51bd245f8cb24c624674cd2bebcad4152d83273dab4d1ee7d982e74a0548890b

Analysis

max time kernel
196s
max time network
189s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 02:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RippleSpoofer.exe
Size

15.6MB
MD5

76ed914a265f60ff93751afe02cf35a4
SHA1

4f8ea583e5999faaec38be4c66ff4849fcf715c6
SHA256

51bd245f8cb24c624674cd2bebcad4152d83273dab4d1ee7d982e74a0548890b
SHA512

83135f8b040b68cafb896c4624bd66be1ae98857907b9817701d46952d4be9aaf7ad1ab3754995363bb5192fa2c669c26f526cafc6c487b061c2edcceebde6ac
SSDEEP

393216:QAiUmWQEnjaa4cqmAa4ICSSF1a0HPRV8gtFlSiZh5ZlZ:bhnGhMAXSmHXFA+

Score

9^/10

discovery evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	RippleSpoofer.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RippleSpoofer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RippleSpoofer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RippleSpoofer.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/1480-7-0x0000000000DE0000-0x0000000002A60000-memory.dmp	themida
behavioral1/memory/1480-8-0x0000000000DE0000-0x0000000002A60000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RippleSpoofer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
60	discord.com
63	discord.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1480	RippleSpoofer.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	RippleSpoofer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	RippleSpoofer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	RippleSpoofer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3227495264-2217614367-4027411560-1000\{75809EB7-1411-4909-8541-AEB8DDC25FB5}	RippleSpoofer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3227495264-2217614367-4027411560-1000\{6DAB8BC6-63F2-4538-B2CB-44FAFCCC61E0}	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2200	msedge.exe
2200	msedge.exe
4028	msedge.exe
4028	msedge.exe
904	identity_helper.exe
904	identity_helper.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
5228	msedge.exe
5228	msedge.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe
1480	RippleSpoofer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1480	RippleSpoofer.exe
Token: 33	3824	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3824	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 4028	1480	RippleSpoofer.exe	92
PID 1480 wrote to memory of 4028	1480	RippleSpoofer.exe	92
PID 4028 wrote to memory of 1064	4028	msedge.exe	93
PID 4028 wrote to memory of 1064	4028	msedge.exe	93
PID 4028 wrote to memory of 3228	4028	msedge.exe	94
PID 4028 wrote to memory of 3228	4028	msedge.exe	94
PID 4028 wrote to memory of 3228	4028	msedge.exe	94
PID 4028 wrote to memory of 3228	4028	msedge.exe	94
PID 4028 wrote to memory of 3228	4028	msedge.exe	94
PID 4028 wrote to memory of 3228	4028	msedge.exe	94
PID 4028 wrote to memory of 3228	4028	msedge.exe	94
PID 4028 wrote to memory of 3228	4028	msedge.exe	94
PID 4028 wrote to memory of 3228	4028	msedge.exe	94
PID 4028 wrote to memory of 3228	4028	msedge.exe	94
PID 4028 wrote to memory of 3228	4028	msedge.exe	94
PID 4028 wrote to memory of 3228	4028	msedge.exe	94
PID 4028 wrote to memory of 3228	4028	msedge.exe	94
PID 4028 wrote to memory of 3228	4028	msedge.exe	94
PID 4028 wrote to memory of 3228	4028	msedge.exe	94
PID 4028 wrote to memory of 3228	4028	msedge.exe	94
PID 4028 wrote to memory of 3228	4028	msedge.exe	94
PID 4028 wrote to memory of 3228	4028	msedge.exe	94
PID 4028 wrote to memory of 3228	4028	msedge.exe	94
PID 4028 wrote to memory of 3228	4028	msedge.exe	94
PID 4028 wrote to memory of 3228	4028	msedge.exe	94
PID 4028 wrote to memory of 3228	4028	msedge.exe	94
PID 4028 wrote to memory of 3228	4028	msedge.exe	94
PID 4028 wrote to memory of 3228	4028	msedge.exe	94
PID 4028 wrote to memory of 3228	4028	msedge.exe	94
PID 4028 wrote to memory of 3228	4028	msedge.exe	94
PID 4028 wrote to memory of 3228	4028	msedge.exe	94
PID 4028 wrote to memory of 3228	4028	msedge.exe	94
PID 4028 wrote to memory of 3228	4028	msedge.exe	94
PID 4028 wrote to memory of 3228	4028	msedge.exe	94
PID 4028 wrote to memory of 3228	4028	msedge.exe	94
PID 4028 wrote to memory of 3228	4028	msedge.exe	94
PID 4028 wrote to memory of 3228	4028	msedge.exe	94
PID 4028 wrote to memory of 3228	4028	msedge.exe	94
PID 4028 wrote to memory of 3228	4028	msedge.exe	94
PID 4028 wrote to memory of 3228	4028	msedge.exe	94
PID 4028 wrote to memory of 3228	4028	msedge.exe	94
PID 4028 wrote to memory of 3228	4028	msedge.exe	94
PID 4028 wrote to memory of 3228	4028	msedge.exe	94
PID 4028 wrote to memory of 3228	4028	msedge.exe	94
PID 4028 wrote to memory of 2200	4028	msedge.exe	95
PID 4028 wrote to memory of 2200	4028	msedge.exe	95
PID 4028 wrote to memory of 856	4028	msedge.exe	96
PID 4028 wrote to memory of 856	4028	msedge.exe	96
PID 4028 wrote to memory of 856	4028	msedge.exe	96
PID 4028 wrote to memory of 856	4028	msedge.exe	96
PID 4028 wrote to memory of 856	4028	msedge.exe	96
PID 4028 wrote to memory of 856	4028	msedge.exe	96
PID 4028 wrote to memory of 856	4028	msedge.exe	96
PID 4028 wrote to memory of 856	4028	msedge.exe	96
PID 4028 wrote to memory of 856	4028	msedge.exe	96
PID 4028 wrote to memory of 856	4028	msedge.exe	96
PID 4028 wrote to memory of 856	4028	msedge.exe	96
PID 4028 wrote to memory of 856	4028	msedge.exe	96
PID 4028 wrote to memory of 856	4028	msedge.exe	96
PID 4028 wrote to memory of 856	4028	msedge.exe	96
PID 4028 wrote to memory of 856	4028	msedge.exe	96
PID 4028 wrote to memory of 856	4028	msedge.exe	96
PID 4028 wrote to memory of 856	4028	msedge.exe	96
PID 4028 wrote to memory of 856	4028	msedge.exe	96

C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe
"C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://justpaste.it/9fxdx
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4028
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdb67d46f8,0x7ffdb67d4708,0x7ffdb67d4718
    3⤵
    PID:1064
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
    3⤵
    PID:3228
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2200
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
    3⤵
    PID:856
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
    3⤵
    PID:3204
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
    3⤵
    PID:2108
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
    3⤵
    PID:3504
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:904
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
    3⤵
    PID:2296
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
    3⤵
    PID:4480
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
    3⤵
    PID:2520
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
    3⤵
    PID:2160
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
    3⤵
    PID:704
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
    3⤵
    PID:5052
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5560 /prefetch:8
    3⤵
    PID:5220
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6152 /prefetch:8
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:5228
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:1
    3⤵
    PID:5396
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5256 /prefetch:8
    3⤵
    PID:5848
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
    3⤵
    PID:5328
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
    3⤵
    PID:1076
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6444 /prefetch:1
    3⤵
    PID:3500
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
    3⤵
    PID:6112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1492 /prefetch:1
    3⤵
    PID:5588
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6628 /prefetch:2
    3⤵
    PID:5916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/Qt5NMSgdzU
  2⤵
  PID:2312
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdb67d46f8,0x7ffdb67d4708,0x7ffdb67d4718
    3⤵
    PID:4928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TempAppFiles\cleaner.bat" "
  2⤵
  PID:1560
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3460
- - C:\Windows\system32\mode.com
    mode con: cols=70 lines=18
    3⤵
    PID:3308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://justpaste.it/9fxdx
  2⤵
  PID:5040
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdb67d46f8,0x7ffdb67d4708,0x7ffdb67d4718
    3⤵
    PID:5320

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3d8 0x2b4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3824

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4496

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021

Filesize
827KB

MD5
fe192be72a7f010f687779df8e76fc02

SHA1
880d592c372207f7c575e96498494026cb9f49a5

SHA256
d0c8a0b0e0b4ccc02aa259eb93d4078ca2002a4b1dc1ee28222f609e6638adb8

SHA512
dbf33c9d94b8c8155fa089eec9d3e589fd54be16a7343f8c1bc9e777c4002ab9751a8c1e90ffac67418e94fa423691f3963b8f743df221acbb5319cc2644830e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000023

Filesize
1024KB

MD5
26b9ea94b02bdc57ae7b3cd8151b6f29

SHA1
34b21217c43084e3a16a9dab23bdb935150891b1

SHA256
cd88d8151802ee864080bfa768a6f58bce5b654846efb89fc9d3f1a10acab22a

SHA512
c2c7f4268a023db891cc0c6313085995b340347079a926fac2c4474ef40aa4fc128760078215ceae1d6df9b59bb77891910712fb1b0e48b7240fc88e85f52842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
696B

MD5
5d40717635ff5caa866d98ab3d4cbade

SHA1
3d8ebc391a1249975f019567b3fa173d4bcd4429

SHA256
b6a70b2139f14c471d7839971acd005a7a976f99aed4a2f2dcb785023f0a76fb

SHA512
406d08957136db6269859ea06d6fa49b5d1535b36096881b24446d7c0bc258ed6eceddb624f1fd58452045af4f9d2c9523a3c29f43faf348771a0c072ed0e84f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
a026022a1eb610b9e54ea896aaad1755

SHA1
700f99ae74526a23236062e75bda3af0e5880911

SHA256
c35d43b124a667e4d0c19695b00e25dd17c3ddeaea145e560190fbdcfddcb2c8

SHA512
1c2c15e08c9d0954fbb370e30717dc3f472e5be3d10c0f35b6d9ac8e9c9e3155695226332de2b128a68b4c004eba84994447368a8f9daba5d8e905567ee1b052

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
682B

MD5
a275d3b7f842ab5b89b7475a45aac370

SHA1
c47d34ba31fc4ea59d3d84e87aa4864e571dbe39

SHA256
3e677dcd7a54d6611d9b4a4a59342b9c34eba4a21f1a5a5434153fdd762c059e

SHA512
20e70554bcbdb2a9386e8702cfb6d67ecfea4f196efb4f681b9baeb3d79f929c2f3358a83600929abd27537fc4a682f2b214c795b1f8a4e810d82e6bdbe002e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
af62db1f7d850a806a055986b1c35c41

SHA1
fa5030ab4f575ac816adf9e929f1863716d2604d

SHA256
b34d600ad80cb5abe41b9566dd9a3123635dbc35b870107ee02914c7c48bd592

SHA512
abf770f262d629ee223b9da134bc888f303d76b652debb18f0338b5434291c7f1e7209972734a031324dc8e57228a7d5d79adef2240f5cd76576052cd1cc0dba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f51895773e83275d41ed2d6d993fb623

SHA1
c7cee0a33d5e16cc588efe9b2061666f69ea1b7f

SHA256
798ca7552cff8ca7c5250f6960a5554f90ede01bfc371478bbc18044a3ed5cbd

SHA512
f7e7a9e53a01e7efae27101cb211e0939e817af2e426a98e4edbca89f26b36f1169fbb2a0c615ca003b60e9a56292a55fdf09216f5b9cc20441eb74a068d5345

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
15d8e69db128404a0f21fd6f50d4c474

SHA1
dff351e9dbd6222c26a258939d6d1085b5e56b7c

SHA256
f1dfc410db9ff45667a27eb870b1346d858f58fa54ffc9ab06569dcb26efa205

SHA512
4190949ae8d86790d871e85c7119159d8151961f371388fd0625e25dffac8965b8a3f7495ec9ca3254ba3ab748550e55c652d4966010d9f6d40ce9f175535ca6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
1b0a8f7ee3700f574331e103ffd12bda

SHA1
ae1818d748336819bf08249baa6a22d385b1fbb1

SHA256
8bfc3fd2e8d6aefd3711e6087360624613bdf2ad007f0971556695fdeff647b3

SHA512
ee6fe625b3eb08f2e494d11f8f2f6758b7067bf2c7a9b9aa386e8ef71765f3364ea8417129e32fa9528f4fe08bc6b5b252e52b8bb645da5b8c2dba2fb049fc58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ca8e3cfc5d52a9a1412718addce860aa

SHA1
8ea69b356cfb9612fbadc9d44ffdc8333df8acca

SHA256
b617a29c819f6f5ceba2e04d842901d1f779bb0bc9cbb422c13d884ee0416242

SHA512
ebe6f8ef30bf1c06037c723a4f1f2ca6667ae1eae8b07e15695d5fd2592833c8207e7fe3f5a221dde31f43653c4c33198da8a1f78c3e1c2cf9e70c7db6cf684b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bbcf2e68c41c5ea17630903542f4f8d3

SHA1
d0b1ad10cfaa179d7da89d46173ba4d8bd2042ad

SHA256
26bcc98fb844ff0645ba9e53b2ea052d6c749f075413ecf0cdfc06510ae08d35

SHA512
20ea9102c240e34b9b7b29e99c16e7e3e7950ccdb47a038be0ceca74fc8d271dad841f592222c8cd73f8abafb88015d4608b21e5003175b94e7f6196a2be2ff6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b262863f0acbff4e8406337d316c667f

SHA1
de066ad17b1f6c89e1fa1febc20cf60f01260b3d

SHA256
68062b31b8f55d9e2e96015ca9731dd4da5775f01e45e5d878d29c63f189ceb5

SHA512
965bcf6c7eab64caea464f9c7d303a0082c887109df1b2276b0be2f0ca6dc111e93d527bf725da7093433a6ce2ac3fb58e0d526dcd6b690e60fa58550878596c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
700B

MD5
4f3275cb72e545fa35b6d92deac1e9ba

SHA1
fcba88fdb15c7ea92e143ae8c7e92da763c5be62

SHA256
5823faed6da96055d3466d3b8bc1c7e726e7e9e7e8fde6f273e187659621fd04

SHA512
07d8fe3b451a8fa3d68649e8eb552da5ca1f3db39449136e3e68393349dd8e323ad288d9cf2cb3b4fe0d02c5de8b14cbe03bc704086b3d2c20d06b94d23392a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
704B

MD5
434bb4a5735a87db50a36b6d14844ef7

SHA1
0676b0b0264c75acb5a1911d0a3037e65505d921

SHA256
1f5e1e15fc553b434f516182a476d59a3f61c36056e6c5ddec8874559db47a01

SHA512
869f75dde0224d1d74ef99a3509d7ab9e96f55453641a6195705af7ab380031e09158b7ce99c63a1bfab5b960a191514e073e9aa38293887edeea4f75b35e1b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
db0d0cbdc5d789f0d0841f7c44733eee

SHA1
e60184b856bb840e5aef8d2a50299d45f6856828

SHA256
23f4daee07aadcf12da3c6cc6f4d571397d08b3121a624f94aa940ed457a0150

SHA512
3ea1ae5271cf05d06a01f332b0f9463cab9589c4e7291524cd7be96e0bcdfbf8f6944f23125d46fe39e5e233e2f2bf33e061622fb83783cbbc402ac58c9648a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe584ce3.TMP

Filesize
370B

MD5
0e63cb8e50755be72ad301069a021478

SHA1
d0924bf2c7c3566fd24a4c5b6281d302c198e433

SHA256
bfcb0220c355dc0c251257383c95a8d6bf15223bbacd10460a8a3c08e4e8e10b

SHA512
1c0eaaf5821fd448968ec06cf6ddc034b00272979e99f8ecf0ac49de70e91ae546eccafb562ac486aacf80289ec007896b04a5cafc5f5f9ff0bd59a235402aab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2355202485d7db90fcfec87775a3881d

SHA1
a6df1fdce608fe5cb6df5dde70ac95197861c557

SHA256
04faee146680fd239fa18e4e149ae523e86203ea11a265ae47af9267ffc7b73e

SHA512
80a45655dade0c84f2eba0fa7c5e2c20ce428d24d36fa22aa88a65ff3ab640a709c1da5fe4b2c2fc1b15c1a2434f10b18001b982802fbb15a7e6daf1dae938e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\cleaner.bat

Filesize
8.0MB

MD5
5264f00456cbe53023be7b5e80963fa7

SHA1
bfba30d1b1cd84f9d15a6a8b18d22d9e318df512

SHA256
feda308f941e53aef81effefd1249ab4d75a698fa4ae16bf4b148f87d6c27e9c

SHA512
14e369da936d049b3f2c1cd4249508061024bdba2c0c7c840e12a6edf4f5d58d8d510a401240b24ccddce5baab74903c8cc2ff71841c7d716b821a8d30c0e442

Download Submit
memory/1480-15-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

Filesize
2.0MB

Download
memory/1480-16-0x0000020B6F8A0000-0x0000020B6F8C2000-memory.dmp

Filesize
136KB

Download
memory/1480-32-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

Filesize
2.0MB

Download
memory/1480-33-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

Filesize
2.0MB

Download
memory/1480-28-0x0000020B707E0000-0x0000020B70812000-memory.dmp

Filesize
200KB

Download
memory/1480-25-0x0000020B707A0000-0x0000020B707A8000-memory.dmp

Filesize
32KB

Download
memory/1480-26-0x0000020B707B0000-0x0000020B707C4000-memory.dmp

Filesize
80KB

Download
memory/1480-24-0x0000020B707C0000-0x0000020B707DA000-memory.dmp

Filesize
104KB

Download
memory/1480-23-0x0000020B70770000-0x0000020B707A4000-memory.dmp

Filesize
208KB

Download
memory/1480-22-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

Filesize
2.0MB

Download
memory/1480-21-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

Filesize
2.0MB

Download
memory/1480-18-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

Filesize
2.0MB

Download
memory/1480-17-0x0000020B6F930000-0x0000020B6FB44000-memory.dmp

Filesize
2.1MB

Download
memory/1480-30-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

Filesize
2.0MB

Download
memory/1480-0-0x0000000000DE0000-0x0000000002A60000-memory.dmp

Filesize
28.5MB

Download
memory/1480-13-0x0000020B6F600000-0x0000020B6F6B2000-memory.dmp

Filesize
712KB

Download
memory/1480-12-0x0000000000DE0000-0x0000000002A60000-memory.dmp

Filesize
28.5MB

Download
memory/1480-11-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

Filesize
2.0MB

Download
memory/1480-10-0x0000020B6BF20000-0x0000020B6BF21000-memory.dmp

Filesize
4KB

Download
memory/1480-8-0x0000000000DE0000-0x0000000002A60000-memory.dmp

Filesize
28.5MB

Download
memory/1480-7-0x0000000000DE0000-0x0000000002A60000-memory.dmp

Filesize
28.5MB

Download
memory/1480-6-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

Filesize
2.0MB

Download
memory/1480-1-0x00007FFD80000000-0x00007FFD80002000-memory.dmp

Filesize
8KB

Download
memory/1480-2-0x00007FFD80030000-0x00007FFD80031000-memory.dmp

Filesize
4KB

Download
memory/1480-4-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

Filesize
2.0MB

Download
memory/1480-3-0x00007FFDDD3D0000-0x00007FFDDD3D2000-memory.dmp

Filesize
8KB

Download