rhadamanthys | hxxps://www[.]mediafire[.]com/folder/sesv8b1rj36pe/tst

Analysis

max time kernel
112s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
30-01-2025 17:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/folder/sesv8b1rj36pe/tst

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Signatures

Detects Rhadamanthys payload 1 IoCs

resource	yara_rule
behavioral1/memory/3740-250-0x00000000026C0000-0x0000000002737000-memory.dmp	Rhadamanthys_v8

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3740 created 2524	3740	NewV2.exe	42

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NewV2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4328	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
5056	msedge.exe
5056	msedge.exe
1072	msedge.exe
1072	msedge.exe
1280	identity_helper.exe
1280	identity_helper.exe
216	msedge.exe
216	msedge.exe
3740	NewV2.exe
3740	NewV2.exe
3740	NewV2.exe
3740	NewV2.exe
3740	NewV2.exe
3740	NewV2.exe
3728	svchost.exe
3728	svchost.exe
3728	svchost.exe
3728	svchost.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3688	firefox.exe
Token: SeDebugPrivilege	3688	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
3688	firefox.exe
3688	firefox.exe
3688	firefox.exe
3688	firefox.exe
3688	firefox.exe
3688	firefox.exe
3688	firefox.exe
3688	firefox.exe
3688	firefox.exe
3688	firefox.exe
3688	firefox.exe
3688	firefox.exe
3688	firefox.exe
3688	firefox.exe
3688	firefox.exe
3688	firefox.exe
3688	firefox.exe
3688	firefox.exe
3688	firefox.exe
3688	firefox.exe

Suspicious use of SetWindowsHookEx 39 IoCs

pid	Process
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
3348	OpenWith.exe
3348	OpenWith.exe
3348	OpenWith.exe
3348	OpenWith.exe
3348	OpenWith.exe
3348	OpenWith.exe
3348	OpenWith.exe
3348	OpenWith.exe
3348	OpenWith.exe
3348	OpenWith.exe
3348	OpenWith.exe
3688	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 1444	1072	msedge.exe	84
PID 1072 wrote to memory of 1444	1072	msedge.exe	84
PID 1072 wrote to memory of 1936	1072	msedge.exe	86
PID 1072 wrote to memory of 1936	1072	msedge.exe	86
PID 1072 wrote to memory of 1936	1072	msedge.exe	86
PID 1072 wrote to memory of 1936	1072	msedge.exe	86
PID 1072 wrote to memory of 1936	1072	msedge.exe	86
PID 1072 wrote to memory of 1936	1072	msedge.exe	86
PID 1072 wrote to memory of 1936	1072	msedge.exe	86
PID 1072 wrote to memory of 1936	1072	msedge.exe	86
PID 1072 wrote to memory of 1936	1072	msedge.exe	86
PID 1072 wrote to memory of 1936	1072	msedge.exe	86
PID 1072 wrote to memory of 1936	1072	msedge.exe	86
PID 1072 wrote to memory of 1936	1072	msedge.exe	86
PID 1072 wrote to memory of 1936	1072	msedge.exe	86
PID 1072 wrote to memory of 1936	1072	msedge.exe	86
PID 1072 wrote to memory of 1936	1072	msedge.exe	86
PID 1072 wrote to memory of 1936	1072	msedge.exe	86
PID 1072 wrote to memory of 1936	1072	msedge.exe	86
PID 1072 wrote to memory of 1936	1072	msedge.exe	86
PID 1072 wrote to memory of 1936	1072	msedge.exe	86
PID 1072 wrote to memory of 1936	1072	msedge.exe	86
PID 1072 wrote to memory of 1936	1072	msedge.exe	86
PID 1072 wrote to memory of 1936	1072	msedge.exe	86
PID 1072 wrote to memory of 1936	1072	msedge.exe	86
PID 1072 wrote to memory of 1936	1072	msedge.exe	86
PID 1072 wrote to memory of 1936	1072	msedge.exe	86
PID 1072 wrote to memory of 1936	1072	msedge.exe	86
PID 1072 wrote to memory of 1936	1072	msedge.exe	86
PID 1072 wrote to memory of 1936	1072	msedge.exe	86
PID 1072 wrote to memory of 1936	1072	msedge.exe	86
PID 1072 wrote to memory of 1936	1072	msedge.exe	86
PID 1072 wrote to memory of 1936	1072	msedge.exe	86
PID 1072 wrote to memory of 1936	1072	msedge.exe	86
PID 1072 wrote to memory of 1936	1072	msedge.exe	86
PID 1072 wrote to memory of 1936	1072	msedge.exe	86
PID 1072 wrote to memory of 1936	1072	msedge.exe	86
PID 1072 wrote to memory of 1936	1072	msedge.exe	86
PID 1072 wrote to memory of 1936	1072	msedge.exe	86
PID 1072 wrote to memory of 1936	1072	msedge.exe	86
PID 1072 wrote to memory of 1936	1072	msedge.exe	86
PID 1072 wrote to memory of 1936	1072	msedge.exe	86
PID 1072 wrote to memory of 5056	1072	msedge.exe	87
PID 1072 wrote to memory of 5056	1072	msedge.exe	87
PID 1072 wrote to memory of 1056	1072	msedge.exe	88
PID 1072 wrote to memory of 1056	1072	msedge.exe	88
PID 1072 wrote to memory of 1056	1072	msedge.exe	88
PID 1072 wrote to memory of 1056	1072	msedge.exe	88
PID 1072 wrote to memory of 1056	1072	msedge.exe	88
PID 1072 wrote to memory of 1056	1072	msedge.exe	88
PID 1072 wrote to memory of 1056	1072	msedge.exe	88
PID 1072 wrote to memory of 1056	1072	msedge.exe	88
PID 1072 wrote to memory of 1056	1072	msedge.exe	88
PID 1072 wrote to memory of 1056	1072	msedge.exe	88
PID 1072 wrote to memory of 1056	1072	msedge.exe	88
PID 1072 wrote to memory of 1056	1072	msedge.exe	88
PID 1072 wrote to memory of 1056	1072	msedge.exe	88
PID 1072 wrote to memory of 1056	1072	msedge.exe	88
PID 1072 wrote to memory of 1056	1072	msedge.exe	88
PID 1072 wrote to memory of 1056	1072	msedge.exe	88
PID 1072 wrote to memory of 1056	1072	msedge.exe	88
PID 1072 wrote to memory of 1056	1072	msedge.exe	88
PID 1072 wrote to memory of 1056	1072	msedge.exe	88
PID 1072 wrote to memory of 1056	1072	msedge.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2524
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.mediafire.com/folder/sesv8b1rj36pe/tst
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd379346f8,0x7ffd37934708,0x7ffd37934718
  2⤵
  PID:1444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2224,5698878605284105898,10529362556128063190,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2232 /prefetch:2
  2⤵
  PID:1936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2224,5698878605284105898,10529362556128063190,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2628 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2224,5698878605284105898,10529362556128063190,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
  2⤵
  PID:1056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,5698878605284105898,10529362556128063190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:4316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,5698878605284105898,10529362556128063190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:4060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,5698878605284105898,10529362556128063190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
  2⤵
  PID:656
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,5698878605284105898,10529362556128063190,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5688 /prefetch:8
  2⤵
  PID:4120
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,5698878605284105898,10529362556128063190,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5688 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,5698878605284105898,10529362556128063190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,5698878605284105898,10529362556128063190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2224,5698878605284105898,10529362556128063190,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6128 /prefetch:8
  2⤵
  PID:1212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,5698878605284105898,10529362556128063190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
  2⤵
  PID:4560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,5698878605284105898,10529362556128063190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
  2⤵
  PID:3308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,5698878605284105898,10529362556128063190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:1
  2⤵
  PID:1308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,5698878605284105898,10529362556128063190,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6276 /prefetch:1
  2⤵
  PID:4328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,5698878605284105898,10529362556128063190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:4100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,5698878605284105898,10529362556128063190,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6508 /prefetch:1
  2⤵
  PID:3196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2224,5698878605284105898,10529362556128063190,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4680 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:216

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4252

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:820

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2220

C:\Users\Admin\Desktop\Release\NewV2.exe
"C:\Users\Admin\Desktop\Release\NewV2.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3740

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Release\scripts\config.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4328

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2268
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Release\scripts\local
  2⤵
  PID:2568

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3348
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Desktop\Release\scripts\uwp"
  2⤵
  PID:4416
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Desktop\Release\scripts\uwp
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:3688
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1876 -prefsLen 27188 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a779efc-3852-40cd-98fc-e9bdda985544} 3688 "\\.\pipe\gecko-crash-server-pipe.3688" gpu
      4⤵
      PID:3900
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 28108 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {343b1f85-c7a8-4da9-8e9a-a37cb6cf9701} 3688 "\\.\pipe\gecko-crash-server-pipe.3688" socket
      4⤵
      Checks processor information in registry
      PID:1660
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3324 -childID 1 -isForBrowser -prefsHandle 3316 -prefMapHandle 3312 -prefsLen 28249 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b47d2a7a-5cbb-4648-aaa7-3038db4e49e2} 3688 "\\.\pipe\gecko-crash-server-pipe.3688" tab
      4⤵
      PID:2280
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3620 -childID 2 -isForBrowser -prefsHandle 3640 -prefMapHandle 2832 -prefsLen 32598 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a62b4b7e-e0fd-47f2-a9cd-2bd9c838bfaa} 3688 "\\.\pipe\gecko-crash-server-pipe.3688" tab
      4⤵
      PID:376
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5008 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5000 -prefMapHandle 4996 -prefsLen 32598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8734ec43-8a81-460e-b856-f3912b1da0f9} 3688 "\\.\pipe\gecko-crash-server-pipe.3688" utility
      4⤵
      Checks processor information in registry
      PID:5708
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5268 -childID 3 -isForBrowser -prefsHandle 5312 -prefMapHandle 5308 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a51e0ab6-a143-431d-9e09-7edb7db35d1f} 3688 "\\.\pipe\gecko-crash-server-pipe.3688" tab
      4⤵
      PID:5368
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5444 -childID 4 -isForBrowser -prefsHandle 5452 -prefMapHandle 5456 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {36c5ee78-2e15-4ace-91fa-aecdc4f15ae1} 3688 "\\.\pipe\gecko-crash-server-pipe.3688" tab
      4⤵
      PID:5736
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5664 -childID 5 -isForBrowser -prefsHandle 5740 -prefMapHandle 5736 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {700e2c10-8c48-46f8-843c-495f4160cfa0} 3688 "\\.\pipe\gecko-crash-server-pipe.3688" tab
      4⤵
      PID:5724

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Release\workspace\.tests\writefile.txt
1⤵
PID:5796

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Release\workspace\.tests\getcustomasset.txt
1⤵
PID:5684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a7b5a5433fe76697fec05973806a648c

SHA1
786027abe836d4d8ff674c463e5bb02c4a957b70

SHA256
c8d623536ebdf5ffbefb84013d1c8ff5f853b59f1b09c80364c32b8ed5e4a735

SHA512
27be4c82e26468bbb9ce698ef305320f6cac46c953f88c714a0372fa524d098b9af2a87a88b14a134ff0f5f4b3d671902908622d2c7ec48e2c7bc458d7f5cc16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8ea156392347ae1e43bf6f4c7b7bc6ec

SHA1
7e1230dd6103043d1c5d9984384f93dab02500a6

SHA256
40b28bf59b3e2026ad3ebe2fecf464a03d7094fd9b26292477ad264d4efc1c75

SHA512
2479b86a9a31aa2f260ff6a1c963691994242ced728a27ffa2ee4e224945446a191bdb49ce399ec5a7d5d362499716133072e97d4253b5b4f09582d58b25144f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
696B

MD5
b38c3b5f250493b262c7bcda3a075490

SHA1
6f2de58956bb458fcb9dffbdebd98d2801adf431

SHA256
a94699f059b45b1c3a6cecea0e65c607d7be03775e712a479065a2acb4377096

SHA512
1ae8a705f873da8febf4c4d17e3cda24d05bf4065b284f960ca7dfa097671c61ae3f5d753e1687ecd0e40ecff98ac493663ab126892398dd7802de6e7d38c570

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
5d1260db7283d74edd1d73519a75c2ac

SHA1
fca2cf3f482916c6a8b68db3cf05afbf36d08deb

SHA256
3e0699cb2dc55f4d38d191a4796e13ec4e4ee1cb6a3a9d94061fc542edf2f567

SHA512
85dabc035617d255d6c75a2b5b2f9b24943992afb9842224f10ef815cd419a765ebdbf0485cce86fca50d299b17d35919eb16a927d8dec8d698ba696a52399b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b706c77472a755d5c9f449015fbc0db7

SHA1
069e2095a071da9fbe99659bfd4eb48d35f34a23

SHA256
6c1ac1dcea7679ae5e2d887ca4e6f2a430fea43663285a6ab06cc8daa2b5faa5

SHA512
78ed452074cf8c740d9df13a4cae8fb9e1d5dcfa809c01733349524c3e86e57bd3d61138a596a99c529bf79aca8804b782e15725ba9a8e01ed35b92f4e49a4df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
d369042e9c380c5ae67b3a5c53d390f9

SHA1
9c95bc8473a892afe79114cce5733b9b213a46b0

SHA256
3c51877af5e0e2a37d0ff41ec4ee8beb5d3a64d681818dc9075001eae37805dd

SHA512
e6bc458c1d0aa09c807f5b51eaa21a905ad877f3c7131776d6aeb1ae6b892086e7d21f2c1c51b0b7b8e2bad8adf71a104335afbc2b1c50a287bcc69d5449296b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
3345a58547edfb1279068b9891f3f01f

SHA1
fb2344216c02a3f03dea5439dd988b77a1f0d1eb

SHA256
706a80a29aa7608aaf9564eca3957b0d9ae1c801b205360b304c948a66954fa0

SHA512
4c7ec3b9fea95190a55fb2e02cd9cee4b582683f0606a2f2074b33977e71429bac2bbef4c3b01b87b851931dd52bd847b5e4003e8ac7b1ef67467305204cf3c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
b8078a3a13d5fe3d777f3763d47428bf

SHA1
e0f8fb49f7d30fb82277a36769020e8b09cdb1be

SHA256
a87f0b984439049131ded99a9d3a5f0a19a9f42d51d64add4a88db3c75ec3d67

SHA512
e583f3145ea2cac1630a0786da08c5108e5657593673ade66c0751f0aea64aaa304522767fb02012b0676c26c3fb2f1cb3a9b3324b134bca674e94daf077d04a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4fedc93c3f2c77a584ea3ca1476494e6

SHA1
50b6b0fd0712243345765c31fb1615fb17ab5354

SHA256
df57256c7a4be7d7d6bed8af9d637e5d3bc7d16d69a7047fa42573f92ed85816

SHA512
18e0a05898e384c94d11988cd72a0e3631cf337943ee83fd69ad44d1034c47c18f529a0b30c554b5808a832849631e15b64516ca671b47b1ec391f6a40962ccb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7fe5b9a2e043624a0cfe59488562425f

SHA1
39f7a19522e04c520be663f0351d86a691f3a088

SHA256
dad3c40faab76b1e208444e4707199c3871f897e5da674287e7e630209ff54e8

SHA512
b02dd0a370cca1ddf654d0ba589f6e2566397d40b84c9ba6136f230b55dc7a2593efb6458aba4b09fc00cdb171529cefe3c98723cb5c56aec1fce8c32c65f340

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
57e3338e2bfbff704fd3692844e37ccf

SHA1
9385934de160f52617029d5351854a777e614651

SHA256
d4328509cd410e751ff48eb68876043854f78c813ebf8d330ae1501d67e2932e

SHA512
3d4503166d6195b6e35dac7bafda2b794e3017ab8e7d2f075ffbfcd0151e66cba257aa6c97cbbadeeb80c4186037c42d3123de19783a70aa19ebb7d552008174

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3jxltzi2.default-release\activity-stream.discovery_stream.json

Filesize
21KB

MD5
070137e8145d6a93a4656cca39d6064e

SHA1
6ee4ef355287fc798b51ef80cea2dd63f46129a4

SHA256
6d5b306e6b9566638c3daa9a1a7c616b09d0365f784c36024382cc8a1bcca29e

SHA512
1d22cd0a847d18de69e0d1195c57699bf47a8e4e797796f70b0756cd0cc3b48f4bb931545d36e18037566a73fd92a23b30986284b640bbcefc8b01b94059ef89

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3jxltzi2.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
c119849aa0618185ed3831cf3899d8e3

SHA1
ee170f49e0262c8dcfae0b14d9e426a79f72b7a3

SHA256
330b4248dc75551a3b702a0d57dc121501c54948e0e22e5b00fcf54f8c4672f3

SHA512
fe132dbb946e894c989b3f0cb32bce3719d38f6b3e15e169961400f3aef82b64706b3a2c27608d05c521f4afa07585950befb9ff284fdd4f0af6d0c243df2e30

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3jxltzi2.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
ad1b945a93737065e5b1bbe8b981c3c5

SHA1
2a6bcea097b581921e49631a352f48f15700fb13

SHA256
050d7a6edbb642c09a1b4c6343e0c889e3c6574fe7976a523a8f23e5f1ada38e

SHA512
0f87f770bd76de1cea462c6906745ced010c6a272fa2f0f13e6d7d3bf60aec52f661b274dce3c81b4918114e8b40148fa959e471fb35f2823f1496aa50caa55b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3jxltzi2.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
47cc4dbd2acd37eea0a908ed9b536ef1

SHA1
2a0551562afc6c4aa9d53795b2827042560e5499

SHA256
2b9ed743ea7b6b87cad0c550c5e4f2d10f9f50e93cafc53a0f7ad42eb8446ab6

SHA512
d2e9e50fba30402742844410952b223b72ed520cbdbb9fcbe228cf8805135221f35e06549629ad4cf939602401a81b17188ec8e93267f8062854b82f70541e21

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3jxltzi2.default-release\datareporting\glean\pending_pings\02f6a59e-fc0b-43e0-81bb-a964a6acd0a5

Filesize
671B

MD5
96697625c867bbae9b04d420e8011846

SHA1
50ca9e9c32d15559a79605426319e511d7714353

SHA256
806b899bb4f2c9a69999d250b884c915c8ed57846903358a20968951c3f8e92e

SHA512
f532f42d3f4eb9ce3a137580c7d8cede5f652c30f144f64b7d90ae0b0c6b77d082ea895e5bd1359e6ba9bdaa0d49466ff3916fd9e321e7c226e2066f98851b01

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3jxltzi2.default-release\datareporting\glean\pending_pings\44b58e50-6041-49f6-9164-3c9d8b1e47ca

Filesize
982B

MD5
564ee4cec36e318317b1b7f258b2d065

SHA1
5f488ec012cf1669c8fd1f88e8762a05cccb1012

SHA256
a6a7a3989ff3bcabb2481b1db52d24d6b5c01a6afc1d7911e0853a90ad2bcb88

SHA512
3eaf2da1786aefde80e2c8c60371b0e8ddb225b302a5f1fdb5f8bbceca2ed76ce4b23c635fb6db7aadc71bfd61525a6e20be89933c2892c82bdf81095b02b6e5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3jxltzi2.default-release\datareporting\glean\pending_pings\d57b1b11-154d-47ac-96e8-a9132c08aed0

Filesize
28KB

MD5
1c96bb0adadf9a2f34afeab4d70bc204

SHA1
ef34b11dffe4014036b20f68c0e6b42bee961d63

SHA256
fad666207e592d2dcbdbaa6371c5a1c31546d2fb3748b91e04d369e12a3b1719

SHA512
453913ffee8e3c5f3d8135714fe5b47147e9e1a13057e1bff5a5b40233b3cb6109e8ec7e1a41370216cf4e8a4a7319d56b116686b55873c41004631d748d599b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3jxltzi2.default-release\prefs-1.js

Filesize
9KB

MD5
c017c82fd223d2cdec0020b361de7401

SHA1
4a56fb287c551bb3cff96238fa4f2c334c64c7ec

SHA256
1f69df9a56aaefa97e2162b58aa8599e861970d37dca2eff4844ae62475b5f53

SHA512
cffdb0b9447c9cd40bed7bbe8282d2c6eedf2c19669ba2d279eaee6b87935a1775dd600c89889add6f0ce9d4fdb23090303e64ff95ae0874e1b189139d8350a4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3jxltzi2.default-release\prefs.js

Filesize
9KB

MD5
e7377b5a4af26bd3628d282793262841

SHA1
32ee22e018ac237da3df550ceffbed76707889f7

SHA256
906e09382de7c266b406eaf42aafa48cd155279a08ea6104c8da8061c68d1bad

SHA512
e213db1974c3cb7bcecb3222bf01a3863c6ba128d06272c06a5a5cb80595bfcf469866a55514f91231466c8ed3cb2e8013b1fee52e4aca533c8608586cf01c07

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3jxltzi2.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
e6c20f53d6714067f2b49d0e9ba8030e

SHA1
f516dc1084cdd8302b3e7f7167b905e603b6f04f

SHA256
50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092

SHA512
462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

Download Submit
C:\Users\Admin\Downloads\[2.0.0]-Aрр-UNC-.zip

Filesize
25.9MB

MD5
97c48d5d99aec0300188443af36dc3db

SHA1
000e57831b9ace9388b24cdf907bc57019c756c9

SHA256
6f2327b7ce51606c50f7ebd2eed4c58324463ce4967fb86de2fad14c406ba508

SHA512
f426185777e8aa4fbf1a85b05e3c1772ee2b5ac504fedc3f0a484269aed098268a7a69ee40baec07be247382dc655c0c2ea23d4e23a2fce438ffbd81e0202c3f

Download Submit
memory/3728-286-0x0000000076FB0000-0x00000000771C5000-memory.dmp

Filesize
2.1MB

Download
memory/3728-284-0x00007FFD55110000-0x00007FFD55305000-memory.dmp

Filesize
2.0MB

Download
memory/3728-283-0x0000000001200000-0x0000000001600000-memory.dmp

Filesize
4.0MB

Download
memory/3728-280-0x0000000000C10000-0x0000000000C1A000-memory.dmp

Filesize
40KB

Download
memory/3740-250-0x00000000026C0000-0x0000000002737000-memory.dmp

Filesize
476KB

Download
memory/3740-282-0x0000000000400000-0x000000000073E000-memory.dmp

Filesize
3.2MB

Download
memory/3740-279-0x0000000076FB0000-0x00000000771C5000-memory.dmp

Filesize
2.1MB

Download
memory/3740-277-0x00007FFD55110000-0x00007FFD55305000-memory.dmp

Filesize
2.0MB

Download
memory/3740-276-0x0000000002C90000-0x0000000003090000-memory.dmp

Filesize
4.0MB

Download
memory/3740-275-0x0000000002C90000-0x0000000003090000-memory.dmp

Filesize
4.0MB

Download