984dfc64c10f96c5350d6d9216a5d7abfece1658dfc93925f7a6b0c80817c886

Resubmissions

22-10-2024 00:01

241022-abbvhawflk 10

21-10-2024 23:58

241021-31jwmawelj 8

21-10-2024 23:55

241021-3yrhpatgka 6

Analysis

max time kernel
132s
max time network
134s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
21-10-2024 23:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WaveInstaller.exe
Size

2.3MB
MD5

215d509bc217f7878270c161763b471e
SHA1

bfe0a2580d54cfa28d3ff5ef8dc754fdc73adcd9
SHA256

984dfc64c10f96c5350d6d9216a5d7abfece1658dfc93925f7a6b0c80817c886
SHA512

68e615dfcb1b7770ad64175438a913744c14bdd3af93b339c2b526271bdd0d23334e78d049fdae8ca9fe66672a8cf252ebf891be9ab6c46a3d8f1fb00fa8c83b
SSDEEP

49152:LinbT3qpTDQSmanAmwJAaDMg33U2pLOiniT:LinKpTJmWAmmAMP8in

Score

8^/10

defense_evasion discovery spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
652	Rensenware.exe
3128	Rensenware.exe
1668	Rensenware.exe
3456	Rensenware.exe
3020	Rensenware.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
10	raw.githubusercontent.com
40	raw.githubusercontent.com
46	raw.githubusercontent.com
3	raw.githubusercontent.com

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Rensenware.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaveInstaller.exe

Checks processor information in registry 2 TTPs 35 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	dw20.exe

Enumerates system info in registry 2 TTPs 13 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 237530.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Rensenware.exe:Zone.Identifier	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2188	vlc.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2836	msedge.exe
1864	msedge.exe
2836	msedge.exe
1864	msedge.exe
1452	identity_helper.exe
1452	identity_helper.exe
4800	msedge.exe
4800	msedge.exe
4544	msedge.exe
4544	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2188	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeBackupPrivilege	2392	dw20.exe
Token: SeBackupPrivilege	2392	dw20.exe
Token: SeDebugPrivilege	4756	WaveInstaller.exe
Token: SeBackupPrivilege	2136	dw20.exe
Token: SeBackupPrivilege	2136	dw20.exe
Token: SeBackupPrivilege	4328	dw20.exe
Token: SeBackupPrivilege	4328	dw20.exe
Token: SeBackupPrivilege	2344	dw20.exe
Token: SeBackupPrivilege	2344	dw20.exe
Token: SeBackupPrivilege	4548	dw20.exe
Token: SeBackupPrivilege	4548	dw20.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2188	vlc.exe
2188	vlc.exe
2188	vlc.exe
2188	vlc.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2188	vlc.exe
2188	vlc.exe
2188	vlc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2188	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 2612	2836	msedge.exe	83
PID 2836 wrote to memory of 2612	2836	msedge.exe	83
PID 2836 wrote to memory of 1648	2836	msedge.exe	84
PID 2836 wrote to memory of 1648	2836	msedge.exe	84
PID 2836 wrote to memory of 1648	2836	msedge.exe	84
PID 2836 wrote to memory of 1648	2836	msedge.exe	84
PID 2836 wrote to memory of 1648	2836	msedge.exe	84
PID 2836 wrote to memory of 1648	2836	msedge.exe	84
PID 2836 wrote to memory of 1648	2836	msedge.exe	84
PID 2836 wrote to memory of 1648	2836	msedge.exe	84
PID 2836 wrote to memory of 1648	2836	msedge.exe	84
PID 2836 wrote to memory of 1648	2836	msedge.exe	84
PID 2836 wrote to memory of 1648	2836	msedge.exe	84
PID 2836 wrote to memory of 1648	2836	msedge.exe	84
PID 2836 wrote to memory of 1648	2836	msedge.exe	84
PID 2836 wrote to memory of 1648	2836	msedge.exe	84
PID 2836 wrote to memory of 1648	2836	msedge.exe	84
PID 2836 wrote to memory of 1648	2836	msedge.exe	84
PID 2836 wrote to memory of 1648	2836	msedge.exe	84
PID 2836 wrote to memory of 1648	2836	msedge.exe	84
PID 2836 wrote to memory of 1648	2836	msedge.exe	84
PID 2836 wrote to memory of 1648	2836	msedge.exe	84
PID 2836 wrote to memory of 1648	2836	msedge.exe	84
PID 2836 wrote to memory of 1648	2836	msedge.exe	84
PID 2836 wrote to memory of 1648	2836	msedge.exe	84
PID 2836 wrote to memory of 1648	2836	msedge.exe	84
PID 2836 wrote to memory of 1648	2836	msedge.exe	84
PID 2836 wrote to memory of 1648	2836	msedge.exe	84
PID 2836 wrote to memory of 1648	2836	msedge.exe	84
PID 2836 wrote to memory of 1648	2836	msedge.exe	84
PID 2836 wrote to memory of 1648	2836	msedge.exe	84
PID 2836 wrote to memory of 1648	2836	msedge.exe	84
PID 2836 wrote to memory of 1648	2836	msedge.exe	84
PID 2836 wrote to memory of 1648	2836	msedge.exe	84
PID 2836 wrote to memory of 1648	2836	msedge.exe	84
PID 2836 wrote to memory of 1648	2836	msedge.exe	84
PID 2836 wrote to memory of 1648	2836	msedge.exe	84
PID 2836 wrote to memory of 1648	2836	msedge.exe	84
PID 2836 wrote to memory of 1648	2836	msedge.exe	84
PID 2836 wrote to memory of 1648	2836	msedge.exe	84
PID 2836 wrote to memory of 1648	2836	msedge.exe	84
PID 2836 wrote to memory of 1648	2836	msedge.exe	84
PID 2836 wrote to memory of 1864	2836	msedge.exe	85
PID 2836 wrote to memory of 1864	2836	msedge.exe	85
PID 2836 wrote to memory of 3340	2836	msedge.exe	86
PID 2836 wrote to memory of 3340	2836	msedge.exe	86
PID 2836 wrote to memory of 3340	2836	msedge.exe	86
PID 2836 wrote to memory of 3340	2836	msedge.exe	86
PID 2836 wrote to memory of 3340	2836	msedge.exe	86
PID 2836 wrote to memory of 3340	2836	msedge.exe	86
PID 2836 wrote to memory of 3340	2836	msedge.exe	86
PID 2836 wrote to memory of 3340	2836	msedge.exe	86
PID 2836 wrote to memory of 3340	2836	msedge.exe	86
PID 2836 wrote to memory of 3340	2836	msedge.exe	86
PID 2836 wrote to memory of 3340	2836	msedge.exe	86
PID 2836 wrote to memory of 3340	2836	msedge.exe	86
PID 2836 wrote to memory of 3340	2836	msedge.exe	86
PID 2836 wrote to memory of 3340	2836	msedge.exe	86
PID 2836 wrote to memory of 3340	2836	msedge.exe	86
PID 2836 wrote to memory of 3340	2836	msedge.exe	86
PID 2836 wrote to memory of 3340	2836	msedge.exe	86
PID 2836 wrote to memory of 3340	2836	msedge.exe	86
PID 2836 wrote to memory of 3340	2836	msedge.exe	86
PID 2836 wrote to memory of 3340	2836	msedge.exe	86

C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbdd8f3cb8,0x7ffbdd8f3cc8,0x7ffbdd8f3cd8
  2⤵
  PID:2612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,16613057419657870112,7309508440184617026,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
  2⤵
  PID:1648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1856,16613057419657870112,7309508440184617026,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1856,16613057419657870112,7309508440184617026,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
  2⤵
  PID:3340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,16613057419657870112,7309508440184617026,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:1356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,16613057419657870112,7309508440184617026,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:2644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,16613057419657870112,7309508440184617026,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
  2⤵
  PID:4264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,16613057419657870112,7309508440184617026,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4136 /prefetch:1
  2⤵
  PID:3880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,16613057419657870112,7309508440184617026,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
  2⤵
  PID:3188
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1856,16613057419657870112,7309508440184617026,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3580 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,16613057419657870112,7309508440184617026,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1
  2⤵
  PID:3444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,16613057419657870112,7309508440184617026,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
  2⤵
  PID:400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,16613057419657870112,7309508440184617026,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
  2⤵
  PID:1320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,16613057419657870112,7309508440184617026,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:2720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1856,16613057419657870112,7309508440184617026,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,16613057419657870112,7309508440184617026,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:3020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,16613057419657870112,7309508440184617026,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:2016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,16613057419657870112,7309508440184617026,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
  2⤵
  PID:1476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,16613057419657870112,7309508440184617026,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:3608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,16613057419657870112,7309508440184617026,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
  2⤵
  PID:2692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1856,16613057419657870112,7309508440184617026,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6488 /prefetch:8
  2⤵
  PID:1064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1856,16613057419657870112,7309508440184617026,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6004 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4544
- C:\Users\Admin\Downloads\Rensenware.exe
  "C:\Users\Admin\Downloads\Rensenware.exe"
  2⤵
  - Executes dropped EXE
  PID:652
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
    dw20.exe -x -s 856
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:2392

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4672

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2504

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2304

C:\Users\Admin\Downloads\Rensenware.exe
"C:\Users\Admin\Downloads\Rensenware.exe"
1⤵
- Executes dropped EXE
PID:3128
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
  dw20.exe -x -s 804
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:2136

C:\Users\Admin\Downloads\Rensenware.exe
"C:\Users\Admin\Downloads\Rensenware.exe"
1⤵
- Executes dropped EXE
PID:1668
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
  dw20.exe -x -s 800
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:4328

C:\Users\Admin\Downloads\Rensenware.exe
"C:\Users\Admin\Downloads\Rensenware.exe"
1⤵
- Executes dropped EXE
PID:3456
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
  dw20.exe -x -s 800
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:2344

C:\Users\Admin\Downloads\Rensenware.exe
"C:\Users\Admin\Downloads\Rensenware.exe"
1⤵
- Executes dropped EXE
PID:3020
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
  dw20.exe -x -s 800
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:4548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:336

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\DisconnectMove.vbe"
1⤵
PID:2996

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\MergeSelect.AAC"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2188

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c1a24fa898d2a98b540b20272c8e47b

SHA1
3218bff9ce95b52842fa1b8bd00be073177141ef

SHA256
bbcc378fcbf64580e7a48b4e7ca9be57fa0a1f2e747f488325685bdb18d73a95

SHA512
e61f196e7f1c9a5fe249abe9b11eea770fb2f4babc61f60b12c71f43e6fe9354cf14869daf46abc2c2655bce180252acd43c10562a2dcd31fa7d90d33253820e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f1d2c7fd2ca29bb77a5da2d1847fbb92

SHA1
840de2cf36c22ba10ac96f90890b6a12a56526c6

SHA256
58d0f80310f4a84f687c5ce0adaa982eb42fe4480510399fa2ae975d40bb8bc5

SHA512
ede1fafea2404f16948fe0b5ea5161ccee3ee6e40c55ff98c337eac981a6776b9c73dc030a5c59e4347aec91259f497539206e71949c33adcecbf2c846709e14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
43c2677c28b03678b1b7d4b8d4110a6c

SHA1
d69c1bd8e0f27c9f998032e2080627f0b6d53899

SHA256
965a628bb8f193774a77093c97e0503a9e2e0e2b2f813cc15afe2b4ea5d7eb3c

SHA512
111bac6e7fde470c0a466a13774ee8bbaaf82d6e8d4bc10fa6a9804cfbd49dc482ad883d99fce9b6271376678b591b0719a43e6b280d06afa9a6800cb26f82df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
871B

MD5
cfffc936927ee9193b82100a54f3da00

SHA1
c16757c7afb25c1ea57d749dc06ecf77a6670d39

SHA256
08147e2758413b729978373456c802e7c0c8abe5fcb8f14377befd41f0b192ce

SHA512
0643492e1f5004a7336136a976a295a90d711edce4c99264f1f54c4880420a2e382599787c53c0928601e35ab826c592f49e3d1d5fbe6d36019aa33c88ad22f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a7ce2202373403f800bf9cf06955b603

SHA1
75f5f1935827a76d28766b5448ec75a9ccd4211e

SHA256
65160b421776771bbde5a96d16a596b08f7dc126801ff5d5f680713e21675564

SHA512
32f14f2db406281412620dff637cb42a190ac64c3fe85ffc1a93ce2575cf539fba76757cfc82a790e08aea8b5251b8c0861c12c5b40bbbcc5158e2b960022906

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a24eaa5641d2c878f29a739a2a13578e

SHA1
7142cd540a70fb2d25ba644d4adde490b0532073

SHA256
9af3b4b71f9495cccc900df7968bfaea471089357e9d1043606fd82a8097bb85

SHA512
bef37e4ea0ec2c10073665ea84fbcb1ff8e3bb3debf6a77a4286cc1d1a6bc45ee8c0132efb8f0bd61c6b2cd5c6886fecbd4fc54aad6fb38577d20be7106fa16a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7b5ea192b5dd032f0e1000106ff1e0cf

SHA1
27a38a9a296263e3e693512ed582ef5fd9afd33b

SHA256
3751b0e39a41229bb73a7443a4a9eea8953fb3cb9f80d0ea44268ef2201871d4

SHA512
bb0c91d78f23af880200fab0d02d30965cdf5f1439e681495d74cdfd414f858915e494bcd647c7d8ea8ee713bf8eea5f7acfa62cb23b404081b9d60add256748

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e8faf54c76557cbc186a7ab3de7fa1d2

SHA1
400751271b1b7108751b17453bcecb1e839f447a

SHA256
829d53d3c1f04e913ab2ad1bf9ad1613df0c97062114886e79911bb6e5e5253a

SHA512
28f46b026e73f72ac6c425d03a07ab34c05f6e23659639b768bc4daa5b3631b98735734b6b4e15122849e3691af6efb661e64555508af746252fe854a4ad9d3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
09b951c12bdb6df5a9ac696ad1baafca

SHA1
933e75c6f99721df477cf4f6767455fd9f4b7b5d

SHA256
956306397898729afb8bb1850fd0b97fbfe028bcd92d3d73b4aefe6c31aa1e8f

SHA512
26d8dcea3e04e3fd17f8cabff0aef543fe4b624014e0150b4eea0890c0019ed0cff3e69922377d6d0b7eefefd797e035823612bb5a69d3bc2f1bc4374a6edea0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3d2de91a6ebbbdf2f700486fe71c9676

SHA1
273136864d26f1eb75850c5379c29bcfb84ce1de

SHA256
269526251a07748e8b2dc5473761c6acc12c0443ef7d4c1b4a59036b4c6be2c5

SHA512
83805d0f637ec934d1585cfd7baa9d6fdd909d94393b62ff65e60edee76e16ba8cdc644908f0ddea6d9df6fb32a789e1e089c928372b367059a10a3d8a676ced

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581eed.TMP

Filesize
1KB

MD5
b60a048ad13393599279b6e61ea684ca

SHA1
96c322cfa5c056e22df5b349fe468131d8748683

SHA256
42ba15fc5fa8d083c35b3daac54778d0444931ee5a2d0d84c721ff32772d7ab7

SHA512
03455ffd7e0fd37a5bff1c4f0fd1b80ca4ad4b86fa9d4e681f4632f30d408b2052a1dbcc54e8e464dc0f0bbb6c91fc1869d3e832db80eff3899b48c76f97915a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
90fc84a3fb02c4cb61941f897727c3ab

SHA1
ac16e787b13f1e1ac06b58430b055cfbf1ddb3b5

SHA256
fcbc563fc78ff42443cbdf5645239b7ac38066f3033e56920f585af4ab736341

SHA512
e279449c0aceeda5a71fe4e75edc9fa30d73df1a11c0eb78e9c2b4c9db0ca9bd8f86f93ee978447d77010f690b8e47ada2d8037eb2d1195dc0675aed0f9cc325

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d9ae6efae1733816c76e999f2013eaa3

SHA1
910673c878160203c0d43ebad160a8f1c669b65d

SHA256
882fb629e3a0f1cd24cabc23e87ec8e5d0bbf3c23d85757934f2ba5b18be09fc

SHA512
8128e15b44cbcf6228f849da2e879284525458ecc03440ddb148a14b50cedf5236952f21e74653bfa3dd9862566df6a6ff518bfa0086e7614146fa3e7e7f8bef

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\30d9ecc1-874f-470e-a2b4-cf845f5ce9c9.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe

Filesize
949KB

MD5
495df8a4dee554179394b33daece4d1e

SHA1
0a67a0e43b4b4e3e25a736d08de4cec22033b696

SHA256
201263498c60fa595f394650c53a08d0b82850349123b97d41565e145ddf2f42

SHA512
ce3bef1038741f7a0f90cc131a4a1883fd84b006654024d591f5451e73166b4cae546e307c358b5b90aa0e6517bf7b6098f1f59a3ecc01598d4feb26e6b6af33

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 237530.crdownload

Filesize
96KB

MD5
60335edf459643a87168da8ed74c2b60

SHA1
61f3e01174a6557f9c0bfc89ae682d37a7e91e2e

SHA256
7bf5623f0a10dfa148a35bebd899b7758612f1693d2a9910f716cf15a921a76a

SHA512
b4e5e4d4f0b4a52243d6756c66b4fe6f4b39e64df7790072046e8a3dadad3a1be30b8689a1bab8257cc35cb4df652888ddf62b4e1fccb33e1bbf1f5416d73efb

Download Submit
memory/652-376-0x000000001B410000-0x000000001B4AC000-memory.dmp

Filesize
624KB

Download
memory/652-375-0x000000001B9E0000-0x000000001BEAE000-memory.dmp

Filesize
4.8MB

Download
memory/2188-565-0x00007FFBEF020000-0x00007FFBEF054000-memory.dmp

Filesize
208KB

Download
memory/2188-566-0x00007FFBDB7E0000-0x00007FFBDBA96000-memory.dmp

Filesize
2.7MB

Download
memory/2188-567-0x000001B0A4840000-0x000001B0A58F0000-memory.dmp

Filesize
16.7MB

Download
memory/2188-564-0x00007FF784210000-0x00007FF784308000-memory.dmp

Filesize
992KB

Download
memory/4756-3-0x0000000074A50000-0x0000000075201000-memory.dmp

Filesize
7.7MB

Download
memory/4756-547-0x0000000009680000-0x000000000968A000-memory.dmp

Filesize
40KB

Download
memory/4756-541-0x0000000001170000-0x0000000001206000-memory.dmp

Filesize
600KB

Download
memory/4756-542-0x00000000012E0000-0x0000000001306000-memory.dmp

Filesize
152KB

Download
memory/4756-543-0x00000000058E0000-0x00000000058E8000-memory.dmp

Filesize
32KB

Download
memory/4756-545-0x000000000A9F0000-0x000000000AA62000-memory.dmp

Filesize
456KB

Download
memory/4756-546-0x0000000005900000-0x000000000590A000-memory.dmp

Filesize
40KB

Download
memory/4756-52-0x0000000074A5E000-0x0000000074A5F000-memory.dmp

Filesize
4KB

Download
memory/4756-118-0x0000000074A50000-0x0000000075201000-memory.dmp

Filesize
7.7MB

Download
memory/4756-10-0x00000000097F0000-0x0000000009828000-memory.dmp

Filesize
224KB

Download
memory/4756-11-0x0000000006000000-0x000000000600E000-memory.dmp

Filesize
56KB

Download
memory/4756-0-0x0000000074A5E000-0x0000000074A5F000-memory.dmp

Filesize
4KB

Download
memory/4756-2-0x0000000074A50000-0x0000000075201000-memory.dmp

Filesize
7.7MB

Download
memory/4756-1-0x0000000000680000-0x00000000008CA000-memory.dmp

Filesize
2.3MB

Download