amadey | efc5b78dc1faef417f45e206f67d65c4677d63201b3327fc602af5e2265ad9cd

Analysis

max time kernel
150s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
31/03/2024, 09:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

efc5b78dc1faef417f45e206f67d65c4677d63201b3327fc602af5e2265ad9cd.exe
Size

1.8MB
MD5

4a6648001597e18b66583a0cb4acf0a3
SHA1

216214d33e9e6ab1f40649cfc1647abc30f91ed3
SHA256

efc5b78dc1faef417f45e206f67d65c4677d63201b3327fc602af5e2265ad9cd
SHA512

896f3da600061f7c264ea175fa1d04271feddae66993f9db6690509348916e2c05df1c2117209909bf433c31ad5eb8aac438d148c6495c18be8a11e55516ca9f
SSDEEP

49152:1C9J/8G7mO5SRh5Nxdu5WEWIh3nIG3ik8:KZ7h5S35Nxg5phh3nIG3h8

Score

10^/10

amadey risepro discovery evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.18

http://193.233.132.56

Attributes

install_dir
09fd851a4f
install_file
explorha.exe
strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

install_dir
00c07260dc
install_file
explorgu.exe
strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	efc5b78dc1faef417f45e206f67d65c4677d63201b3327fc602af5e2265ad9cd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	edb42282e2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorgu.exe

Blocklisted process makes network request 4 IoCs

flow	pid	Process
42	5512	rundll32.exe
57	5364	rundll32.exe
58	5548	rundll32.exe
59	3692	rundll32.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 16 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	efc5b78dc1faef417f45e206f67d65c4677d63201b3327fc602af5e2265ad9cd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	edb42282e2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	efc5b78dc1faef417f45e206f67d65c4677d63201b3327fc602af5e2265ad9cd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	edb42282e2.exe

Executes dropped EXE 9 IoCs

pid	Process
3992	explorha.exe
244	edb42282e2.exe
2200	go.exe
3596	amert.exe
5928	explorgu.exe
5964	explorha.exe
5272	swiiiii.exe
4076	explorha.exe
2608	explorha.exe

Identifies Wine through registry keys 2 TTPs 8 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine	efc5b78dc1faef417f45e206f67d65c4677d63201b3327fc602af5e2265ad9cd.exe
Key opened	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine	edb42282e2.exe
Key opened	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine	amert.exe
Key opened	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine	explorgu.exe
Key opened	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine	explorha.exe

Loads dropped DLL 6 IoCs

pid	Process
5456	rundll32.exe
5512	rundll32.exe
5364	rundll32.exe
2560	rundll32.exe
5548	rundll32.exe
3692	rundll32.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\edb42282e2.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000042001\\edb42282e2.exe"	explorha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\go.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000044001\\go.exe"	explorha.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0002000000025c82-58.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
5044	efc5b78dc1faef417f45e206f67d65c4677d63201b3327fc602af5e2265ad9cd.exe
3992	explorha.exe
3596	amert.exe
5928	explorgu.exe
5964	explorha.exe
4076	explorha.exe
2608	explorha.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5272 set thread context of 5380	5272	swiiiii.exe	117

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explorha.job	efc5b78dc1faef417f45e206f67d65c4677d63201b3327fc602af5e2265ad9cd.exe
File created	C:\Windows\Tasks\explorgu.job	amert.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4908	5272	WerFault.exe	115

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
5044	efc5b78dc1faef417f45e206f67d65c4677d63201b3327fc602af5e2265ad9cd.exe
5044	efc5b78dc1faef417f45e206f67d65c4677d63201b3327fc602af5e2265ad9cd.exe
3992	explorha.exe
3992	explorha.exe
3720	msedge.exe
3720	msedge.exe
1320	msedge.exe
1320	msedge.exe
2296	msedge.exe
2296	msedge.exe
864	msedge.exe
864	msedge.exe
3596	amert.exe
3596	amert.exe
5512	rundll32.exe
5512	rundll32.exe
5512	rundll32.exe
5512	rundll32.exe
5512	rundll32.exe
5512	rundll32.exe
5512	rundll32.exe
5512	rundll32.exe
5512	rundll32.exe
5512	rundll32.exe
5712	powershell.exe
5712	powershell.exe
5712	powershell.exe
5928	explorgu.exe
5928	explorgu.exe
5964	explorha.exe
5964	explorha.exe
3808	msedge.exe
3808	msedge.exe
5380	RegAsm.exe
5380	RegAsm.exe
5380	RegAsm.exe
5380	RegAsm.exe
5948	identity_helper.exe
5948	identity_helper.exe
5548	rundll32.exe
5548	rundll32.exe
5548	rundll32.exe
5548	rundll32.exe
5548	rundll32.exe
5548	rundll32.exe
5548	rundll32.exe
5548	rundll32.exe
5548	rundll32.exe
5548	rundll32.exe
5124	powershell.exe
5124	powershell.exe
5124	powershell.exe
4076	explorha.exe
4076	explorha.exe
5692	msedge.exe
5692	msedge.exe
5692	msedge.exe
5692	msedge.exe
2608	explorha.exe
2608	explorha.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5712	powershell.exe
Token: SeDebugPrivilege	5124	powershell.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
2200	go.exe
2200	go.exe
2200	go.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
2200	go.exe
2200	go.exe
2200	go.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5044 wrote to memory of 3992	5044	efc5b78dc1faef417f45e206f67d65c4677d63201b3327fc602af5e2265ad9cd.exe	77
PID 5044 wrote to memory of 3992	5044	efc5b78dc1faef417f45e206f67d65c4677d63201b3327fc602af5e2265ad9cd.exe	77
PID 5044 wrote to memory of 3992	5044	efc5b78dc1faef417f45e206f67d65c4677d63201b3327fc602af5e2265ad9cd.exe	77
PID 3992 wrote to memory of 244	3992	explorha.exe	78
PID 3992 wrote to memory of 244	3992	explorha.exe	78
PID 3992 wrote to memory of 244	3992	explorha.exe	78
PID 3992 wrote to memory of 3980	3992	explorha.exe	79
PID 3992 wrote to memory of 3980	3992	explorha.exe	79
PID 3992 wrote to memory of 3980	3992	explorha.exe	79
PID 3992 wrote to memory of 2200	3992	explorha.exe	80
PID 3992 wrote to memory of 2200	3992	explorha.exe	80
PID 3992 wrote to memory of 2200	3992	explorha.exe	80
PID 2200 wrote to memory of 1320	2200	go.exe	81
PID 2200 wrote to memory of 1320	2200	go.exe	81
PID 1320 wrote to memory of 3512	1320	msedge.exe	84
PID 1320 wrote to memory of 3512	1320	msedge.exe	84
PID 2200 wrote to memory of 584	2200	go.exe	85
PID 2200 wrote to memory of 584	2200	go.exe	85
PID 584 wrote to memory of 4816	584	msedge.exe	86
PID 584 wrote to memory of 4816	584	msedge.exe	86
PID 2200 wrote to memory of 1400	2200	go.exe	87
PID 2200 wrote to memory of 1400	2200	go.exe	87
PID 1400 wrote to memory of 4376	1400	msedge.exe	88
PID 1400 wrote to memory of 4376	1400	msedge.exe	88
PID 1320 wrote to memory of 2444	1320	msedge.exe	89
PID 1320 wrote to memory of 2444	1320	msedge.exe	89
PID 1320 wrote to memory of 2444	1320	msedge.exe	89
PID 1320 wrote to memory of 2444	1320	msedge.exe	89
PID 1320 wrote to memory of 2444	1320	msedge.exe	89
PID 1320 wrote to memory of 2444	1320	msedge.exe	89
PID 1320 wrote to memory of 2444	1320	msedge.exe	89
PID 1320 wrote to memory of 2444	1320	msedge.exe	89
PID 1320 wrote to memory of 2444	1320	msedge.exe	89
PID 1320 wrote to memory of 2444	1320	msedge.exe	89
PID 1320 wrote to memory of 2444	1320	msedge.exe	89
PID 1320 wrote to memory of 2444	1320	msedge.exe	89
PID 1320 wrote to memory of 2444	1320	msedge.exe	89
PID 1320 wrote to memory of 2444	1320	msedge.exe	89
PID 1320 wrote to memory of 2444	1320	msedge.exe	89
PID 1320 wrote to memory of 2444	1320	msedge.exe	89
PID 1320 wrote to memory of 2444	1320	msedge.exe	89
PID 1320 wrote to memory of 2444	1320	msedge.exe	89
PID 1320 wrote to memory of 2444	1320	msedge.exe	89
PID 1320 wrote to memory of 2444	1320	msedge.exe	89
PID 1320 wrote to memory of 2444	1320	msedge.exe	89
PID 1320 wrote to memory of 2444	1320	msedge.exe	89
PID 1320 wrote to memory of 2444	1320	msedge.exe	89
PID 1320 wrote to memory of 2444	1320	msedge.exe	89
PID 1320 wrote to memory of 2444	1320	msedge.exe	89
PID 1320 wrote to memory of 2444	1320	msedge.exe	89
PID 1320 wrote to memory of 2444	1320	msedge.exe	89
PID 1320 wrote to memory of 2444	1320	msedge.exe	89
PID 1320 wrote to memory of 2444	1320	msedge.exe	89
PID 1320 wrote to memory of 2444	1320	msedge.exe	89
PID 1320 wrote to memory of 2444	1320	msedge.exe	89
PID 1320 wrote to memory of 2444	1320	msedge.exe	89
PID 1320 wrote to memory of 2444	1320	msedge.exe	89
PID 1320 wrote to memory of 2444	1320	msedge.exe	89
PID 1320 wrote to memory of 2444	1320	msedge.exe	89
PID 1320 wrote to memory of 2444	1320	msedge.exe	89
PID 1320 wrote to memory of 2444	1320	msedge.exe	89
PID 1320 wrote to memory of 2444	1320	msedge.exe	89
PID 1320 wrote to memory of 2444	1320	msedge.exe	89
PID 1320 wrote to memory of 2444	1320	msedge.exe	89

C:\Users\Admin\AppData\Local\Temp\efc5b78dc1faef417f45e206f67d65c4677d63201b3327fc602af5e2265ad9cd.exe
"C:\Users\Admin\AppData\Local\Temp\efc5b78dc1faef417f45e206f67d65c4677d63201b3327fc602af5e2265ad9cd.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
  "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3992
- - C:\Users\Admin\AppData\Local\Temp\1000042001\edb42282e2.exe
    "C:\Users\Admin\AppData\Local\Temp\1000042001\edb42282e2.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    PID:244
- - C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
    "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
    3⤵
    PID:3980
- - C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe
    "C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1320
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9d5cc3cb8,0x7ff9d5cc3cc8,0x7ff9d5cc3cd8
        5⤵
        
        PID:3512
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1740,11834608163085293966,4379464511238456192,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:2
        5⤵
        
        PID:2444
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1740,11834608163085293966,4379464511238456192,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3720
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1740,11834608163085293966,4379464511238456192,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
        5⤵
        
        PID:784
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,11834608163085293966,4379464511238456192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
        5⤵
        
        PID:3504
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,11834608163085293966,4379464511238456192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
        5⤵
        
        PID:880
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,11834608163085293966,4379464511238456192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3776 /prefetch:1
        5⤵
        
        PID:984
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,11834608163085293966,4379464511238456192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:1
        5⤵
        
        PID:4348
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,11834608163085293966,4379464511238456192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
        5⤵
        
        PID:3588
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,11834608163085293966,4379464511238456192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2740 /prefetch:1
        5⤵
        
        PID:2368
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1740,11834608163085293966,4379464511238456192,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5960 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3808
    - - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1740,11834608163085293966,4379464511238456192,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6216 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5948
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,11834608163085293966,4379464511238456192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
        5⤵
        
        PID:6136
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,11834608163085293966,4379464511238456192,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
        5⤵
        
        PID:4700
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,11834608163085293966,4379464511238456192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
        5⤵
        
        PID:5060
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,11834608163085293966,4379464511238456192,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
        5⤵
        
        PID:4884
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1740,11834608163085293966,4379464511238456192,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5572 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5692
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
      4⤵
      Suspicious use of WriteProcessMemory
      PID:584
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9d5cc3cb8,0x7ff9d5cc3cc8,0x7ff9d5cc3cd8
        5⤵
        
        PID:4816
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,12086843639660433796,5420664097396008513,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1836 /prefetch:2
        5⤵
        
        PID:3048
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,12086843639660433796,5420664097396008513,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2296
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1400
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9d5cc3cb8,0x7ff9d5cc3cc8,0x7ff9d5cc3cd8
        5⤵
        
        PID:4376
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1696,2106989077794314100,6943294697684206948,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:864
- - C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe
    "C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:3596
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:5456
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:5512
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        
        PID:5580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\930051783255_Desktop.zip' -CompressionLevel Optimal
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5712
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:5364

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3064

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5044

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1448

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3304

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5928
- C:\Users\Admin\AppData\Local\Temp\1001073001\swiiiii.exe
  "C:\Users\Admin\AppData\Local\Temp\1001073001\swiiiii.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5272
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5380
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5272 -s 884
    3⤵
    - Program crash
    PID:4908
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
  2⤵
  - Loads dropped DLL
  PID:2560
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:5548
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:3236
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\930051783255_Desktop.zip' -CompressionLevel Optimal
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5124
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:3692

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5272 -ip 5272
1⤵
PID:3504

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4076

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ae626d9a72417b14570daa8fcd5d34a4

SHA1
c103ebaf4d760df722d620df87e6f07c0486439f

SHA256
52cc3f3028fab0d347a4a3fffef570b42f85748176d81a3344996d42fd1de32a

SHA512
a0690bda318bdf43d6f292f88d4ea2ebeec83b95e9ebca80083dbb08e7ddcdb9735cc58b89d369a34f10acf8a114d4a207ed8d0f070c5baf87c5798e9f35bc14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
19a8bcb40a17253313345edd2a0da1e7

SHA1
86fac74b5bbc59e910248caebd1176a48a46d72e

SHA256
b8024fbed11683ef4b53f5afac0ff691025b7eecca0f6a95737da1585558227e

SHA512
9f8780f49d30aad01b28189804329aeca6ad2b7ffb6be505d40bb1af7802bb62622f518cb1c43a5815bbbb46638f6c52aead3d68f14fa957d18157edb42e95c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
96899614360333c9904499393c6e3d75

SHA1
bbfa17cf8df01c266323965735f00f0e9e04cd34

SHA256
486e4b4bb11f664c91c675e73cfeabe53b5009ae719459813be17814cd97e43c

SHA512
974735b40a9f92b40a37a698f7f333590f32ff45633c6e619500e74ec274bc20bf7dbc830b1685777b714d37a3ca103d741ee056f4ff45ef08c07b38a7895df7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
960B

MD5
126b49323b64ebaa78acbbfdb6e03486

SHA1
7f287914b0d0e7f007fc6434d3b03acabab2a818

SHA256
cd07cafa26eb61104dba6b1f44282aed127ed633a18c4d91da8c2a03ca589044

SHA512
0d57c4e5c390840a77495d1e9ae97b1e1790f5fcc1bd0f913978df969acd7c156cb778556f4f454069d864ec150038ef4ed0611f5dd8fdcfb7a52099f04610df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
3da61cb145a24e2717d71b97476e94d7

SHA1
ad2f84d4406c262e519b50eec86e3b610be63625

SHA256
941f5602337e13087f6d51ed51d672fe30b33a5cec5284f2f391e5012d4bffd8

SHA512
bacc12dff6758661817805da724f14900c757af5c78e17703d77e320efa612d06c0da75b88d0a18c65cf387071a0715d1f20d8f3d1fac7d858c9048b417730eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
784b5080c6ffcbf30d0050628a741359

SHA1
1d6624a8cda0c446af899a5e327391f8124b59ae

SHA256
e7e509b5165fe2644d4cc7e8de635077408dde3a731a6ad26fae51c6590b338b

SHA512
029845351842b2497a5c9eb287706c344dca9915ca1e5b2656831b2da479bbee0b33545c9a449751e8f7fc6b92b0c923d40304c3ef4ed892b91edeb1ac6cbd92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
45885ef36ecc3d56538afee715b8d052

SHA1
c0f591c27d3a8ac27d9f09bcb98577acc6931a5d

SHA256
3e7252f90c8cee4038a3f2de25a61661752a47b0ef0624a96ca95695145e962f

SHA512
24eb09fbf5847ba1eb2ab6ccac5eb669acf57b6abab33a905a22d2aac3b7fee1ec3629f25b89badbf177b096fc85c29ebd053f145536305bb45530507c474768

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7cf278066c37c6a8e2c7b1f7ba863ecf

SHA1
c05a9138749fee4bce595860185abae8ca069445

SHA256
f24f8b525aa5d7469e1d74c3acdca843baff96617b7f3c8a800cc60d1468c0a0

SHA512
9989ad65b3ba1efc2e1203a8dcb574a7d3ce8898ade0bdd6fc3cadaa3f6d9b38938bb5d6fc4ef015d124e441a20c32d4bb4a7b8809f91c94f5cbb4662cf7b8bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
e66f9fb4df63d286fe6dd2c3adc06e69

SHA1
c167b4cce205c3ffb81ed04a38290e24fa9bbf12

SHA256
c3225e9ebd67bf767d5b9eee64d744a54fe0126c1a87919d7b896873343c8570

SHA512
5ee79182740bdd4999949d0611e7e7fec9a17f7975ea0d4dfdf75e541424705c3e15e5f311480532b99787af1913a345b730b73992e9a258f63b90ecde6e7d63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
872f45249a760f8077a9122356ae3c1b

SHA1
da1ce6a9452065572b83daaa6e4bbecd9a834d6a

SHA256
5c17c0022858fa8cfc8769d95a58791f9c020c96a5bfe94221013c67cf0a2f25

SHA512
1f5b9c99a05805813e1804f3437a4c9efbf875ca266af0aff769d6ab84925dd928cd148aa4d720725cdede9e3ff4e1d1e997e5dd0856954376ff92a1458b7956

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
379d2396b02506f9bee5cdc60a7ee9d7

SHA1
d9988714abb18002911ec4e47d0b88533ed7f000

SHA256
fc54dbc7a1e15013dcdc91cf5528e4fe2b4866d5a7c4af4d9baacc54d479f953

SHA512
d429b18f8642530bf56c4a359890724211f3e78868860f897f06423c7d026fed7fd98cf750d7884302e64e95ba3ffe4996db5f7a23771c36a21f39c104ca0def

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
96ac73fbee45bf8ce8c684b55510155d

SHA1
eb4d14122e008e982723e99a3426b257df807e42

SHA256
03869ee6c6211b75897247061e80ba0a105b585885b096ffdf6423b963be1eec

SHA512
6a807aa49dc1439fb0d860d3dee8477372f88ff6fd9446a2ddc62a02f37663ad6f05240795599e961c9dc0a5945b14e698142fd0d74174c2fb065cc899443bbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f0c8.TMP

Filesize
707B

MD5
1fd6348a4d737fe679ee638475a592c4

SHA1
2e310d1d62f2f37d79b9f098d5167fef942869f1

SHA256
276aee1c1972e1f79e407d57b4577c95587f50203c9517200673bc64f287c903

SHA512
5a556310fe596794e505473b55576a2546f4e67393bb2acdaf87a6b679408119e3948c7d256086fd78d101a26b01d62db0f39c862f3cc2f50ff475065f328687

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e796261b90df4d9b7ef0f45c11e0aff8

SHA1
5312a4cc4c32500daca17b7f55b4c00a6ead2726

SHA256
7c10fb8710be3867b49ae12eb5451bfa64f740bbff99c803cb69df70baf49686

SHA512
31d5041362b8f9b831f30f4aea4959e03c014738ebddcb1c8f9dcb06d70c72378ac563926c2f9ea8a56965c9fc7b1e56eb9e1210fa3d516fe12bb54973592c97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
741a462a21f39cb8ab95401d5e99bda9

SHA1
46355a38142837036627972e1c13b8f9b4e4baa3

SHA256
3089d02ae53fe4e8df16bb43dd38f0fc2e1eeec7e818ae6d206bdedc05f1c5a3

SHA512
347466eaf59515909080eac246e0f836a39f46a1eb4301f87643c61663bcd3709b8ce98d95f6d7695905451aea04666f40711996fba3486654e2ab02fe7d0e4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
0e89a9a3d0a23a051614957ef772cfa0

SHA1
f6b1f8b1404e895ae7ca1eb4d38b7e4235acfc2c

SHA256
092f363dd74e4f42da65103b3fc8c56ce67041e5517921cb12f4d8f51b05f816

SHA512
feb9dfa099da288f06879ab00e2c7a62b321bb0cf5b41a6c3c97a5ea717c0439ee04bed7e3704a5ccbde762536136fe425d292f56740c9e6e720deda710b360e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
85b9cc9025322c39ee862e74568559fe

SHA1
100c4c6c0b341a09d8ebcc471bb326a12e700997

SHA256
861fa36fed0da433242f961cd6b05a01b6f6f1f04ab2c9555cfc357469e57951

SHA512
e88cb9995edd0f0ef57d77798c0d949a287b7b92f430e669cfd55197395f9a7298081aa49aef4f0f315845d524c139774ebb2f8e83261f9c731e033671bf3cd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

Filesize
1.8MB

MD5
4a6648001597e18b66583a0cb4acf0a3

SHA1
216214d33e9e6ab1f40649cfc1647abc30f91ed3

SHA256
efc5b78dc1faef417f45e206f67d65c4677d63201b3327fc602af5e2265ad9cd

SHA512
896f3da600061f7c264ea175fa1d04271feddae66993f9db6690509348916e2c05df1c2117209909bf433c31ad5eb8aac438d148c6495c18be8a11e55516ca9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000042001\edb42282e2.exe

Filesize
3.0MB

MD5
26d0336cc3c3c26c17077939217bf28a

SHA1
e8368f585d0cc9ba833f360f198f345b86cac8c8

SHA256
a5a890e90b0628860bd8e36b86a12475ed4e42387117db7b856dfdb88b7f0e72

SHA512
59cc78a512c19add25ca1ffa4670abe99b6c20053b6c26f7624f1a285e167a6b3993a48c362cfdc2552e0431542678bfcfc43e4ccbd573c632a7af670b26c992

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe

Filesize
894KB

MD5
2f8912af892c160c1c24c9f38a60c1ab

SHA1
d2deae508e262444a8f15c29ebcc7ebbe08a3fdb

SHA256
59ff8e0aa665fbbf749c7548906a655cb1869bb58a3b7546efa5b416d19e6308

SHA512
0395383bde98d358b0a7f2224f903dff026ce0c6d90feb49ac0e6993ef692143b0eb25da84d9cdc9e7b373a7b75a6dbaef14746eda1bff165d59f07ca51a16bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe

Filesize
1.8MB

MD5
f0b66b6dbd4b08e9c5daf536f73dba5e

SHA1
800212cd4edf77c4e3b4fdafd18afd8ea74be90a

SHA256
92b1d3003f2bdef59d186e119ab89bb38fff0d1eff554172618bef186dae17e1

SHA512
b79f9e1f7f279a2e162405644eca2f67150d789705ff744f49e9dac15abf643428002a85ae0d0c3fc88c13d7088ab4cf8368d623296245340cdaedae497399a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001073001\swiiiii.exe

Filesize
321KB

MD5
1c7d0f34bb1d85b5d2c01367cc8f62ef

SHA1
33aedadb5361f1646cffd68791d72ba5f1424114

SHA256
e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c

SHA512
53bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_edg1h1aa.soq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
109KB

MD5
2afdbe3b99a4736083066a13e4b5d11a

SHA1
4d4856cf02b3123ac16e63d4a448cdbcb1633546

SHA256
8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee

SHA512
d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
1.2MB

MD5
92fbdfccf6a63acef2743631d16652a7

SHA1
971968b1378dd89d59d7f84bf92f16fc68664506

SHA256
b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72

SHA512
b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
109KB

MD5
726cd06231883a159ec1ce28dd538699

SHA1
404897e6a133d255ad5a9c26ac6414d7134285a2

SHA256
12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46

SHA512
9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.2MB

MD5
15a42d3e4579da615a384c717ab2109b

SHA1
22aeedeb2307b1370cdab70d6a6b6d2c13ad2301

SHA256
3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103

SHA512
1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

Download Submit
memory/244-752-0x0000000000A30000-0x0000000000DE7000-memory.dmp

Filesize
3.7MB

Download
memory/244-658-0x0000000000A30000-0x0000000000DE7000-memory.dmp

Filesize
3.7MB

Download
memory/244-776-0x0000000000A30000-0x0000000000DE7000-memory.dmp

Filesize
3.7MB

Download
memory/244-759-0x0000000000A30000-0x0000000000DE7000-memory.dmp

Filesize
3.7MB

Download
memory/244-755-0x0000000000A30000-0x0000000000DE7000-memory.dmp

Filesize
3.7MB

Download
memory/244-52-0x0000000000A30000-0x0000000000DE7000-memory.dmp

Filesize
3.7MB

Download
memory/244-350-0x0000000000A30000-0x0000000000DE7000-memory.dmp

Filesize
3.7MB

Download
memory/244-51-0x0000000000A30000-0x0000000000DE7000-memory.dmp

Filesize
3.7MB

Download
memory/244-594-0x0000000000A30000-0x0000000000DE7000-memory.dmp

Filesize
3.7MB

Download
memory/244-771-0x0000000000A30000-0x0000000000DE7000-memory.dmp

Filesize
3.7MB

Download
memory/244-672-0x0000000000A30000-0x0000000000DE7000-memory.dmp

Filesize
3.7MB

Download
memory/244-749-0x0000000000A30000-0x0000000000DE7000-memory.dmp

Filesize
3.7MB

Download
memory/244-799-0x0000000000A30000-0x0000000000DE7000-memory.dmp

Filesize
3.7MB

Download
memory/244-684-0x0000000000A30000-0x0000000000DE7000-memory.dmp

Filesize
3.7MB

Download
memory/244-695-0x0000000000A30000-0x0000000000DE7000-memory.dmp

Filesize
3.7MB

Download
memory/244-705-0x0000000000A30000-0x0000000000DE7000-memory.dmp

Filesize
3.7MB

Download
memory/244-366-0x0000000000A30000-0x0000000000DE7000-memory.dmp

Filesize
3.7MB

Download
memory/2608-786-0x0000000000770000-0x0000000000C34000-memory.dmp

Filesize
4.8MB

Download
memory/3596-235-0x0000000000610000-0x0000000000AC4000-memory.dmp

Filesize
4.7MB

Download
memory/3596-309-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/3596-311-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/3596-266-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/3596-268-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/3596-262-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/3596-258-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/3596-255-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/3596-273-0x0000000000610000-0x0000000000AC4000-memory.dmp

Filesize
4.7MB

Download
memory/3596-318-0x0000000000610000-0x0000000000AC4000-memory.dmp

Filesize
4.7MB

Download
memory/3596-254-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/3596-263-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/3992-27-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/3992-31-0x0000000005270000-0x0000000005271000-memory.dmp

Filesize
4KB

Download
memory/3992-24-0x0000000000770000-0x0000000000C34000-memory.dmp

Filesize
4.8MB

Download
memory/3992-703-0x0000000000770000-0x0000000000C34000-memory.dmp

Filesize
4.8MB

Download
memory/3992-26-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download
memory/3992-694-0x0000000000770000-0x0000000000C34000-memory.dmp

Filesize
4.8MB

Download
memory/3992-25-0x0000000005210000-0x0000000005211000-memory.dmp

Filesize
4KB

Download
memory/3992-734-0x0000000000770000-0x0000000000C34000-memory.dmp

Filesize
4.8MB

Download
memory/3992-673-0x0000000000770000-0x0000000000C34000-memory.dmp

Filesize
4.8MB

Download
memory/3992-28-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/3992-670-0x0000000000770000-0x0000000000C34000-memory.dmp

Filesize
4.8MB

Download
memory/3992-30-0x0000000005220000-0x0000000005221000-memory.dmp

Filesize
4KB

Download
memory/3992-29-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/3992-415-0x0000000000770000-0x0000000000C34000-memory.dmp

Filesize
4.8MB

Download
memory/3992-32-0x0000000005260000-0x0000000005261000-memory.dmp

Filesize
4KB

Download
memory/3992-142-0x0000000000770000-0x0000000000C34000-memory.dmp

Filesize
4.8MB

Download
memory/3992-308-0x0000000000770000-0x0000000000C34000-memory.dmp

Filesize
4.8MB

Download
memory/3992-642-0x0000000000770000-0x0000000000C34000-memory.dmp

Filesize
4.8MB

Download
memory/3992-251-0x0000000000770000-0x0000000000C34000-memory.dmp

Filesize
4.8MB

Download
memory/3992-23-0x0000000000770000-0x0000000000C34000-memory.dmp

Filesize
4.8MB

Download
memory/3992-751-0x0000000000770000-0x0000000000C34000-memory.dmp

Filesize
4.8MB

Download
memory/3992-754-0x0000000000770000-0x0000000000C34000-memory.dmp

Filesize
4.8MB

Download
memory/3992-757-0x0000000000770000-0x0000000000C34000-memory.dmp

Filesize
4.8MB

Download
memory/3992-760-0x0000000000770000-0x0000000000C34000-memory.dmp

Filesize
4.8MB

Download
memory/3992-774-0x0000000000770000-0x0000000000C34000-memory.dmp

Filesize
4.8MB

Download
memory/3992-787-0x0000000000770000-0x0000000000C34000-memory.dmp

Filesize
4.8MB

Download
memory/4076-715-0x0000000000770000-0x0000000000C34000-memory.dmp

Filesize
4.8MB

Download
memory/5044-22-0x0000000000660000-0x0000000000B24000-memory.dmp

Filesize
4.8MB

Download
memory/5044-3-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/5044-10-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/5044-9-0x0000000005160000-0x0000000005161000-memory.dmp

Filesize
4KB

Download
memory/5044-1-0x0000000077206000-0x0000000077208000-memory.dmp

Filesize
8KB

Download
memory/5044-2-0x0000000000660000-0x0000000000B24000-memory.dmp

Filesize
4.8MB

Download
memory/5044-5-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/5044-0-0x0000000000660000-0x0000000000B24000-memory.dmp

Filesize
4.8MB

Download
memory/5044-4-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/5044-8-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/5044-6-0x0000000005130000-0x0000000005131000-memory.dmp

Filesize
4KB

Download
memory/5044-7-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/5272-389-0x0000000000950000-0x00000000009A2000-memory.dmp

Filesize
328KB

Download
memory/5380-396-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/5380-393-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/5712-334-0x00007FF9C4F00000-0x00007FF9C59C2000-memory.dmp

Filesize
10.8MB

Download
memory/5712-335-0x0000017AD8FA0000-0x0000017AD8FB0000-memory.dmp

Filesize
64KB

Download
memory/5712-330-0x0000017AF12B0000-0x0000017AF12D2000-memory.dmp

Filesize
136KB

Download
memory/5712-336-0x0000017AD8FA0000-0x0000017AD8FB0000-memory.dmp

Filesize
64KB

Download
memory/5712-337-0x0000017AD8FA0000-0x0000017AD8FB0000-memory.dmp

Filesize
64KB

Download
memory/5712-338-0x0000017AF1540000-0x0000017AF1552000-memory.dmp

Filesize
72KB

Download
memory/5712-339-0x0000017AF12A0000-0x0000017AF12AA000-memory.dmp

Filesize
40KB

Download
memory/5712-345-0x00007FF9C4F00000-0x00007FF9C59C2000-memory.dmp

Filesize
10.8MB

Download
memory/5928-706-0x0000000000B30000-0x0000000000FE4000-memory.dmp

Filesize
4.7MB

Download
memory/5928-770-0x0000000000B30000-0x0000000000FE4000-memory.dmp

Filesize
4.7MB

Download
memory/5928-354-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/5928-352-0x0000000000B30000-0x0000000000FE4000-memory.dmp

Filesize
4.7MB

Download
memory/5928-800-0x0000000000B30000-0x0000000000FE4000-memory.dmp

Filesize
4.7MB

Download
memory/5928-595-0x0000000000B30000-0x0000000000FE4000-memory.dmp

Filesize
4.7MB

Download
memory/5928-348-0x0000000000B30000-0x0000000000FE4000-memory.dmp

Filesize
4.7MB

Download
memory/5928-368-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/5928-369-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/5928-683-0x0000000000B30000-0x0000000000FE4000-memory.dmp

Filesize
4.7MB

Download
memory/5928-750-0x0000000000B30000-0x0000000000FE4000-memory.dmp

Filesize
4.7MB

Download
memory/5928-777-0x0000000000B30000-0x0000000000FE4000-memory.dmp

Filesize
4.7MB

Download
memory/5928-353-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/5928-753-0x0000000000B30000-0x0000000000FE4000-memory.dmp

Filesize
4.7MB

Download
memory/5928-355-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/5928-671-0x0000000000B30000-0x0000000000FE4000-memory.dmp

Filesize
4.7MB

Download
memory/5928-756-0x0000000000B30000-0x0000000000FE4000-memory.dmp

Filesize
4.7MB

Download
memory/5928-356-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

Filesize
4KB

Download
memory/5928-758-0x0000000000B30000-0x0000000000FE4000-memory.dmp

Filesize
4.7MB

Download
memory/5928-358-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/5928-357-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/5928-657-0x0000000000B30000-0x0000000000FE4000-memory.dmp

Filesize
4.7MB

Download
memory/5928-696-0x0000000000B30000-0x0000000000FE4000-memory.dmp

Filesize
4.7MB

Download
memory/5964-359-0x0000000004F40000-0x0000000004F41000-memory.dmp

Filesize
4KB

Download
memory/5964-360-0x0000000004F50000-0x0000000004F51000-memory.dmp

Filesize
4KB

Download
memory/5964-361-0x0000000004F30000-0x0000000004F31000-memory.dmp

Filesize
4KB

Download
memory/5964-362-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/5964-367-0x0000000000770000-0x0000000000C34000-memory.dmp

Filesize
4.8MB

Download
memory/5964-363-0x0000000004F10000-0x0000000004F11000-memory.dmp

Filesize
4KB

Download
memory/5964-365-0x0000000000770000-0x0000000000C34000-memory.dmp

Filesize
4.8MB

Download
memory/5964-351-0x0000000000770000-0x0000000000C34000-memory.dmp

Filesize
4.8MB

Download
memory/5964-364-0x0000000004F20000-0x0000000004F21000-memory.dmp

Filesize
4KB

Download