amadey | 83f6d9721abac7afdb48fad8a0430fcbb6cb4c1de28e37a0768d92cf8e7c8cda

Resubmissions

30-07-2023 09:27

230730-les4qsgg49 10

29-07-2023 12:31

230729-pp9q1scg28 10

Analysis

max time kernel
1177s
max time network
1199s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
29-07-2023 12:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup-File.exe
Size

28.1MB
MD5

9ddc92ae27b3c01abcc9361f5f10dbeb
SHA1

4ae7273d55275c53ebd66fd8d55d54d5257ad21d
SHA256

48987d9c89542a8cb4f8d34eb34902a4762cc8643c0e491deb6115907db4887b
SHA512

20f81c7cf228b92ef488fc24d1a3ed288f77036903bfcb1a650a7505a9f618c2fafa09e4b7c5e539a5627d6436f7011f1ed0ecf027609524006c07716447e68b
SSDEEP

786432:z6FQ28LUo3oaouyd+sP6qSwbJ+IViZRR/5PwUA1:zAQPLUcoMA+sP6q3pV255rI

Score

10^/10

amadey lumma vidar https://t.me/dastantim spyware stealer trojan vmprotect

Malware Config

Extracted

Family

amadey

Version

3.85

45.9.74.166/b7djSDcPcZ/index.php

45.9.74.141/b7djSDcPcZ/index.php

Extracted

Family

vidar

Version

4.9

Botnet

https://t.me/dastantim

https://steamcommunity.com/profiles/76561199529242058

Attributes

profile_id_v2
https://t.me/dastantim
user_agent
Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Vivaldi/3.7

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setup-File.exeldhxfrlcttjf.exebstyoops.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	Setup-File.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	ldhxfrlcttjf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	bstyoops.exe

Executes dropped EXE 21 IoCs

Processes:

ldhxfrlcttjf.exebstyoops.exebstyoops.exebstyoops.exebstyoops.exeYjzlamqghwrobt.exebstyoops.exebstyoops.exebstyoops.exebstyoops.exebstyoops.exebstyoops.exebstyoops.exebstyoops.exebstyoops.exebstyoops.exebstyoops.exebstyoops.exebstyoops.exebstyoops.exebstyoops.exe

pid	process
3812	ldhxfrlcttjf.exe
1220	bstyoops.exe
2556	bstyoops.exe
4712	bstyoops.exe
4316	bstyoops.exe
2648	Yjzlamqghwrobt.exe
2384	bstyoops.exe
3960	bstyoops.exe
5004	bstyoops.exe
4620	bstyoops.exe
1856	bstyoops.exe
4252	bstyoops.exe
3788	bstyoops.exe
3784	bstyoops.exe
404	bstyoops.exe
2848	bstyoops.exe
3920	bstyoops.exe
4052	bstyoops.exe
3720	bstyoops.exe
2312	bstyoops.exe
1108	bstyoops.exe

Loads dropped DLL 2 IoCs

Processes:

csc.exe

pid process

5112 csc.exe
5112 csc.exe

pid	process
5112	csc.exe
5112	csc.exe

VMProtect packed file 55 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ldhxfrlcttjf.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\ldhxfrlcttjf.exe	vmprotect
behavioral2/memory/3812-326-0x0000000000320000-0x000000000115B000-memory.dmp	vmprotect
behavioral2/memory/3812-334-0x0000000000320000-0x000000000115B000-memory.dmp	vmprotect
behavioral2/memory/3812-339-0x0000000000320000-0x000000000115B000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe	vmprotect
behavioral2/memory/3812-368-0x0000000000320000-0x000000000115B000-memory.dmp	vmprotect
behavioral2/memory/1220-369-0x0000000000480000-0x00000000012BB000-memory.dmp	vmprotect
behavioral2/memory/1220-379-0x0000000000480000-0x00000000012BB000-memory.dmp	vmprotect
behavioral2/memory/1220-384-0x0000000000480000-0x00000000012BB000-memory.dmp	vmprotect
behavioral2/memory/1220-388-0x0000000000480000-0x00000000012BB000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe	vmprotect
behavioral2/memory/2556-496-0x0000000000480000-0x00000000012BB000-memory.dmp	vmprotect
behavioral2/memory/2556-505-0x0000000000480000-0x00000000012BB000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe	vmprotect
behavioral2/memory/4712-569-0x0000000000480000-0x00000000012BB000-memory.dmp	vmprotect
behavioral2/memory/4712-572-0x0000000000480000-0x00000000012BB000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe	vmprotect
behavioral2/memory/4316-594-0x0000000000480000-0x00000000012BB000-memory.dmp	vmprotect
behavioral2/memory/4316-604-0x0000000000480000-0x00000000012BB000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\Yjzlamqghwrobt.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\Yjzlamqghwrobt.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\Yjzlamqghwrobt.exe	vmprotect
behavioral2/memory/2648-621-0x0000000000E10000-0x0000000001810000-memory.dmp	vmprotect
behavioral2/memory/2648-626-0x0000000000E10000-0x0000000001810000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe	vmprotect
behavioral2/memory/2384-641-0x0000000000480000-0x00000000012BB000-memory.dmp	vmprotect
behavioral2/memory/2384-643-0x0000000000480000-0x00000000012BB000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe	vmprotect
behavioral2/memory/3960-658-0x0000000000480000-0x00000000012BB000-memory.dmp	vmprotect
behavioral2/memory/3960-660-0x0000000000480000-0x00000000012BB000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe	vmprotect
behavioral2/memory/5004-675-0x0000000000480000-0x00000000012BB000-memory.dmp	vmprotect
behavioral2/memory/5004-677-0x0000000000480000-0x00000000012BB000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe	vmprotect
behavioral2/memory/4620-692-0x0000000000480000-0x00000000012BB000-memory.dmp	vmprotect
behavioral2/memory/4620-694-0x0000000000480000-0x00000000012BB000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe	vmprotect
behavioral2/memory/1856-709-0x0000000000480000-0x00000000012BB000-memory.dmp	vmprotect
behavioral2/memory/1856-711-0x0000000000480000-0x00000000012BB000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe	vmprotect
behavioral2/memory/4252-726-0x0000000000480000-0x00000000012BB000-memory.dmp	vmprotect
behavioral2/memory/4252-728-0x0000000000480000-0x00000000012BB000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe	vmprotect
behavioral2/memory/3788-743-0x0000000000480000-0x00000000012BB000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe	vmprotect

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

Setup-File.exe

description ioc process

File opened (read-only) \??\F: Setup-File.exe

description	ioc	process
File opened (read-only)	\??\F:	Setup-File.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Setup-File.exe

description	pid	process	target process
PID 4656 set thread context of 2228	4656	Setup-File.exe	csc.exe
PID 4656 set thread context of 5112	4656	Setup-File.exe	csc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1044 5112 WerFault.exe csc.exe

pid	pid_target	process	target process
1044	5112	WerFault.exe	csc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

csc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	csc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	csc.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3100 schtasks.exe

pid	process
3100	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Setup-File.exemsedge.exemsedge.exeidentity_helper.exepowershell.exepowershell.exepowershell.execsc.exeldhxfrlcttjf.exebstyoops.exepowershell.exepowershell.execsc.exe

pid	process
4656	Setup-File.exe
4656	Setup-File.exe
4656	Setup-File.exe
4656	Setup-File.exe
4656	Setup-File.exe
4252	msedge.exe
4252	msedge.exe
3468	msedge.exe
3468	msedge.exe
4656	Setup-File.exe
4656	Setup-File.exe
4656	Setup-File.exe
4656	Setup-File.exe
2704	identity_helper.exe
2704	identity_helper.exe
4656	Setup-File.exe
4656	Setup-File.exe
4656	Setup-File.exe
4656	Setup-File.exe
748	powershell.exe
748	powershell.exe
748	powershell.exe
1124	powershell.exe
1124	powershell.exe
1124	powershell.exe
748	powershell.exe
748	powershell.exe
748	powershell.exe
2228	csc.exe
2228	csc.exe
2228	csc.exe
2228	csc.exe
2228	csc.exe
2228	csc.exe
2228	csc.exe
2228	csc.exe
2228	csc.exe
2228	csc.exe
2228	csc.exe
2228	csc.exe
2228	csc.exe
2228	csc.exe
2228	csc.exe
2228	csc.exe
2228	csc.exe
2228	csc.exe
2228	csc.exe
2228	csc.exe
3812	ldhxfrlcttjf.exe
3812	ldhxfrlcttjf.exe
3812	ldhxfrlcttjf.exe
3812	ldhxfrlcttjf.exe
1220	bstyoops.exe
1220	bstyoops.exe
1220	bstyoops.exe
1220	bstyoops.exe
3428	powershell.exe
3428	powershell.exe
3428	powershell.exe
3088	powershell.exe
3088	powershell.exe
3088	powershell.exe
5112	csc.exe
5112	csc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

3468 msedge.exe
3468 msedge.exe
3468 msedge.exe
3468 msedge.exe
3468 msedge.exe
3468 msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	748	powershell.exe
Token: SeDebugPrivilege	1124	powershell.exe
Token: SeDebugPrivilege	748	powershell.exe
Token: SeDebugPrivilege	3428	powershell.exe
Token: SeDebugPrivilege	3088	powershell.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

msedge.exeldhxfrlcttjf.exe

pid	process
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3812	ldhxfrlcttjf.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3468 wrote to memory of 2880	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 2880	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 820	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 820	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 820	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 820	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 820	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 820	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 820	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 820	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 820	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 820	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 820	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 820	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 820	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 820	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 820	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 820	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 820	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 820	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 820	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 820	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 820	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 820	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 820	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 820	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 820	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 820	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 820	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 820	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 820	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 820	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 820	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 820	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 820	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 820	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 820	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 820	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 820	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 820	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 820	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 820	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 4252	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 4252	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 3040	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 3040	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 3040	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 3040	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 3040	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 3040	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 3040	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 3040	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 3040	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 3040	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 3040	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 3040	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 3040	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 3040	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 3040	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 3040	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 3040	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 3040	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 3040	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 3040	3468	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\Setup-File.exe
"C:\Users\Admin\AppData\Local\Temp\Setup-File.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
2⤵
PID:456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2228

C:\Users\Admin\AppData\Local\Temp\ldhxfrlcttjf.exe
"C:\Users\Admin\AppData\Local\Temp\ldhxfrlcttjf.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:3812

C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
"C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1220

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN bstyoops.exe /TR "C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe" /F
5⤵
- Creates scheduled task(s)
PID:3100

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "bstyoops.exe" /P "Admin:N"&&CACLS "bstyoops.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c2868ed41c" /P "Admin:N"&&CACLS "..\c2868ed41c" /P "Admin:R" /E&&Exit
5⤵
PID:948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:4240

C:\Windows\SysWOW64\cacls.exe
CACLS "bstyoops.exe" /P "Admin:N"
6⤵
PID:376

C:\Windows\SysWOW64\cacls.exe
CACLS "bstyoops.exe" /P "Admin:R" /E
6⤵
PID:1636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:2468

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c2868ed41c" /P "Admin:N"
6⤵
PID:3528

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c2868ed41c" /P "Admin:R" /E
6⤵
PID:3860

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAANQAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
2⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 1800
3⤵
- Program crash
PID:1044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3428

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAyADAA
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3088

C:\Users\Admin\AppData\Local\Temp\Yjzlamqghwrobt.exe
"C:\Users\Admin\AppData\Local\Temp\Yjzlamqghwrobt.exe"
2⤵
- Executes dropped EXE
PID:2648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RedoCompress.svg
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ff926f146f8,0x7ff926f14708,0x7ff926f14718
2⤵
PID:2880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,6269388580612523862,10820904841884305864,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,6269388580612523862,10820904841884305864,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
2⤵
PID:820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,6269388580612523862,10820904841884305864,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
2⤵
PID:3040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,6269388580612523862,10820904841884305864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1
2⤵
PID:1780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,6269388580612523862,10820904841884305864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
2⤵
PID:1044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,6269388580612523862,10820904841884305864,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
2⤵
PID:4232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,6269388580612523862,10820904841884305864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
2⤵
PID:3700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,6269388580612523862,10820904841884305864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
2⤵
PID:4764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,6269388580612523862,10820904841884305864,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
2⤵
PID:1268

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,6269388580612523862,10820904841884305864,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:8
2⤵
PID:856

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,6269388580612523862,10820904841884305864,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2704

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4844

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2784

C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
1⤵
- Executes dropped EXE
PID:2556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5112 -ip 5112
1⤵
PID:3332

C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
1⤵
- Executes dropped EXE
PID:4712

C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
1⤵
- Executes dropped EXE
PID:4316

C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
1⤵
- Executes dropped EXE
PID:2384

C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
1⤵
- Executes dropped EXE
PID:3960

C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
1⤵
- Executes dropped EXE
PID:5004

C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
1⤵
- Executes dropped EXE
PID:4620

C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
1⤵
- Executes dropped EXE
PID:1856

C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
1⤵
- Executes dropped EXE
PID:4252

C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
1⤵
- Executes dropped EXE
PID:3788

C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
1⤵
- Executes dropped EXE
PID:3784

C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
1⤵
- Executes dropped EXE
PID:404

C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
1⤵
- Executes dropped EXE
PID:2848

C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
1⤵
- Executes dropped EXE
PID:3920

C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
1⤵
- Executes dropped EXE
PID:4052

C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
1⤵
- Executes dropped EXE
PID:3720

C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
1⤵
- Executes dropped EXE
PID:2312

C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
1⤵
- Executes dropped EXE
PID:1108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8411007bafe7b1182af1ad3a1809b4f8

SHA1
4a78ee0762aadd53accae8bb211b8b18dc602070

SHA256
1f274d0d144942d00e43fb94f9c27fc91c68dce50cd374ac6be4472b08215ca3

SHA512
909e2e33b7614cb8bbd14e0dfff1b7f98f4abbf735f88292546ce3bfa665e4cb5ee4418561004e56afc5dd30d21483b05f6358dad5624c0dc3ab1ba9a3be18eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History
Filesize
124KB

MD5
ffb402628e615fd2a1239493ee4198ab

SHA1
b72ad06fb40e20295409e16bf41d6656c49c5b24

SHA256
9f41d1b31a3b830964e77692082f5d723f68a5523623aa40e3b671811fa28984

SHA512
89b41707ddf60e7fbe958b699af7ba2c1041656507560020daf11ca3c04f0ebbfee47e01fdeecf797e55dd6a0c56c1105fed275a440143d95b09c5a9a6e75795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG
Filesize
331B

MD5
2d11a6f530c74791741e2b1e3c3fe79d

SHA1
fdd44cc9cbd1937dd6f181d56f8b9d85235a89c3

SHA256
111164103c1856912e245a1fe83e7537c4080dd2837147088b0eb0d6d60f8fa6

SHA512
cf5f48883188ab7154729f4a3db5c2664f963bc4e86349e7c89a6ce9fb9e2b6425e8d9d7c75c9ca3df5086520a3303b78b3ed0ebfda0d089b1e76fb7f89e03e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
0c679755b01f7b0ee877cbe5a2581b65

SHA1
6782e0aa06df5781387bdae97d01cb91cc924d57

SHA256
171c4182e2369cc33fb1f35082480ee0dad9a31489b5b895e81cce0ab74acb08

SHA512
2b74377058e15c2c2bd3a68b086fc0a3527f0f3018409cdba31bb89b75b2d6f47e0c6ce895e5243e712690dfd96f8a36da323931b474aff7c26f35850112d2b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
cbe14f741a5493ed1ffff8538f5e57cc

SHA1
e7210fbadfe1045a910a9452422ebbf7ce9a94e1

SHA256
44cdb4576cd50829fff4a0dfc433a10eee16fed2cd7882ba420e53951d0ceeee

SHA512
b4f8ef257b2efa5d60e56c627178b2c4d163fa5d1b03ed99d4b049df855ce177f5ac1c06c2a5f6813a0d1a053ad9b3db3cb12ec59a978af2a6f4504d799c41e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
7e1c20e8222e5aa5060648a0b48ad5c7

SHA1
59f90b2e170c70bb82f17a3524021ab3f9315651

SHA256
4cf80434a79a4dba87566a8e02ba31a789e5b1f7218882cd33105b962114d663

SHA512
31f63764a95d2cdd734e4625f33608d412050bf066519ab75720f9912812047d45a3b487414a874078d90040b5d1265c7167088e643c8055081290688247719c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
8caf4d73cc5a7d5e3fb3f9f1a9d4a0cc

SHA1
83f8586805286b716c70ddd14a2b7ec6a4d9d0fe

SHA256
0e0c905b688340512e84db6cf8af6dbdfe29195fefde15bd02e4917a2c5fda8c

SHA512
084ef25ea21ee1083735c61b758281ba84b607e42d0186c35c3700b24a176ada47bf2e76ed7dadd3846f2b458c977e83835ced01cda47cdd7ab2d00e5a1a294e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
023b2fe77276d3c41da2d62b737752f7

SHA1
084f4e21dddd648f2404dca110ab9fe3a6f8c061

SHA256
c22108ddbc159895ebd307c85ee68534cd8bb28bf0f4edc22a79129986196c02

SHA512
6ee325a7e86d7da4ce9f248dc7f61611f140afd8c4d5c9329649a5f618d62363f9ac1b300d74f1b0165920b850a39d1174ef3726491a6f9e03171bbcd68d8703

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
92ebaf4dd1e3db4534101d8c1dfe1706

SHA1
1dda7b755454a91e6233182b894c1f1b4b2e7e35

SHA256
42cf31b653bafdf35f216213f6d9e0b13a08f51a30b83dbfe03513b7b811b44c

SHA512
3884c30f84b40b81bff24c7bb0d76eaa0169c2bb7ed070a10e532e76193b668c308d77b72688d292085fb587d2052905bb797c7e9a385f4798a13fd5e55be21d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
a8b24d6ef35d783b96c9928813a91f3e

SHA1
4fb725a40daa921250e77a0c6a9f7ecca0914165

SHA256
2957342db26f74b4c5688d28e74df77f553b5dc646265590535ee51b8dd8a438

SHA512
cc69508d2b7e73675a5a9ae06779cc481628b0154ac52a1093016d57afc8258044820993653a81f7328e1787be89af2e718cbc158e57f13689e10b944e51379d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
13KB

MD5
0e628437983e11cb03d7a06b33e6a2fb

SHA1
76abdc6029dd3fe9e311075bedffdd780068f962

SHA256
97f94ae91ef74edbe3a3b295661926d58c1f7b45836256ca722633d31d7e279d

SHA512
ecfafe971485fc0503ebf71a9d59c4146ba5f36294c891a08a6cf68fee6c82941300f1f8020bbc53545681d717b27fd6228e7e41c94e5553a3e6e6aa78ae3e80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
13KB

MD5
0e628437983e11cb03d7a06b33e6a2fb

SHA1
76abdc6029dd3fe9e311075bedffdd780068f962

SHA256
97f94ae91ef74edbe3a3b295661926d58c1f7b45836256ca722633d31d7e279d

SHA512
ecfafe971485fc0503ebf71a9d59c4146ba5f36294c891a08a6cf68fee6c82941300f1f8020bbc53545681d717b27fd6228e7e41c94e5553a3e6e6aa78ae3e80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
3db5a3b556b01c59c5812cb86abb674e

SHA1
3848e5419d5c47879f159247e4f1b08005674cf0

SHA256
218d487f881ce9640acd16f7476b445471b83671569e99973f77d0bbf6c42ffa

SHA512
3eb6575d3e476053a65b2631b0cd0d584056ca476058ee2706c69fe10b0502460c40f8985f1f4666e42fba2809924f6dc34ba2e9b2629217542e45cb3640adcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
3db5a3b556b01c59c5812cb86abb674e

SHA1
3848e5419d5c47879f159247e4f1b08005674cf0

SHA256
218d487f881ce9640acd16f7476b445471b83671569e99973f77d0bbf6c42ffa

SHA512
3eb6575d3e476053a65b2631b0cd0d584056ca476058ee2706c69fe10b0502460c40f8985f1f4666e42fba2809924f6dc34ba2e9b2629217542e45cb3640adcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
fc28168b916bf9744961653d503e1164

SHA1
71deadab13b81a414582f931e9af010152463644

SHA256
a2a78e9fb30fe365d454ca6bbbf950355049c978262fdf0e80cd683622cf00e9

SHA512
08d828e18ccb2892f12dcbbaf5a5ffcafb4e2e768536fc46b3d2fce788c52b2f61058e1ef0a47e648e2308f4f1aeb8799bef9472726d2800fa9b775f401e08c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
2f996b44e71bcf8e9d9bd5ef2a96a963

SHA1
61a10fcfb7bad1271f7132c7491982a916489af0

SHA256
78d612ffa268c2871faf8e656889f9ec6475890ff2763410dbf434a343ad9a0d

SHA512
84815d678a672aa99d4834fa4c0a42089bec36da593caabc337dc66180a8ebd0131e65fb68ba645d3d68e80a5e7808e0dcf5b0ff1cb2a46786d532b088b44515

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yjzlamqghwrobt.exe
Filesize
6.5MB

MD5
7af7284a37272c65e64b2deb41f6aed9

SHA1
c82659430ea52e5c9950811ca5aeea129c1979cc

SHA256
0eb30e2c25357b3fec262f5dea83c92a7236337dd87dd3fe06ac8e8d5e205d04

SHA512
4522c233933c8287bb10807508e98be615025f9ec614ac1f4928822fcbb98e50a0b09f43f688333e61a7da00ab156cbd747a19aba580c91db5bc4a759c9dabcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yjzlamqghwrobt.exe
Filesize
6.5MB

MD5
7af7284a37272c65e64b2deb41f6aed9

SHA1
c82659430ea52e5c9950811ca5aeea129c1979cc

SHA256
0eb30e2c25357b3fec262f5dea83c92a7236337dd87dd3fe06ac8e8d5e205d04

SHA512
4522c233933c8287bb10807508e98be615025f9ec614ac1f4928822fcbb98e50a0b09f43f688333e61a7da00ab156cbd747a19aba580c91db5bc4a759c9dabcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yjzlamqghwrobt.exe
Filesize
6.5MB

MD5
7af7284a37272c65e64b2deb41f6aed9

SHA1
c82659430ea52e5c9950811ca5aeea129c1979cc

SHA256
0eb30e2c25357b3fec262f5dea83c92a7236337dd87dd3fe06ac8e8d5e205d04

SHA512
4522c233933c8287bb10807508e98be615025f9ec614ac1f4928822fcbb98e50a0b09f43f688333e61a7da00ab156cbd747a19aba580c91db5bc4a759c9dabcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fminsi3d.pnq.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
7.6MB

MD5
587562721adc437bb5b738964eefb766

SHA1
1284904c39bd7704bca618506e1a6614d56fed84

SHA256
3c2ea8d5c8f94d224bd0d97b3b80fd8a660a6e1ce273abfad4b3321a3ebbf4b9

SHA512
6fc434024a2088a7e8a44236fa64b1fedbb926e34cb84842ef561876e70eab15c894ef3f1e934c652518185bd818ea10cba03ba193ad8249d5612bdbc2f0c2ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
7.6MB

MD5
587562721adc437bb5b738964eefb766

SHA1
1284904c39bd7704bca618506e1a6614d56fed84

SHA256
3c2ea8d5c8f94d224bd0d97b3b80fd8a660a6e1ce273abfad4b3321a3ebbf4b9

SHA512
6fc434024a2088a7e8a44236fa64b1fedbb926e34cb84842ef561876e70eab15c894ef3f1e934c652518185bd818ea10cba03ba193ad8249d5612bdbc2f0c2ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
7.6MB

MD5
587562721adc437bb5b738964eefb766

SHA1
1284904c39bd7704bca618506e1a6614d56fed84

SHA256
3c2ea8d5c8f94d224bd0d97b3b80fd8a660a6e1ce273abfad4b3321a3ebbf4b9

SHA512
6fc434024a2088a7e8a44236fa64b1fedbb926e34cb84842ef561876e70eab15c894ef3f1e934c652518185bd818ea10cba03ba193ad8249d5612bdbc2f0c2ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
7.6MB

MD5
587562721adc437bb5b738964eefb766

SHA1
1284904c39bd7704bca618506e1a6614d56fed84

SHA256
3c2ea8d5c8f94d224bd0d97b3b80fd8a660a6e1ce273abfad4b3321a3ebbf4b9

SHA512
6fc434024a2088a7e8a44236fa64b1fedbb926e34cb84842ef561876e70eab15c894ef3f1e934c652518185bd818ea10cba03ba193ad8249d5612bdbc2f0c2ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
7.6MB

MD5
587562721adc437bb5b738964eefb766

SHA1
1284904c39bd7704bca618506e1a6614d56fed84

SHA256
3c2ea8d5c8f94d224bd0d97b3b80fd8a660a6e1ce273abfad4b3321a3ebbf4b9

SHA512
6fc434024a2088a7e8a44236fa64b1fedbb926e34cb84842ef561876e70eab15c894ef3f1e934c652518185bd818ea10cba03ba193ad8249d5612bdbc2f0c2ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
7.6MB

MD5
587562721adc437bb5b738964eefb766

SHA1
1284904c39bd7704bca618506e1a6614d56fed84

SHA256
3c2ea8d5c8f94d224bd0d97b3b80fd8a660a6e1ce273abfad4b3321a3ebbf4b9

SHA512
6fc434024a2088a7e8a44236fa64b1fedbb926e34cb84842ef561876e70eab15c894ef3f1e934c652518185bd818ea10cba03ba193ad8249d5612bdbc2f0c2ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
7.6MB

MD5
587562721adc437bb5b738964eefb766

SHA1
1284904c39bd7704bca618506e1a6614d56fed84

SHA256
3c2ea8d5c8f94d224bd0d97b3b80fd8a660a6e1ce273abfad4b3321a3ebbf4b9

SHA512
6fc434024a2088a7e8a44236fa64b1fedbb926e34cb84842ef561876e70eab15c894ef3f1e934c652518185bd818ea10cba03ba193ad8249d5612bdbc2f0c2ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
7.6MB

MD5
587562721adc437bb5b738964eefb766

SHA1
1284904c39bd7704bca618506e1a6614d56fed84

SHA256
3c2ea8d5c8f94d224bd0d97b3b80fd8a660a6e1ce273abfad4b3321a3ebbf4b9

SHA512
6fc434024a2088a7e8a44236fa64b1fedbb926e34cb84842ef561876e70eab15c894ef3f1e934c652518185bd818ea10cba03ba193ad8249d5612bdbc2f0c2ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
7.6MB

MD5
587562721adc437bb5b738964eefb766

SHA1
1284904c39bd7704bca618506e1a6614d56fed84

SHA256
3c2ea8d5c8f94d224bd0d97b3b80fd8a660a6e1ce273abfad4b3321a3ebbf4b9

SHA512
6fc434024a2088a7e8a44236fa64b1fedbb926e34cb84842ef561876e70eab15c894ef3f1e934c652518185bd818ea10cba03ba193ad8249d5612bdbc2f0c2ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
7.6MB

MD5
587562721adc437bb5b738964eefb766

SHA1
1284904c39bd7704bca618506e1a6614d56fed84

SHA256
3c2ea8d5c8f94d224bd0d97b3b80fd8a660a6e1ce273abfad4b3321a3ebbf4b9

SHA512
6fc434024a2088a7e8a44236fa64b1fedbb926e34cb84842ef561876e70eab15c894ef3f1e934c652518185bd818ea10cba03ba193ad8249d5612bdbc2f0c2ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
7.6MB

MD5
587562721adc437bb5b738964eefb766

SHA1
1284904c39bd7704bca618506e1a6614d56fed84

SHA256
3c2ea8d5c8f94d224bd0d97b3b80fd8a660a6e1ce273abfad4b3321a3ebbf4b9

SHA512
6fc434024a2088a7e8a44236fa64b1fedbb926e34cb84842ef561876e70eab15c894ef3f1e934c652518185bd818ea10cba03ba193ad8249d5612bdbc2f0c2ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
7.6MB

MD5
587562721adc437bb5b738964eefb766

SHA1
1284904c39bd7704bca618506e1a6614d56fed84

SHA256
3c2ea8d5c8f94d224bd0d97b3b80fd8a660a6e1ce273abfad4b3321a3ebbf4b9

SHA512
6fc434024a2088a7e8a44236fa64b1fedbb926e34cb84842ef561876e70eab15c894ef3f1e934c652518185bd818ea10cba03ba193ad8249d5612bdbc2f0c2ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
7.6MB

MD5
587562721adc437bb5b738964eefb766

SHA1
1284904c39bd7704bca618506e1a6614d56fed84

SHA256
3c2ea8d5c8f94d224bd0d97b3b80fd8a660a6e1ce273abfad4b3321a3ebbf4b9

SHA512
6fc434024a2088a7e8a44236fa64b1fedbb926e34cb84842ef561876e70eab15c894ef3f1e934c652518185bd818ea10cba03ba193ad8249d5612bdbc2f0c2ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
7.6MB

MD5
587562721adc437bb5b738964eefb766

SHA1
1284904c39bd7704bca618506e1a6614d56fed84

SHA256
3c2ea8d5c8f94d224bd0d97b3b80fd8a660a6e1ce273abfad4b3321a3ebbf4b9

SHA512
6fc434024a2088a7e8a44236fa64b1fedbb926e34cb84842ef561876e70eab15c894ef3f1e934c652518185bd818ea10cba03ba193ad8249d5612bdbc2f0c2ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
7.6MB

MD5
587562721adc437bb5b738964eefb766

SHA1
1284904c39bd7704bca618506e1a6614d56fed84

SHA256
3c2ea8d5c8f94d224bd0d97b3b80fd8a660a6e1ce273abfad4b3321a3ebbf4b9

SHA512
6fc434024a2088a7e8a44236fa64b1fedbb926e34cb84842ef561876e70eab15c894ef3f1e934c652518185bd818ea10cba03ba193ad8249d5612bdbc2f0c2ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
7.6MB

MD5
587562721adc437bb5b738964eefb766

SHA1
1284904c39bd7704bca618506e1a6614d56fed84

SHA256
3c2ea8d5c8f94d224bd0d97b3b80fd8a660a6e1ce273abfad4b3321a3ebbf4b9

SHA512
6fc434024a2088a7e8a44236fa64b1fedbb926e34cb84842ef561876e70eab15c894ef3f1e934c652518185bd818ea10cba03ba193ad8249d5612bdbc2f0c2ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
7.6MB

MD5
587562721adc437bb5b738964eefb766

SHA1
1284904c39bd7704bca618506e1a6614d56fed84

SHA256
3c2ea8d5c8f94d224bd0d97b3b80fd8a660a6e1ce273abfad4b3321a3ebbf4b9

SHA512
6fc434024a2088a7e8a44236fa64b1fedbb926e34cb84842ef561876e70eab15c894ef3f1e934c652518185bd818ea10cba03ba193ad8249d5612bdbc2f0c2ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
7.6MB

MD5
587562721adc437bb5b738964eefb766

SHA1
1284904c39bd7704bca618506e1a6614d56fed84

SHA256
3c2ea8d5c8f94d224bd0d97b3b80fd8a660a6e1ce273abfad4b3321a3ebbf4b9

SHA512
6fc434024a2088a7e8a44236fa64b1fedbb926e34cb84842ef561876e70eab15c894ef3f1e934c652518185bd818ea10cba03ba193ad8249d5612bdbc2f0c2ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
7.6MB

MD5
587562721adc437bb5b738964eefb766

SHA1
1284904c39bd7704bca618506e1a6614d56fed84

SHA256
3c2ea8d5c8f94d224bd0d97b3b80fd8a660a6e1ce273abfad4b3321a3ebbf4b9

SHA512
6fc434024a2088a7e8a44236fa64b1fedbb926e34cb84842ef561876e70eab15c894ef3f1e934c652518185bd818ea10cba03ba193ad8249d5612bdbc2f0c2ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
7.6MB

MD5
587562721adc437bb5b738964eefb766

SHA1
1284904c39bd7704bca618506e1a6614d56fed84

SHA256
3c2ea8d5c8f94d224bd0d97b3b80fd8a660a6e1ce273abfad4b3321a3ebbf4b9

SHA512
6fc434024a2088a7e8a44236fa64b1fedbb926e34cb84842ef561876e70eab15c894ef3f1e934c652518185bd818ea10cba03ba193ad8249d5612bdbc2f0c2ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
7.6MB

MD5
587562721adc437bb5b738964eefb766

SHA1
1284904c39bd7704bca618506e1a6614d56fed84

SHA256
3c2ea8d5c8f94d224bd0d97b3b80fd8a660a6e1ce273abfad4b3321a3ebbf4b9

SHA512
6fc434024a2088a7e8a44236fa64b1fedbb926e34cb84842ef561876e70eab15c894ef3f1e934c652518185bd818ea10cba03ba193ad8249d5612bdbc2f0c2ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\ldhxfrlcttjf.exe
Filesize
7.6MB

MD5
587562721adc437bb5b738964eefb766

SHA1
1284904c39bd7704bca618506e1a6614d56fed84

SHA256
3c2ea8d5c8f94d224bd0d97b3b80fd8a660a6e1ce273abfad4b3321a3ebbf4b9

SHA512
6fc434024a2088a7e8a44236fa64b1fedbb926e34cb84842ef561876e70eab15c894ef3f1e934c652518185bd818ea10cba03ba193ad8249d5612bdbc2f0c2ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\ldhxfrlcttjf.exe
Filesize
7.6MB

MD5
587562721adc437bb5b738964eefb766

SHA1
1284904c39bd7704bca618506e1a6614d56fed84

SHA256
3c2ea8d5c8f94d224bd0d97b3b80fd8a660a6e1ce273abfad4b3321a3ebbf4b9

SHA512
6fc434024a2088a7e8a44236fa64b1fedbb926e34cb84842ef561876e70eab15c894ef3f1e934c652518185bd818ea10cba03ba193ad8249d5612bdbc2f0c2ba

Download Submit
\??\pipe\LOCAL\crashpad_3468_XPSTDLCWXCOJLLRA
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/748-254-0x00007FF923550000-0x00007FF924011000-memory.dmp

Filesize
10.8MB

Download
memory/748-296-0x0000025F5D940000-0x0000025F5D950000-memory.dmp

Filesize
64KB

Download
memory/748-238-0x0000022922C20000-0x0000022922C42000-memory.dmp

Filesize
136KB

Download
memory/748-316-0x0000025F5D940000-0x0000025F5D950000-memory.dmp

Filesize
64KB

Download
memory/748-392-0x00007FF923550000-0x00007FF924011000-memory.dmp

Filesize
10.8MB

Download
memory/748-313-0x0000025F5D940000-0x0000025F5D950000-memory.dmp

Filesize
64KB

Download
memory/748-289-0x00007FF923550000-0x00007FF924011000-memory.dmp

Filesize
10.8MB

Download
memory/748-248-0x00007FF923550000-0x00007FF924011000-memory.dmp

Filesize
10.8MB

Download
memory/748-249-0x0000022921310000-0x0000022921320000-memory.dmp

Filesize
64KB

Download
memory/748-250-0x0000022921310000-0x0000022921320000-memory.dmp

Filesize
64KB

Download
memory/748-315-0x0000025F5D940000-0x0000025F5D950000-memory.dmp

Filesize
64KB

Download
memory/748-290-0x0000025F5D940000-0x0000025F5D950000-memory.dmp

Filesize
64KB

Download
memory/748-251-0x0000022921310000-0x0000022921320000-memory.dmp

Filesize
64KB

Download
memory/748-259-0x00007FF923550000-0x00007FF924011000-memory.dmp

Filesize
10.8MB

Download
memory/748-256-0x0000022921310000-0x0000022921320000-memory.dmp

Filesize
64KB

Download
memory/748-255-0x0000022921310000-0x0000022921320000-memory.dmp

Filesize
64KB

Download
memory/748-307-0x00007FF923550000-0x00007FF924011000-memory.dmp

Filesize
10.8MB

Download
memory/1124-276-0x00007FF923550000-0x00007FF924011000-memory.dmp

Filesize
10.8MB

Download
memory/1124-272-0x00007FF923550000-0x00007FF924011000-memory.dmp

Filesize
10.8MB

Download
memory/1124-277-0x0000017BE5460000-0x0000017BE5470000-memory.dmp

Filesize
64KB

Download
memory/1124-281-0x00007FF923550000-0x00007FF924011000-memory.dmp

Filesize
10.8MB

Download
memory/1124-274-0x0000017BE5460000-0x0000017BE5470000-memory.dmp

Filesize
64KB

Download
memory/1124-273-0x0000017BE5460000-0x0000017BE5470000-memory.dmp

Filesize
64KB

Download
memory/1220-379-0x0000000000480000-0x00000000012BB000-memory.dmp

Filesize
14.2MB

Download
memory/1220-377-0x0000000001AC0000-0x0000000001AC1000-memory.dmp

Filesize
4KB

Download
memory/1220-382-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/1220-383-0x0000000003590000-0x0000000003591000-memory.dmp

Filesize
4KB

Download
memory/1220-384-0x0000000000480000-0x00000000012BB000-memory.dmp

Filesize
14.2MB

Download
memory/1220-388-0x0000000000480000-0x00000000012BB000-memory.dmp

Filesize
14.2MB

Download
memory/1220-369-0x0000000000480000-0x00000000012BB000-memory.dmp

Filesize
14.2MB

Download
memory/1220-380-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/1220-378-0x0000000003420000-0x0000000003421000-memory.dmp

Filesize
4KB

Download
memory/1220-381-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/1856-709-0x0000000000480000-0x00000000012BB000-memory.dmp

Filesize
14.2MB

Download
memory/1856-711-0x0000000000480000-0x00000000012BB000-memory.dmp

Filesize
14.2MB

Download
memory/2228-282-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2228-297-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2384-641-0x0000000000480000-0x00000000012BB000-memory.dmp

Filesize
14.2MB

Download
memory/2384-643-0x0000000000480000-0x00000000012BB000-memory.dmp

Filesize
14.2MB

Download
memory/2556-496-0x0000000000480000-0x00000000012BB000-memory.dmp

Filesize
14.2MB

Download
memory/2556-505-0x0000000000480000-0x00000000012BB000-memory.dmp

Filesize
14.2MB

Download
memory/2648-621-0x0000000000E10000-0x0000000001810000-memory.dmp

Filesize
10.0MB

Download
memory/2648-626-0x0000000000E10000-0x0000000001810000-memory.dmp

Filesize
10.0MB

Download
memory/2648-623-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/3088-587-0x00007FF923670000-0x00007FF924131000-memory.dmp

Filesize
10.8MB

Download
memory/3088-433-0x00007FF923670000-0x00007FF924131000-memory.dmp

Filesize
10.8MB

Download
memory/3088-543-0x00007FF923670000-0x00007FF924131000-memory.dmp

Filesize
10.8MB

Download
memory/3088-446-0x000002E577480000-0x000002E577490000-memory.dmp

Filesize
64KB

Download
memory/3088-545-0x000002E577480000-0x000002E577490000-memory.dmp

Filesize
64KB

Download
memory/3088-544-0x000002E577480000-0x000002E577490000-memory.dmp

Filesize
64KB

Download
memory/3428-416-0x00007FF923670000-0x00007FF924131000-memory.dmp

Filesize
10.8MB

Download
memory/3428-427-0x00000218545F0000-0x0000021854600000-memory.dmp

Filesize
64KB

Download
memory/3428-393-0x00007FF923670000-0x00007FF924131000-memory.dmp

Filesize
10.8MB

Download
memory/3428-394-0x00000218545F0000-0x0000021854600000-memory.dmp

Filesize
64KB

Download
memory/3428-429-0x00007FF923670000-0x00007FF924131000-memory.dmp

Filesize
10.8MB

Download
memory/3428-417-0x00000218545F0000-0x0000021854600000-memory.dmp

Filesize
64KB

Download
memory/3788-743-0x0000000000480000-0x00000000012BB000-memory.dmp

Filesize
14.2MB

Download
memory/3812-338-0x0000000001740000-0x0000000001741000-memory.dmp

Filesize
4KB

Download
memory/3812-332-0x00000000016B0000-0x00000000016B1000-memory.dmp

Filesize
4KB

Download
memory/3812-326-0x0000000000320000-0x000000000115B000-memory.dmp

Filesize
14.2MB

Download
memory/3812-335-0x00000000016D0000-0x00000000016D1000-memory.dmp

Filesize
4KB

Download
memory/3812-334-0x0000000000320000-0x000000000115B000-memory.dmp

Filesize
14.2MB

Download
memory/3812-333-0x00000000016C0000-0x00000000016C1000-memory.dmp

Filesize
4KB

Download
memory/3812-339-0x0000000000320000-0x000000000115B000-memory.dmp

Filesize
14.2MB

Download
memory/3812-336-0x0000000001710000-0x0000000001711000-memory.dmp

Filesize
4KB

Download
memory/3812-368-0x0000000000320000-0x000000000115B000-memory.dmp

Filesize
14.2MB

Download
memory/3812-337-0x0000000001720000-0x0000000001721000-memory.dmp

Filesize
4KB

Download
memory/3960-660-0x0000000000480000-0x00000000012BB000-memory.dmp

Filesize
14.2MB

Download
memory/3960-658-0x0000000000480000-0x00000000012BB000-memory.dmp

Filesize
14.2MB

Download
memory/4252-726-0x0000000000480000-0x00000000012BB000-memory.dmp

Filesize
14.2MB

Download
memory/4252-728-0x0000000000480000-0x00000000012BB000-memory.dmp

Filesize
14.2MB

Download
memory/4316-594-0x0000000000480000-0x00000000012BB000-memory.dmp

Filesize
14.2MB

Download
memory/4316-604-0x0000000000480000-0x00000000012BB000-memory.dmp

Filesize
14.2MB

Download
memory/4620-692-0x0000000000480000-0x00000000012BB000-memory.dmp

Filesize
14.2MB

Download
memory/4620-694-0x0000000000480000-0x00000000012BB000-memory.dmp

Filesize
14.2MB

Download
memory/4656-219-0x000001E253DA0000-0x000001E253DEE000-memory.dmp

Filesize
312KB

Download
memory/4656-140-0x00007FF942A50000-0x00007FF942A52000-memory.dmp

Filesize
8KB

Download
memory/4656-135-0x00007FF9450C0000-0x00007FF9450C2000-memory.dmp

Filesize
8KB

Download
memory/4656-134-0x00007FF763760000-0x00007FF766599000-memory.dmp

Filesize
46.2MB

Download
memory/4656-253-0x000001E253DF0000-0x000001E253F05000-memory.dmp

Filesize
1.1MB

Download
memory/4656-136-0x00007FF9450D0000-0x00007FF9450D2000-memory.dmp

Filesize
8KB

Download
memory/4656-137-0x00007FF944460000-0x00007FF944462000-memory.dmp

Filesize
8KB

Download
memory/4656-619-0x00007FF763760000-0x00007FF766599000-memory.dmp

Filesize
46.2MB

Download
memory/4656-415-0x000001E253DF0000-0x000001E253F05000-memory.dmp

Filesize
1.1MB

Download
memory/4656-133-0x00007FF9450B0000-0x00007FF9450B2000-memory.dmp

Filesize
8KB

Download
memory/4656-178-0x00007FF763760000-0x00007FF766599000-memory.dmp

Filesize
46.2MB

Download
memory/4656-390-0x000001E253DF0000-0x000001E253F05000-memory.dmp

Filesize
1.1MB

Download
memory/4656-141-0x00007FF763760000-0x00007FF766599000-memory.dmp

Filesize
46.2MB

Download
memory/4656-138-0x00007FF944470000-0x00007FF944472000-memory.dmp

Filesize
8KB

Download
memory/4656-139-0x00007FF942A40000-0x00007FF942A42000-memory.dmp

Filesize
8KB

Download
memory/4712-572-0x0000000000480000-0x00000000012BB000-memory.dmp

Filesize
14.2MB

Download
memory/4712-569-0x0000000000480000-0x00000000012BB000-memory.dmp

Filesize
14.2MB

Download
memory/5004-675-0x0000000000480000-0x00000000012BB000-memory.dmp

Filesize
14.2MB

Download
memory/5004-677-0x0000000000480000-0x00000000012BB000-memory.dmp

Filesize
14.2MB

Download
memory/5112-430-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download