aecc4

SHA256
72a5854f36a30966a92921dc3013d7a6a647f4f8c972eda45fb9a417caa8af4d

SHA512
cd12c7c3639bd22953b2c3e64963eb42f409162dfdf00bbcb589923f466d0c78180bfc7e3ff9358caa1173ba8ce25b43154c4614efe1d4bc5e8294a2b53a00cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
56ef9e8d215e57aa4ff19e0d813d2330

SHA1
1596404bb8fea80a9cd548c6f01887d01f41bf34

SHA256
ec67ba4e716001403b2de81bd089c6fbe0f9f43513c8f1371c8bdba47af29b09

SHA512
22ce26597964f98986b4ef44f747a0b4f170555dc33eaa2d56b9d12f5288a575a6ee514b50c59447998346f663031d690c39d9db99fb66379f54a0231c3378e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
02cf44e51e8effcfb784048a20199a3b

SHA1
eca90ce7bb06745c5071c771b14fa94031890eb0

SHA256
8db04a7150233ee0a9da84029313f7140eaa38b6e18891b4605ed507cea52f32

SHA512
cbd95f1ae609d4f100541dbfe243428ba7421c2ddc234cf8f741ee957c18553979c828642e04e4bf3994be0880b4e407cd787e6a72fc7af18099b3b2d8c93c78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ec2c1ab92ce438cfdce8c441a4cd787d

SHA1
7806e7d6c5ab88d2135f5b5dabbb0695c041a691

SHA256
b03e67f04f11643c0eee4eea5d47d68091995a50f94feb9cd104e7ebcb954c94

SHA512
8e9fad39aa19f18580e529874c80c99069cdf3d59e7d5514ffb8dc78a967f99010805a9449faa0cbd08b465bc021a75c073b4b0c27acad0366d8ca11e2c85fe4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d3786ef00cda6576286cc80ac6d12626

SHA1
0de8fb7e6c1940396a763731e46d8cab2fa0522b

SHA256
88806739d61b2de835742487f6e7c0c4fda577115574978ab96a4342b7b818d2

SHA512
6c28af9ba4ef0874fac3eb5c80e48344272f3f5c70c9baab01a3055a272ff26900b76da94b41734693707318ee82f092063d929bf088b473835e30bf38bcd6cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

Filesize
1.8MB

MD5
9a35e62d8276e34994a6beb80121adb1

SHA1
55bf11eb3f1a4b742e340993ffbd3f1cf019e27f

SHA256
ca0f8d0ff7eb4c1e84886a2d09f22f0516c019dc79f93ccd30cfa1773970891e

SHA512
677bcb0f2ba6b7a6abd36ad3f7759192bb4bb88158c4c9b57d27f5249b57c3e2ece6fe4569f48e225a0665bbbd82a47485d8870e054fc1a28c27ecbf86f64ee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000042001\bf99510ac7.exe

Filesize
3.0MB

MD5
cb1bbca75a3bcbfb2f40d8ada483f37d

SHA1
82192d7c52c1cbbd944e2cccf0795bb6f8310423

SHA256
ceaefd25ad7b260c2cb6026dcabeeb34eae2cf6110ba8f9a19a197d13731c804

SHA512
1e7277edffce945100ffa8a5023c454c2787c244ddd0964f9b1fcad85394f6ef4548f9d9aeb7e27adb6fe7b950987a04953c1ed5ebdfc2110dfd14c43e1821a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe

Filesize
894KB

MD5
2f8912af892c160c1c24c9f38a60c1ab

SHA1
d2deae508e262444a8f15c29ebcc7ebbe08a3fdb

SHA256
59ff8e0aa665fbbf749c7548906a655cb1869bb58a3b7546efa5b416d19e6308

SHA512
0395383bde98d358b0a7f2224f903dff026ce0c6d90feb49ac0e6993ef692143b0eb25da84d9cdc9e7b373a7b75a6dbaef14746eda1bff165d59f07ca51a16bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe

Filesize
1.8MB

MD5
110d28ea1f4b9b3bdf8df3de777c693d

SHA1
4c94c834a8ee46a277c8a9da066e062c41c1d1c8

SHA256
d9a03ce734159b193c74fb0169867dd08d7b56f0b8886b46c28f67defd912463

SHA512
bb177fb9fbf9cfdedb481b39d17bc95eb17479cdce86a098339ccb248a558aa4bcea9795462c91e94879d05ceff44449c98b437af5502666365d24d7ac98f678

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_thm54f4s.3v0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
109KB

MD5
2afdbe3b99a4736083066a13e4b5d11a

SHA1
4d4856cf02b3123ac16e63d4a448cdbcb1633546

SHA256
8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee

SHA512
d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
1.2MB

MD5
92fbdfccf6a63acef2743631d16652a7

SHA1
971968b1378dd89d59d7f84bf92f16fc68664506

SHA256
b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72

SHA512
b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
109KB

MD5
726cd06231883a159ec1ce28dd538699

SHA1
404897e6a133d255ad5a9c26ac6414d7134285a2

SHA256
12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46

SHA512
9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.2MB

MD5
15a42d3e4579da615a384c717ab2109b

SHA1
22aeedeb2307b1370cdab70d6a6b6d2c13ad2301

SHA256
3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103

SHA512
1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

Download Submit
\??\pipe\LOCAL\crashpad_1288_FKTWBKRZEFJTCPHD

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1492-62-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/1492-77-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/1492-60-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/1492-63-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/1492-64-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/1492-65-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/1492-66-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/1492-67-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/1492-68-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/1492-69-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/1492-70-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/1492-71-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/1492-72-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/1492-73-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/1492-74-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/1492-76-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/1492-75-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/1492-61-0x0000000000EA0000-0x0000000001346000-memory.dmp

Filesize
4.6MB

Download
memory/1492-78-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/1492-56-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/1492-87-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/1492-88-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/1492-89-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/1492-97-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/1492-435-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/1492-100-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/1492-110-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/1492-111-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/1492-116-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/1492-117-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/1492-99-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/1492-118-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/1492-119-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/1492-122-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/1492-439-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/2300-470-0x0000000000EA0000-0x0000000001346000-memory.dmp

Filesize
4.6MB

Download
memory/2300-448-0x0000000000EA0000-0x0000000001346000-memory.dmp

Filesize
4.6MB

Download
memory/2300-451-0x0000000000EA0000-0x0000000001346000-memory.dmp

Filesize
4.6MB

Download
memory/2300-453-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/2300-454-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/2300-452-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/2300-455-0x0000000004D70000-0x0000000004D71000-memory.dmp

Filesize
4KB

Download
memory/2304-3-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

Filesize
4KB

Download
memory/2304-7-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/2304-8-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/2304-9-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/2304-10-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/2304-11-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/2304-0-0x00000000007D0000-0x0000000000C76000-memory.dmp

Filesize
4.6MB

Download
memory/2304-23-0x00000000007D0000-0x0000000000C76000-memory.dmp

Filesize
4.6MB

Download
memory/2304-5-0x0000000004FD0000-0x0000000004FD1000-memory.dmp

Filesize
4KB

Download
memory/2304-6-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/2304-4-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/2304-2-0x00000000007D0000-0x0000000000C76000-memory.dmp

Filesize
4.6MB

Download
memory/2304-1-0x0000000077846000-0x0000000077848000-memory.dmp

Filesize
8KB

Download
memory/2396-532-0x0000000000D60000-0x000000000111A000-memory.dmp

Filesize
3.7MB

Download
memory/2396-462-0x0000000000D60000-0x000000000111A000-memory.dmp

Filesize
3.7MB

Download
memory/2396-55-0x0000000000D60000-0x000000000111A000-memory.dmp

Filesize
3.7MB

Download
memory/2396-53-0x0000000000D60000-0x000000000111A000-memory.dmp

Filesize
3.7MB

Download
memory/2396-617-0x0000000000D60000-0x000000000111A000-memory.dmp

Filesize
3.7MB

Download
memory/2396-613-0x0000000000D60000-0x000000000111A000-memory.dmp

Filesize
3.7MB

Download
memory/2396-603-0x0000000000D60000-0x000000000111A000-memory.dmp

Filesize
3.7MB

Download
memory/2396-571-0x0000000000D60000-0x000000000111A000-memory.dmp

Filesize
3.7MB

Download
memory/2396-562-0x0000000000D60000-0x000000000111A000-memory.dmp

Filesize
3.7MB

Download
memory/2396-555-0x0000000000D60000-0x000000000111A000-memory.dmp

Filesize
3.7MB

Download
memory/2396-492-0x0000000000D60000-0x000000000111A000-memory.dmp

Filesize
3.7MB

Download
memory/2396-225-0x0000000000D60000-0x000000000111A000-memory.dmp

Filesize
3.7MB

Download
memory/2872-24-0x0000000000EA0000-0x0000000001346000-memory.dmp

Filesize
4.6MB

Download
memory/2872-471-0x0000000000EA0000-0x0000000001346000-memory.dmp

Filesize
4.6MB

Download
memory/2872-28-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/2872-27-0x0000000005590000-0x0000000005591000-memory.dmp

Filesize
4KB

Download
memory/2872-615-0x0000000000EA0000-0x0000000001346000-memory.dmp

Filesize
4.6MB

Download
memory/2872-25-0x0000000000EA0000-0x0000000001346000-memory.dmp

Filesize
4.6MB

Download
memory/2872-612-0x0000000000EA0000-0x0000000001346000-memory.dmp

Filesize
4.6MB

Download
memory/2872-573-0x0000000000EA0000-0x0000000001346000-memory.dmp

Filesize
4.6MB

Download
memory/2872-26-0x0000000005580000-0x0000000005581000-memory.dmp

Filesize
4KB

Download
memory/2872-564-0x0000000000EA0000-0x0000000001346000-memory.dmp

Filesize
4.6MB

Download
memory/2872-556-0x0000000000EA0000-0x0000000001346000-memory.dmp

Filesize
4.6MB

Download
memory/2872-387-0x0000000000EA0000-0x0000000001346000-memory.dmp

Filesize
4.6MB

Download
memory/2872-544-0x0000000000EA0000-0x0000000001346000-memory.dmp

Filesize
4.6MB

Download
memory/2872-34-0x00000000055D0000-0x00000000055D1000-memory.dmp

Filesize
4KB

Download
memory/2872-58-0x0000000000EA0000-0x0000000001346000-memory.dmp

Filesize
4.6MB

Download
memory/2872-33-0x00000000055E0000-0x00000000055E1000-memory.dmp

Filesize
4KB

Download
memory/2872-511-0x0000000000EA0000-0x0000000001346000-memory.dmp

Filesize
4.6MB

Download
memory/2872-32-0x00000000055B0000-0x00000000055B1000-memory.dmp

Filesize
4KB

Download
memory/2872-199-0x0000000000EA0000-0x0000000001346000-memory.dmp

Filesize
4.6MB

Download
memory/2872-30-0x0000000005550000-0x0000000005551000-memory.dmp

Filesize
4KB

Download
memory/2872-31-0x0000000005560000-0x0000000005561000-memory.dmp

Filesize
4KB

Download
memory/2872-29-0x00000000055C0000-0x00000000055C1000-memory.dmp

Filesize
4KB

Download
memory/5328-342-0x0000021C52BF0000-0x0000021C52BFA000-memory.dmp

Filesize
40KB

Download
memory/5328-198-0x0000021C52C50000-0x0000021C52C60000-memory.dmp

Filesize
64KB

Download
memory/5328-355-0x00007FF86B630000-0x00007FF86C0F2000-memory.dmp

Filesize
10.8MB

Download
memory/5328-214-0x0000021C52C50000-0x0000021C52C60000-memory.dmp

Filesize
64KB

Download
memory/5328-181-0x00007FF86B630000-0x00007FF86C0F2000-memory.dmp

Filesize
10.8MB

Download
memory/5328-201-0x0000021C52C50000-0x0000021C52C60000-memory.dmp

Filesize
64KB

Download
memory/5328-200-0x0000021C52C10000-0x0000021C52C32000-memory.dmp

Filesize
136KB

Download
memory/5328-341-0x0000021C52EF0000-0x0000021C52F02000-memory.dmp

Filesize
72KB

Download
memory/5440-440-0x0000000005510000-0x0000000005511000-memory.dmp

Filesize
4KB

Download
memory/5440-446-0x0000000000F30000-0x00000000013E1000-memory.dmp

Filesize
4.7MB

Download
memory/5440-481-0x0000000000F30000-0x00000000013E1000-memory.dmp

Filesize
4.7MB

Download
memory/5440-531-0x0000000000F30000-0x00000000013E1000-memory.dmp

Filesize
4.7MB

Download
memory/5440-441-0x0000000005520000-0x0000000005521000-memory.dmp

Filesize
4KB

Download
memory/5440-436-0x0000000000F30000-0x00000000013E1000-memory.dmp

Filesize
4.7MB

Download
memory/5440-614-0x0000000000F30000-0x00000000013E1000-memory.dmp

Filesize
4.7MB

Download
memory/5440-545-0x0000000000F30000-0x00000000013E1000-memory.dmp

Filesize
4.7MB

Download
memory/5440-601-0x0000000000F30000-0x00000000013E1000-memory.dmp

Filesize
4.7MB

Download
memory/5440-445-0x00000000054F0000-0x00000000054F1000-memory.dmp

Filesize
4KB

Download
memory/5440-444-0x00000000054E0000-0x00000000054E1000-memory.dmp

Filesize
4KB

Download
memory/5440-616-0x0000000000F30000-0x00000000013E1000-memory.dmp

Filesize
4.7MB

Download
memory/5440-563-0x0000000000F30000-0x00000000013E1000-memory.dmp

Filesize
4.7MB

Download
memory/5440-443-0x0000000005540000-0x0000000005541000-memory.dmp

Filesize
4KB

Download
memory/5440-442-0x0000000005500000-0x0000000005501000-memory.dmp

Filesize
4KB

Download
memory/5440-572-0x0000000000F30000-0x00000000013E1000-memory.dmp

Filesize
4.7MB

Download
memory/5776-274-0x0000000005500000-0x0000000005501000-memory.dmp

Filesize
4KB

Download
memory/5776-281-0x00000000054F0000-0x00000000054F1000-memory.dmp

Filesize
4KB

Download
memory/5776-273-0x00000000054C0000-0x00000000054C1000-memory.dmp

Filesize
4KB

Download
memory/5776-262-0x00000000054E0000-0x00000000054E1000-memory.dmp

Filesize
4KB

Download
memory/5776-258-0x00000000054D0000-0x00000000054D1000-memory.dmp

Filesize
4KB

Download
memory/5776-328-0x00000000008B0000-0x0000000000D61000-memory.dmp

Filesize
4.7MB

Download
memory/5776-209-0x00000000008B0000-0x0000000000D61000-memory.dmp

Filesize
4.7MB

Download
memory/5776-247-0x00000000008B0000-0x0000000000D61000-memory.dmp

Filesize
4.7MB

Download
memory/5776-280-0x00000000054B0000-0x00000000054B1000-memory.dmp

Filesize
4KB

Download
memory/5776-321-0x0000000005520000-0x0000000005521000-memory.dmp

Filesize
4KB

Download
memory/5776-324-0x0000000005510000-0x0000000005511000-memory.dmp

Filesize
4KB

Download
memory/5776-279-0x00000000054A0000-0x00000000054A1000-memory.dmp

Filesize
4KB

Download
memory/6128-611-0x0000000000EA0000-0x0000000001346000-memory.dmp

Filesize
4.6MB

Download