silverrat | eba82296981d63be03f67ac548a64461c1a9f33b5a417d9dc4fca9f712741f93

Analysis

max time kernel
215s
max time network
216s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02/02/2025, 13:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SilverClient.exe
Size

44KB
MD5

8be348b402c7efa1615b42bf8066e7d2
SHA1

8aba71b3666413fc5e8acd32b96593511d49ebeb
SHA256

eba82296981d63be03f67ac548a64461c1a9f33b5a417d9dc4fca9f712741f93
SHA512

16ddd723a640bf65533d3e3ef005a60c45d06c5d9d1c7bb4525805cb8c0216a467f1629acf80126ae5e3b8b0dc62a79018ea30e30437a13b881628cc9a26d5cb
SSDEEP

768:1FenqPN1+dNRoIGvW/j0hddndktkRULL9SX1Yez1QB6Sk2f4v39kE:1FenqHsM5hddndkOGf9nC1QovE4v9kE

Score

10^/10

silverrat discovery execution persistence trojan

Malware Config

Extracted

Family

silverrat

Version

1.0.0.0

court-discovery.gl.at.ply.gg:45502

Mutex

lAxDBRhAFu

Attributes

certificate
MIIE4DCCAsigAwIBAgIQAKQYOfZd86J2BfNjhG4CWTANBgkqhkiG9w0BAQ0FADARMQ8wDQYDVQQDDAZTaWx2ZXIwIBcNMjIwODI2MTkwMTA4WhgPOTk5OTEyMzEyMzU5NTlaMBExDzANBgNVBAMMBlNpbHZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAPbpOWfhZTuOfEaqqImTTe5dNHAAry7/mf00DCoI4lPZfypsc1tYraxSPFeayGu09a3qdhkWKSVIgwnu2n4GLQNOCY9fh/1oyrX4Iir3BIkYeU7pKTWgjhUlAmFAUAaNr0ca23Ku2kN79jrDzRznOgE2DEW4p7OiM4Mb097ma9lzu7MyssHbY4VCteAhj9HZiplqBxaC1vXDmzxqG+gUZ1aLcyG7ssdkOjtWVBgT3gD/gOl7KchRzCFB1egDC/vD9WZCG35U3Ngi+IkTznoXR1R06cq4v0UnGjE37R2vcB21qb0ZYNiZJXZHv5i9+R7xoPeNoLda5PqnfGGbhPvNEdD56mdcOKlzGIuyemLkUo8texdpiBWKbtc3JZf5VsKxjJtHDK3xW6gDGI+PAirzGkFPmwcf8WgsblvzLg8OZpVxVs8rmKWoi6qIrf4CXnyl73J4lgzW+ir7PjANAQXwLNGdNnvdMeLeo/muGQPdeNpr6OczGGnkWA4qniHeL51/Gx0a8A+jP9zKiyu+qHcsP2IotgWDH/KlzJVr7IAum+DV92uV8poTDcUNcHaKvhHA65KmEtsvLbK6lFZcAMC0eWC0VgpW44T1/16rOaaky5mP6rTMc3nSyOl/lU/XgAgGGQPe22bRLWYzd3WVeEpI1WnHYXS+tL9IOe4kJP+pYsWDAgMBAAGjMjAwMB0GA1UdDgQWBBR32TJj2LeUx9L+RcSOvmFV6VJq6TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQA+qucSOi7ov7Q1FmAjMf925KuvKuCNwJiu3Sqo3FDGVAD1fAwAi2FdyuXEO2VIUPZCkalFcBna5rqyrc6tcS4T0IL2TsYLrsuGir7PWP7CAcft1urYS1HpNpHxeH/nixwnQaQs/MuRmdm2TeCj6G21P5BTW55U5y9sMPSYwhbD2N7XLgnSQd5Y+80TR7FUiye/k3D37fI9PRhSQGbfYFRQQTmxj84dPTnY5CVgaY9d8fNiFZkyjaZdf+mibK0xQTf+xLVVj+toDNCkc1F462TdmFhCrHd4PoMo0yLDNv4SC6NLRq4haWDRtORw6gd5GYIoCQ3m3oQvNlNxXhhIjsOyxkxOrkCD0c+57PIc7EmKXieJa/XxnkcIVxO8dvTY/vijuz/VaZYl/lPu9ckuqgJ1wRvvsHl70Trv4Mn4X5uCIqRFFlK/mSOZbLIguGkDN3QIZABvej89vlZMhrVfZOG2oawe23FskHjv7thF/WzOXtWw6RUVC1V+hCwbuxFNUjZmmOTUwdXHnus7I2AuiG6Jz1+y9aYiXBcVTdSljxjHRRmiRaAnY94h58vN8NJ4hKL2GVCo6LxkpuplmcntJN0cKraKTPxSXcCRrqWxX9qoIbfvBcUU4vH1jPJCCLNCuDyD3lgQkpPVvq0EMU1a2HFGgMEQMjpYpb38rcadDhT5ag==
decrypted_key
-|S.S.S|-
discord
https://discord.com/api/webhooks/1335592481265287199/tCWoFLVy6fas_HijZsXLMjuueyB8XGEGT5dsrz6DpXFQe7Y0GoR6udU1JJife2Z5Rcv1
key
yy6zDjAUmbB09pKvo5Hhug==
key_x509
b0FGeVZNcFRMWVloVHR6Z0VESU5RdlpZUmxZbUFE
payload_url
https://g.top4top.io/p_2522c7w8u1.png
reconnect_delay
4
server_signature
t9H0tGywaq23QHywsvniYlva2DUEoHwEX4RZOKw6QYOUUUEs6+qPhkwL0ziJc2nYj2yd5E4o3kMJj8NRpRTkpZcyIg/ljsBjIY4uuTgySYNYShSJRrNgQc/XiUXjH546feRdpS3EuZPWH15iNA3U89kmdXU1BOtms28guz5MUZ/jdeGBHbjPJULpyM8EgGGdK3ajqJ+NWQxPHql47XGQFXqJ5PauE0xmpcMKt+LU7fe+NS0Yx11uv+tRwSlMmFhYU9pSYoS8zZ7Lyeaw8rcxs06oecNxLKcmbSH3H5QWo4qYq/Y7HAeBmLEHHB5t8+bCVeDMfccmct8s+aZpljSceGlri2HJsxEjZ7FYmh4+o8bhacTmqQyE99P1kSa4FAWPLn59j5s1nO91Sb/rMvcNUApgatm6ZRZjc+Ninv7rXwFncnT7eRSRvldp7PohX6bsJEJRMnfLT4YxM0TzqV9POSK0hjrRojbiRQWahccxQRKfg3TcVxNnNjCQWMOJ0YzNuQ0ZSTLPO3QA4v/0cwD5nBhPdhowAnMUb4j61HsPdaQnKXvlx377vbMOowWJFqGC1ES1rKn843GMu81HL7FJsfrpqglmmFTddG3IwkeJU7umxj41+anidgCco7Jzbii9D9e4l2DF3EuhYg+qIuiwNw4ACh3olxSGStXl952V/dY=

Signatures

SilverRat
SilverRat is trojan written in C#.
trojan silverrat
Silverrat family
silverrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	$77GetRattedXD.exe

Executes dropped EXE 1 IoCs

pid	Process
1636	$77GetRattedXD.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\Downloads\\$77GetRattedXD.exe\""	SilverClient.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4708	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
80	raw.githubusercontent.com
93	discord.com
94	discord.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
1980	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4268	schtasks.exe
4488	schtasks.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
2004	SilverClient.exe
2004	SilverClient.exe
2004	SilverClient.exe
2004	SilverClient.exe
2004	SilverClient.exe
2004	SilverClient.exe
2004	SilverClient.exe
2004	SilverClient.exe
2004	SilverClient.exe
2004	SilverClient.exe
2004	SilverClient.exe
2004	SilverClient.exe
2004	SilverClient.exe
2004	SilverClient.exe
2004	SilverClient.exe
2004	SilverClient.exe
2004	SilverClient.exe
2004	SilverClient.exe
2004	SilverClient.exe
2004	SilverClient.exe
2004	SilverClient.exe
2004	SilverClient.exe
2004	SilverClient.exe
1316	msedge.exe
1316	msedge.exe
4976	msedge.exe
4976	msedge.exe
1900	identity_helper.exe
1900	identity_helper.exe
4708	powershell.exe
4708	powershell.exe
4708	powershell.exe
1636	$77GetRattedXD.exe
1636	$77GetRattedXD.exe
1952	msedge.exe
1952	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	2008	vssvc.exe
Token: SeRestorePrivilege	2008	vssvc.exe
Token: SeAuditPrivilege	2008	vssvc.exe
Token: SeDebugPrivilege	2004	SilverClient.exe
Token: SeDebugPrivilege	1636	$77GetRattedXD.exe
Token: SeDebugPrivilege	4708	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1636	$77GetRattedXD.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4976 wrote to memory of 1384	4976	msedge.exe	89
PID 4976 wrote to memory of 1384	4976	msedge.exe	89
PID 4976 wrote to memory of 1380	4976	msedge.exe	90
PID 4976 wrote to memory of 1380	4976	msedge.exe	90
PID 4976 wrote to memory of 1380	4976	msedge.exe	90
PID 4976 wrote to memory of 1380	4976	msedge.exe	90
PID 4976 wrote to memory of 1380	4976	msedge.exe	90
PID 4976 wrote to memory of 1380	4976	msedge.exe	90
PID 4976 wrote to memory of 1380	4976	msedge.exe	90
PID 4976 wrote to memory of 1380	4976	msedge.exe	90
PID 4976 wrote to memory of 1380	4976	msedge.exe	90
PID 4976 wrote to memory of 1380	4976	msedge.exe	90
PID 4976 wrote to memory of 1380	4976	msedge.exe	90
PID 4976 wrote to memory of 1380	4976	msedge.exe	90
PID 4976 wrote to memory of 1380	4976	msedge.exe	90
PID 4976 wrote to memory of 1380	4976	msedge.exe	90
PID 4976 wrote to memory of 1380	4976	msedge.exe	90
PID 4976 wrote to memory of 1380	4976	msedge.exe	90
PID 4976 wrote to memory of 1380	4976	msedge.exe	90
PID 4976 wrote to memory of 1380	4976	msedge.exe	90
PID 4976 wrote to memory of 1380	4976	msedge.exe	90
PID 4976 wrote to memory of 1380	4976	msedge.exe	90
PID 4976 wrote to memory of 1380	4976	msedge.exe	90
PID 4976 wrote to memory of 1380	4976	msedge.exe	90
PID 4976 wrote to memory of 1380	4976	msedge.exe	90
PID 4976 wrote to memory of 1380	4976	msedge.exe	90
PID 4976 wrote to memory of 1380	4976	msedge.exe	90
PID 4976 wrote to memory of 1380	4976	msedge.exe	90
PID 4976 wrote to memory of 1380	4976	msedge.exe	90
PID 4976 wrote to memory of 1380	4976	msedge.exe	90
PID 4976 wrote to memory of 1380	4976	msedge.exe	90
PID 4976 wrote to memory of 1380	4976	msedge.exe	90
PID 4976 wrote to memory of 1380	4976	msedge.exe	90
PID 4976 wrote to memory of 1380	4976	msedge.exe	90
PID 4976 wrote to memory of 1380	4976	msedge.exe	90
PID 4976 wrote to memory of 1380	4976	msedge.exe	90
PID 4976 wrote to memory of 1380	4976	msedge.exe	90
PID 4976 wrote to memory of 1380	4976	msedge.exe	90
PID 4976 wrote to memory of 1380	4976	msedge.exe	90
PID 4976 wrote to memory of 1380	4976	msedge.exe	90
PID 4976 wrote to memory of 1380	4976	msedge.exe	90
PID 4976 wrote to memory of 1380	4976	msedge.exe	90
PID 4976 wrote to memory of 1316	4976	msedge.exe	91
PID 4976 wrote to memory of 1316	4976	msedge.exe	91
PID 4976 wrote to memory of 1996	4976	msedge.exe	92
PID 4976 wrote to memory of 1996	4976	msedge.exe	92
PID 4976 wrote to memory of 1996	4976	msedge.exe	92
PID 4976 wrote to memory of 1996	4976	msedge.exe	92
PID 4976 wrote to memory of 1996	4976	msedge.exe	92
PID 4976 wrote to memory of 1996	4976	msedge.exe	92
PID 4976 wrote to memory of 1996	4976	msedge.exe	92
PID 4976 wrote to memory of 1996	4976	msedge.exe	92
PID 4976 wrote to memory of 1996	4976	msedge.exe	92
PID 4976 wrote to memory of 1996	4976	msedge.exe	92
PID 4976 wrote to memory of 1996	4976	msedge.exe	92
PID 4976 wrote to memory of 1996	4976	msedge.exe	92
PID 4976 wrote to memory of 1996	4976	msedge.exe	92
PID 4976 wrote to memory of 1996	4976	msedge.exe	92
PID 4976 wrote to memory of 1996	4976	msedge.exe	92
PID 4976 wrote to memory of 1996	4976	msedge.exe	92
PID 4976 wrote to memory of 1996	4976	msedge.exe	92
PID 4976 wrote to memory of 1996	4976	msedge.exe	92
PID 4976 wrote to memory of 1996	4976	msedge.exe	92
PID 4976 wrote to memory of 1996	4976	msedge.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\SilverClient.exe
"C:\Users\Admin\AppData\Local\Temp\SilverClient.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp10A5.tmp.bat""
  2⤵
  PID:4936
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1980
- - C:\Users\Admin\Downloads\$77GetRattedXD.exe
    "C:\Users\Admin\Downloads\$77GetRattedXD.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1636
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks.exe" /query /TN $77GetRattedXD.exe
      4⤵
      PID:4656
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks.exe" /Create /SC ONCE /TN "$77GetRattedXD.exe" /TR "C:\Users\Admin\Downloads\$77GetRattedXD.exe \"\$77GetRattedXD.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4488
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks.exe" /query /TN $77GetRattedXD.exe
      4⤵
      PID:4680
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4708
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc daily /tn "GetRattedXD_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4268

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff13be46f8,0x7fff13be4708,0x7fff13be4718
  2⤵
  PID:1384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,8390315135961102773,11513095693702845630,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
  2⤵
  PID:1380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,8390315135961102773,11513095693702845630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,8390315135961102773,11513095693702845630,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
  2⤵
  PID:1996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8390315135961102773,11513095693702845630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:3220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8390315135961102773,11513095693702845630,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:2756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8390315135961102773,11513095693702845630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:1
  2⤵
  PID:1600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8390315135961102773,11513095693702845630,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
  2⤵
  PID:1768
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,8390315135961102773,11513095693702845630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 /prefetch:8
  2⤵
  PID:3364
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,8390315135961102773,11513095693702845630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8390315135961102773,11513095693702845630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8390315135961102773,11513095693702845630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4240 /prefetch:1
  2⤵
  PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8390315135961102773,11513095693702845630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:1
  2⤵
  PID:2472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8390315135961102773,11513095693702845630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8390315135961102773,11513095693702845630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8390315135961102773,11513095693702845630,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
  2⤵
  PID:4716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8390315135961102773,11513095693702845630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1
  2⤵
  PID:1668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8390315135961102773,11513095693702845630,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
  2⤵
  PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8390315135961102773,11513095693702845630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2148,8390315135961102773,11513095693702845630,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5584 /prefetch:8
  2⤵
  PID:1644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8390315135961102773,11513095693702845630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:4244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,8390315135961102773,11513095693702845630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4880 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,8390315135961102773,11513095693702845630,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1956 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1836

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4260

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:536

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4440

C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe
"C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe"
1⤵
PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f426165d1e5f7df1b7a3758c306cd4ae

SHA1
59ef728fbbb5c4197600f61daec48556fec651c1

SHA256
b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

SHA512
8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
599657940123a17f44239e10f79c1c94

SHA1
9ae151551cce0e0515681174fea648e7e21e29c4

SHA256
f0168695e042192f8dbf93d2cd1df9068f9f68293f67d4e2b4cadc711304225e

SHA512
2fc10b7d37622a27722ad177c1f58a27324822ee25aed281829e31dfacaf172cad75b22700de4494f92fca04710ad0ad599bd5fcc06342d95bba5d8015b7c25e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
857B

MD5
ad07ca26641c40e0af0c269244ca81e0

SHA1
aa8155d851d9a043d879f0480420b57ae06c5d67

SHA256
c4d93c0ca69742fbe7744daa09d13c67705a27e3b898b7a10177a47f38989649

SHA512
740c73d5e15a323f9a543ecc581a1474946c0a264708f848b7bdc55394b8e2e8a811f8b14ecba96f20e04e88765c3c235ec7bb58867003bc7d51e20359c1be52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c53f8c1cb82fd0c08f7290d5b0ed910c

SHA1
bac176d4624708ff4dcf5ff9747f24a6f48060b2

SHA256
d688656bcb1485453a52a3b4c6540b489fcc2e11955bd2e09dc779eadf745b09

SHA512
7907561fb69ad48bfcce6bfcdd367169c9a7cb7d0f5e73e47508b6879f6f5d83f09a6f035654b725f44cb23034b0accf05e80f2333e71f46c7cd46118ad2c274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e1a2f9cdb58a8e2c31d3d85c4573e49f

SHA1
9c5f69f6d1fc5c460fd03fed754768953a475ba2

SHA256
372df950cb144c43482cc56a863a3a98c9c728d35d7cd6636fb1743ca3a3c455

SHA512
c925e591d4cd73b8263b03633e7e2c98f0be1b409a390d94d917d9c0efafc6921b3a0b4b42ca2aa771bc371c5f138c0cf519218d0d8ea071fc0d045b184430ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8ee81d3f9b10cce0a570df9267529c42

SHA1
221d9b4f927e98b25738786fe5f9c6a1cfd41d60

SHA256
bb62b4e488daf1ba839d56e83186432233972b1de92fac04e53801ddc4ab4420

SHA512
669671f3a92eb808682e10af28d4ea4351dd3a06017ec55f4a6fd6ec030034944c03332eff64d11ba79d3e0084c78febaf2d0559d172eef36ffbdde724e48baa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d1d82fdc35ad8c2019f1b68223175f8d

SHA1
59ed2f7e3918fd908a21022259630aaae50ceee5

SHA256
1774d1bb2f832b97194ec29b2ce8e61cab77417ec78a8f23e5ccff73b5960e9a

SHA512
af68559c60cf6b06b28a721a23c28a6b4a83541ee58e7e5c24e81b2aaed1cc4fa4031fe51303cd10e670dede96653d31f9b90d1a3351668de64176ac5ddaf8ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
74e75b9064eeb901f40d8bfb53ac0b3c

SHA1
3e13b2802f3293a87d4b36c23e58f7e509221c6e

SHA256
336937bf063c7b454bff0e2a8616eeecf4bbae36faab2fe9677f6119117f3575

SHA512
b04ce83a7013c9d862d118c671e5c36577426932604ff070e5076b3d12fdd087811057903b89385633f2b7b1e1c07460fbb02402d3d88e47e9313c85e86deac2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5803d3a61506da11a752cba0e15ef9ad

SHA1
fc8e54a9efb0fd946821e3d2625c89cbd6f486a4

SHA256
2861480cd447a232b42133112dc5f8619b3cade228529b3dc05b6fa6705b5d1a

SHA512
b2b2b01c990904b7e58d5a1159d7ea8dc2a11de7bf5f19e8251e8186049756de0bb37e92b255f6696058c2ea43b8351cc405e46bc897d77ee9ebf5c645843c63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f6934f8f3628342f524fa1beb86ec0e3

SHA1
3a778978dd34106e7bb7bd077d99c768b7637845

SHA256
87232427140470f5d5133a926236829bf2cfb631e93fdd8bd5a3e6db8bb1dd5d

SHA512
ce41d797f1461ccd1d6fd12c7ee7c529a0c99b57773229bc3303a0705664a23ee33871b3f6ab4cd3b4ade40fd851b45483bc1de1762e00cbe2746857af832f8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58436d.TMP

Filesize
370B

MD5
f9dfd1a6f37b2b60c99c445de9336120

SHA1
8abbfd3fe7e7769e27b6a82c4f8b48846ca649e3

SHA256
782cbd9533a12f0275493a71baa6119ef7c4891472615051e662e9e6187bffd9

SHA512
f6eff56a0bb8815961040871d0b2a1f40b4e552037b4e8d9bc2db0122db6179ca03a7fa02dd6e7de7722fd995319a14fc2d48a4d88b78750b3432145d481da5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4bd9e9f4d8d5b03c8fbe09ee8ae4785e

SHA1
6752b6e5ebda7103f4363bbf1cf387a73c32d048

SHA256
d61b8890863d01292328936153d6a414d889ea90cb796f5de5adb2b39a97d885

SHA512
3fbc621c5cd5bb25c236faf838778a6d14cb0e15401bb4f2b96abf32996493887f0166880896ea87b95744c5351e2159e312d415c6d67b457dd72df8e566657d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
0e1667a24864e90d9f65f1c2ae2fff6d

SHA1
20d54d262d836b8f7259edc7b95384a8c67c226d

SHA256
58d8121f13754ba701cff84aea6e018144dc02dc01280521f24fb3cae99c270e

SHA512
96a678a173fa3d6b800c1ae922238ce4dd2c88db220c8a3a881c2993b77d1e09cf0cf5f8e8396175651b7f9b085ab438cf2b12d3355543ae92570e86b1a2f77a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zdaspy4k.a2v.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp10A5.tmp.bat

Filesize
152B

MD5
b3fb45184097a5707b353a8ea1b1b91e

SHA1
2137726756124d945b09689c34bd798fa465a42d

SHA256
96b2675bd0c3b272c357448011c2663e56e85e8af87c3fd96c9b9602533d2105

SHA512
bbcf3d57ad80631adbbbed17b4569787ffb189d370a4be757fb5f165e3dbfd623d32ea81647069b6c1a92c521606ad9921c438e27201aa68c9bf2225279cc385

Download Submit
C:\Users\Admin\Downloads\$77GetRattedXD.exe

Filesize
44KB

MD5
8be348b402c7efa1615b42bf8066e7d2

SHA1
8aba71b3666413fc5e8acd32b96593511d49ebeb

SHA256
eba82296981d63be03f67ac548a64461c1a9f33b5a417d9dc4fca9f712741f93

SHA512
16ddd723a640bf65533d3e3ef005a60c45d06c5d9d1c7bb4525805cb8c0216a467f1629acf80126ae5e3b8b0dc62a79018ea30e30437a13b881628cc9a26d5cb

Download Submit
memory/2004-133-0x00007FFF17D30000-0x00007FFF187F1000-memory.dmp

Filesize
10.8MB

Download
memory/2004-47-0x00007FFF17D30000-0x00007FFF187F1000-memory.dmp

Filesize
10.8MB

Download
memory/2004-1-0x00000000004D0000-0x00000000004E0000-memory.dmp

Filesize
64KB

Download
memory/2004-33-0x00007FFF17D33000-0x00007FFF17D35000-memory.dmp

Filesize
8KB

Download
memory/2004-2-0x00007FFF17D30000-0x00007FFF187F1000-memory.dmp

Filesize
10.8MB

Download
memory/2004-0-0x00007FFF17D33000-0x00007FFF17D35000-memory.dmp

Filesize
8KB

Download
memory/4708-315-0x0000017879CE0000-0x0000017879D02000-memory.dmp

Filesize
136KB

Download