Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/10/2023, 02:09

General

  • Target

    a154f87a1fa760d6e33b6e5ca6866b108c8b7bee164e6aee6e888ae2e043553d.exe

  • Size

    1.0MB

  • MD5

    ef80b96fcb482b949074842e2d3e7ec2

  • SHA1

    afc927cf43fa7ae3ba78d262e542ef748ff71080

  • SHA256

    a154f87a1fa760d6e33b6e5ca6866b108c8b7bee164e6aee6e888ae2e043553d

  • SHA512

    3fb090efa127f4ecd67e8bdefbc3dd934f08e528a2896ade3d4d130824eda5b24f862c8b642f1adafd544de6eec75aeed59503624822301d0f7dda5b23ad3222

  • SSDEEP

    24576:XyTZytGs6/dn4CTJV0gPtwuBoascPakRjC2mmJpHr:ihbVn4a0UZPPRjCiN

Malware Config

Extracted

Family

redline

Botnet

jordan

C2

77.91.124.55:19071

Extracted

Family

amadey

Version

3.89

C2

http://77.91.124.1/theme/index.php

http://77.91.68.78/help/index.php

Attributes
  • install_dir

    fefffe8cea

  • install_file

    explothe.exe

  • strings_key

    36a96139c1118a354edf72b1080d4b2f

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 16 IoCs
  • Loads dropped DLL 2 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a154f87a1fa760d6e33b6e5ca6866b108c8b7bee164e6aee6e888ae2e043553d.exe
    "C:\Users\Admin\AppData\Local\Temp\a154f87a1fa760d6e33b6e5ca6866b108c8b7bee164e6aee6e888ae2e043553d.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2492
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5801298.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5801298.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:552
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3486657.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3486657.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4604
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0249899.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0249899.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:820
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0872261.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0872261.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:2456
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0970891.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0970891.exe
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Executes dropped EXE
              • Windows security modification
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2972
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r0910138.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r0910138.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:3624
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                7⤵
                  PID:2384
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 540
                    8⤵
                    • Program crash
                    PID:3432
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 616
                  7⤵
                  • Program crash
                  PID:3928
            • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s0576227.exe
              C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s0576227.exe
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:740
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                6⤵
                  PID:2352
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 152
                  6⤵
                  • Program crash
                  PID:2204
            • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0532236.exe
              C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0532236.exe
              4⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:4120
              • C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
                "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
                5⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:1888
                • C:\Windows\SysWOW64\schtasks.exe
                  "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
                  6⤵
                  • Creates scheduled task(s)
                  PID:4528
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
                  6⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1876
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                    7⤵
                      PID:3700
                    • C:\Windows\SysWOW64\cacls.exe
                      CACLS "explothe.exe" /P "Admin:N"
                      7⤵
                        PID:4596
                      • C:\Windows\SysWOW64\cacls.exe
                        CACLS "explothe.exe" /P "Admin:R" /E
                        7⤵
                          PID:1512
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                          7⤵
                            PID:4212
                          • C:\Windows\SysWOW64\cacls.exe
                            CACLS "..\fefffe8cea" /P "Admin:N"
                            7⤵
                              PID:1804
                            • C:\Windows\SysWOW64\cacls.exe
                              CACLS "..\fefffe8cea" /P "Admin:R" /E
                              7⤵
                                PID:3864
                            • C:\Windows\SysWOW64\rundll32.exe
                              "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
                              6⤵
                              • Loads dropped DLL
                              PID:3384
                      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u3430018.exe
                        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u3430018.exe
                        3⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Suspicious use of WriteProcessMemory
                        PID:3984
                        • C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
                          "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"
                          4⤵
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Suspicious use of WriteProcessMemory
                          PID:432
                          • C:\Windows\SysWOW64\schtasks.exe
                            "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F
                            5⤵
                            • Creates scheduled task(s)
                            PID:4112
                          • C:\Windows\SysWOW64\cmd.exe
                            "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit
                            5⤵
                              PID:5088
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                6⤵
                                  PID:2428
                                • C:\Windows\SysWOW64\cacls.exe
                                  CACLS "legota.exe" /P "Admin:N"
                                  6⤵
                                    PID:1036
                                  • C:\Windows\SysWOW64\cacls.exe
                                    CACLS "legota.exe" /P "Admin:R" /E
                                    6⤵
                                      PID:4268
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                      6⤵
                                        PID:2296
                                      • C:\Windows\SysWOW64\cacls.exe
                                        CACLS "..\cb378487cf" /P "Admin:N"
                                        6⤵
                                          PID:4092
                                        • C:\Windows\SysWOW64\cacls.exe
                                          CACLS "..\cb378487cf" /P "Admin:R" /E
                                          6⤵
                                            PID:2004
                                        • C:\Windows\SysWOW64\rundll32.exe
                                          "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
                                          5⤵
                                          • Loads dropped DLL
                                          PID:1100
                                  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w2411947.exe
                                    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w2411947.exe
                                    2⤵
                                    • Executes dropped EXE
                                    PID:464
                                    • C:\Windows\system32\cmd.exe
                                      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\ABFF.tmp\AC00.tmp\AC01.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w2411947.exe"
                                      3⤵
                                        PID:1424
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
                                          4⤵
                                          • Enumerates system info in registry
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                                          • Suspicious use of FindShellTrayWindow
                                          • Suspicious use of SendNotifyMessage
                                          PID:1496
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ff9a72646f8,0x7ff9a7264708,0x7ff9a7264718
                                            5⤵
                                              PID:4116
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,9289916496248191918,3311411117803236372,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2572 /prefetch:8
                                              5⤵
                                                PID:740
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,9289916496248191918,3311411117803236372,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2552 /prefetch:3
                                                5⤵
                                                • Suspicious behavior: EnumeratesProcesses
                                                PID:1068
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,9289916496248191918,3311411117803236372,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2500 /prefetch:2
                                                5⤵
                                                  PID:2204
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9289916496248191918,3311411117803236372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
                                                  5⤵
                                                    PID:3392
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9289916496248191918,3311411117803236372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
                                                    5⤵
                                                      PID:4772
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9289916496248191918,3311411117803236372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3844 /prefetch:1
                                                      5⤵
                                                        PID:1036
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,9289916496248191918,3311411117803236372,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
                                                        5⤵
                                                          PID:4260
                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,9289916496248191918,3311411117803236372,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
                                                          5⤵
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          PID:3172
                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9289916496248191918,3311411117803236372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
                                                          5⤵
                                                            PID:1048
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9289916496248191918,3311411117803236372,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
                                                            5⤵
                                                              PID:4532
                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9289916496248191918,3311411117803236372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4124 /prefetch:1
                                                              5⤵
                                                                PID:4092
                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9289916496248191918,3311411117803236372,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1
                                                                5⤵
                                                                  PID:776
                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,9289916496248191918,3311411117803236372,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4900 /prefetch:2
                                                                  5⤵
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  PID:1816
                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
                                                                4⤵
                                                                  PID:2900
                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff9a72646f8,0x7ff9a7264708,0x7ff9a7264718
                                                                    5⤵
                                                                      PID:4444
                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,7382360727829346212,15927825564027678032,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
                                                                      5⤵
                                                                        PID:3328
                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,7382360727829346212,15927825564027678032,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
                                                                        5⤵
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        PID:1084
                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3624 -ip 3624
                                                                1⤵
                                                                  PID:3616
                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2384 -ip 2384
                                                                  1⤵
                                                                    PID:2976
                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 740 -ip 740
                                                                    1⤵
                                                                      PID:2036
                                                                    • C:\Windows\System32\CompPkgSrv.exe
                                                                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                      1⤵
                                                                        PID:3744
                                                                      • C:\Windows\System32\CompPkgSrv.exe
                                                                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                        1⤵
                                                                          PID:3380
                                                                        • C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
                                                                          C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
                                                                          1⤵
                                                                          • Executes dropped EXE
                                                                          PID:4188
                                                                        • C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
                                                                          C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
                                                                          1⤵
                                                                          • Executes dropped EXE
                                                                          PID:4740
                                                                        • C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
                                                                          C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
                                                                          1⤵
                                                                          • Executes dropped EXE
                                                                          PID:1808
                                                                        • C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
                                                                          C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
                                                                          1⤵
                                                                          • Executes dropped EXE
                                                                          PID:4480

                                                                              Downloads

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\3bfea12c-c3d4-4daf-a560-dc14beb68e4b.tmp

                                                                                Filesize

                                                                                10KB

                                                                                MD5

                                                                                32b586c1bdcc9de55941948b8a2570c7

                                                                                SHA1

                                                                                8def6291ae6824a2c5e5538618681d8924c0b125

                                                                                SHA256

                                                                                ad5d285e014f3654859192abdbd27f05842e6799bcf624a3973003738b2a5e35

                                                                                SHA512

                                                                                1212f133bafc757614791e9b48e1361ba811c8ef1bd6753bcaa74c13bea0c58406358132f243545bce29a2e56e9554da7242ef026aa5fe1d8dffe33307008c99

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                                                Filesize

                                                                                152B

                                                                                MD5

                                                                                3d5af55f794f9a10c5943d2f80dde5c5

                                                                                SHA1

                                                                                5252adf87d6bd769f2c39b9e8eba77b087a0160d

                                                                                SHA256

                                                                                43e50edafcaaeae9fcd4dce5b99bf14fe79dae1401019443f31aa9ff81347764

                                                                                SHA512

                                                                                2e2e09a00db732ff934da1e6ab8617fb3c8de482f9667a2c987435d0a5d67550b4bfd66e8b4475012b60908c24e39dff58e2f2ffa55f13ffc55caae1be630c71

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                                                Filesize

                                                                                152B

                                                                                MD5

                                                                                7a602869e579f44dfa2a249baa8c20fe

                                                                                SHA1

                                                                                e0ac4a8508f60cb0408597eb1388b3075e27383f

                                                                                SHA256

                                                                                9ecfb98abb311a853f6b532b8eb6861455ca3f0cc3b4b6b844095ad8fb28dfa5

                                                                                SHA512

                                                                                1f611034390aaeb815d92514cdeea68c52ceb101ad8ac9f0ae006226bebc15bfa283375b88945f38837c2423d2d397fbf832b85f7db230af6392c565d21f8d10

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\81078522-596a-44df-bc18-0f5392b1138f.tmp

                                                                                Filesize

                                                                                1KB

                                                                                MD5

                                                                                e02a13cfdf7640f1931a8a291a47c7ca

                                                                                SHA1

                                                                                477f174776cf20e2df9e5e4bde300f1de7d0654a

                                                                                SHA256

                                                                                95de271c7a6fefe5d883c4ca70141c121b69258f4e97042e86487c4d83d8e8c6

                                                                                SHA512

                                                                                88359542796af01eb2dafc9f95ece1f81b226755a2f3c0ba26c059f1004b343b7913eb17dfcfbe94fee9280b42fcd7435c2a897549134fe710e8e6798627de41

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                                                Filesize

                                                                                1KB

                                                                                MD5

                                                                                1a77a27cb4e203ea7441e30b9fe0e0dd

                                                                                SHA1

                                                                                67d17345512514bb81fe30bfd474c98809bf1cd5

                                                                                SHA256

                                                                                f06d782c6c6fa3922a63d7a2d6ae47b2031f5c8971c0ba4eef5949b92caebfd0

                                                                                SHA512

                                                                                418e3d85d14c73864c10adce983a7e1098485cd40e34d607ad92c247886bc08b9acffaa977217f7176cf6776146955d90f32807253ec1611abc60ff9178c71db

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                                                Filesize

                                                                                1KB

                                                                                MD5

                                                                                d1031a27043b95973abf61b6ea458b7f

                                                                                SHA1

                                                                                80c7888ce0e42f43a4f680af8ad47586a426e52c

                                                                                SHA256

                                                                                dcaaa503c139ab78315ddb55b6702a16559ef6e8681f1f6ba71c0e72093a3f78

                                                                                SHA512

                                                                                38c265c648287be8e4747965d056564688419a9b12ea3e985d0f123e67b0aee980aaea0e437db44faa5484ab7c3f2a5293d8ac372b5370b378375e0fb209f882

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                                                Filesize

                                                                                111B

                                                                                MD5

                                                                                285252a2f6327d41eab203dc2f402c67

                                                                                SHA1

                                                                                acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

                                                                                SHA256

                                                                                5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

                                                                                SHA512

                                                                                11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                Filesize

                                                                                6KB

                                                                                MD5

                                                                                379215fb7a4ca49834652232569b0859

                                                                                SHA1

                                                                                95dbc147e17b8eb9b5e9ec5f8e774dfee0eb75f3

                                                                                SHA256

                                                                                9ebc20f340ebc83279809034e95b875adfcb51df34bd57adb5a2402c51ee6676

                                                                                SHA512

                                                                                8fd8fd9a7ecc3879487669ecf36768a83c1dc96bb7cf14e589d5de8d27afa132f3b518b1294bdd326b8612da02e37c9d7fa433f56142b6af8c2fdaf2b9690252

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                Filesize

                                                                                5KB

                                                                                MD5

                                                                                cc601327cdbd829e94eb5290e20c60ff

                                                                                SHA1

                                                                                86bc2092a2b5844c52dc4951d88ff893137aa34e

                                                                                SHA256

                                                                                9e26e9f03e2842c374c939045d6932e96c09a8d733d03331e71ea98b73898e60

                                                                                SHA512

                                                                                8515162cecd6180ba153e8269fed832be58d174556d4d31ec56bddeeed75554b01572b95240cf73ca8e8c214ea20ce7d6bc1f4d8f5b715bdd5320d4dc0205c03

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

                                                                                Filesize

                                                                                24KB

                                                                                MD5

                                                                                10f5b64000466c1e6da25fb5a0115924

                                                                                SHA1

                                                                                cb253bacf2b087c4040eb3c6a192924234f68639

                                                                                SHA256

                                                                                d818b1cebb2d1e2b269f2e41654702a0df261e63ba2a479f34b75563265ee46b

                                                                                SHA512

                                                                                8a8d230594d6fade63ecd63ba60985a7ccd1353de8d0a119543985bf182fdbb45f38ccc96441c24f0792ea1c449de69563c38348c2bedb2845522a2f83a149db

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                                Filesize

                                                                                862B

                                                                                MD5

                                                                                4bcbfc3f81ed45b59227ff34c3adb982

                                                                                SHA1

                                                                                2b7334ef9606ffa9040c33139c66a696b0d6cd7d

                                                                                SHA256

                                                                                c15adba65eb11f843cc919ce7e40008cd9c2be967f0414259a4c9a3390f39b37

                                                                                SHA512

                                                                                3ff384000e8c8ce2ee573a9e190b2cb7164402a7334809a52a54aeff1ebcf8940ad1995382eeb42917f987381cc174ddd3f3b203e5604c9d505f9c291d2a063d

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                                Filesize

                                                                                864B

                                                                                MD5

                                                                                cc27a872f90e56f93aa1f4acf48fdffa

                                                                                SHA1

                                                                                93c01297d9888bcfb2c7ba347ba783368d6fd1d0

                                                                                SHA256

                                                                                088b7e1260f751ce440f0f8363b7accb664622fc5da73eccacfc7b58933d2c53

                                                                                SHA512

                                                                                1308a050ab7f88e7d60c1f09fba525ad28690c901563836c2b2272c50cdb6c83ea325ca7293d3225e5ff28190f4aa64b1bf3387a3fd3b03f881189bb67f370e1

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe585d7d.TMP

                                                                                Filesize

                                                                                862B

                                                                                MD5

                                                                                b7647e7c07544aa3c82e1b1ede58b809

                                                                                SHA1

                                                                                1e5212c18ead3d752c8a9d4c5c025a2eb09539e8

                                                                                SHA256

                                                                                c92c7bdbc1d3158dfb838fd76a9ca3af7c5552cfb90fd16ecdeb874711089431

                                                                                SHA512

                                                                                a886199aadd340084402f0021e1d77b20e0c9da0e82cd7ad5fef644065b349877991a575a0c2f1eccb1779a933d6cc96566fb86cd1855857caf727ac59fc92ef

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                                                Filesize

                                                                                16B

                                                                                MD5

                                                                                6752a1d65b201c13b62ea44016eb221f

                                                                                SHA1

                                                                                58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                                                SHA256

                                                                                0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                                                SHA512

                                                                                9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                                Filesize

                                                                                2KB

                                                                                MD5

                                                                                4446a480a8e9b5fe6efef9e4677d6e42

                                                                                SHA1

                                                                                e2f2184087540389b0ada66401f8c5f99377dc9c

                                                                                SHA256

                                                                                3993de71d892c940fb2d8be2de2dece7f54a6e94d48718f64cfdecba7efb4122

                                                                                SHA512

                                                                                1067404512ce4c458e7db22c688eb51157cc4068ae222f4ba77bbc4845d4d17a2a3ea06b3a8cb4fc47e9874bf468dd960fa96c4db036f3f99f7d48b63d972f07

                                                                              • C:\Users\Admin\AppData\Local\Temp\ABFF.tmp\AC00.tmp\AC01.bat

                                                                                Filesize

                                                                                90B

                                                                                MD5

                                                                                5a115a88ca30a9f57fdbb545490c2043

                                                                                SHA1

                                                                                67e90f37fc4c1ada2745052c612818588a5595f4

                                                                                SHA256

                                                                                52c4113e7f308faa933ae6e8ff5d1b955ba62d1edac0eb7c972caa26e1ae4e2d

                                                                                SHA512

                                                                                17c399dad7b7343d5b16156e4d83de78ff5755d12add358bd2987ed4216dd13d24cfec9ecdb92d9d6723bb1d20d8874c0bad969dbec69eed95beb7a2817eb4fe

                                                                              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w2411947.exe

                                                                                Filesize

                                                                                89KB

                                                                                MD5

                                                                                d5a325a2f73a22cae1d7128d77d0cd6b

                                                                                SHA1

                                                                                107ac44ca5e19e7c3610bc893ccc161d8b48379f

                                                                                SHA256

                                                                                f831569038447149e773bfaf34d6fa7bf6e987523f61820ffdf4527df1ff10b2

                                                                                SHA512

                                                                                64cafe7ad74cf5b0ab22ae5288d1e5e873d61a6c656bad98855ad2b55a6e41e9e316b840514e07c4539c0614a5a911f1571b9690a55d3a556ae0335902fa973e

                                                                              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5801298.exe

                                                                                Filesize

                                                                                906KB

                                                                                MD5

                                                                                cf0cf3fe598de22ece6e6f0e3d2963aa

                                                                                SHA1

                                                                                9f7c2c964b68de908c6f69c350def64d10406c91

                                                                                SHA256

                                                                                003feb5481bdff1f81b15d7ccfa9a972ccc0e10379cddf86d7011bfcdc3f2143

                                                                                SHA512

                                                                                0ffce94742dcdb9d1605567eb1c1ff2c04cab7b6c404b146f9b52ebb8f017ec461666f5586bb2d3669a32249da118970394afc0a518b8f817a68b64eea5e2438

                                                                              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u3430018.exe

                                                                                Filesize

                                                                                219KB

                                                                              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3486657.exe

                                                                                Filesize

                                                                                723KB

                                                                              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0532236.exe

                                                                                Filesize

                                                                                219KB

                                                                              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0249899.exe

                                                                                Filesize

                                                                                540KB

                                                                              • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s0576227.exe

                                                                                Filesize

                                                                                367KB

                                                                              • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0872261.exe

                                                                                Filesize

                                                                                293KB

                                                                              • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0970891.exe

                                                                                Filesize

                                                                                12KB

                                                                              • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r0910138.exe

                                                                                Filesize

                                                                                285KB

                                                                              • C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

                                                                                Filesize

                                                                                219KB

                                                                              • C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

                                                                                Filesize

                                                                                219KB

                                                                                MD5

                                                                                4bd59a6b3207f99fc3435baf3c22bc4e

                                                                                SHA1

                                                                                ae90587beed289f177f4143a8380ba27109d0a6f

                                                                                SHA256

                                                                                08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

                                                                                SHA512

                                                                                ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

                                                                              • C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

                                                                                Filesize

                                                                                219KB

                                                                                MD5

                                                                                4bd59a6b3207f99fc3435baf3c22bc4e

                                                                                SHA1

                                                                                ae90587beed289f177f4143a8380ba27109d0a6f

                                                                                SHA256

                                                                                08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

                                                                                SHA512

                                                                                ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

                                                                              • C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

                                                                                Filesize

                                                                                219KB

                                                                                MD5

                                                                                4bd59a6b3207f99fc3435baf3c22bc4e

                                                                                SHA1

                                                                                ae90587beed289f177f4143a8380ba27109d0a6f

                                                                                SHA256

                                                                                08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

                                                                                SHA512

                                                                                ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

                                                                              • C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

                                                                                Filesize

                                                                                219KB

                                                                                MD5

                                                                                4bd59a6b3207f99fc3435baf3c22bc4e

                                                                                SHA1

                                                                                ae90587beed289f177f4143a8380ba27109d0a6f

                                                                                SHA256

                                                                                08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

                                                                                SHA512

                                                                                ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

                                                                              • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

                                                                                Filesize

                                                                                89KB

                                                                                MD5

                                                                                e913b0d252d36f7c9b71268df4f634fb

                                                                                SHA1

                                                                                5ac70d8793712bcd8ede477071146bbb42d3f018

                                                                                SHA256

                                                                                4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da

                                                                                SHA512

                                                                                3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

                                                                              • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

                                                                                Filesize

                                                                                273B

                                                                                MD5

                                                                                a5b509a3fb95cc3c8d89cd39fc2a30fb

                                                                                SHA1

                                                                                5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c

                                                                                SHA256

                                                                                5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529

                                                                                SHA512

                                                                                3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

                                                                              • C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

                                                                                Filesize

                                                                                89KB

                                                                                MD5

                                                                                ec41f740797d2253dc1902e71941bbdb

                                                                                SHA1

                                                                                407b75f07cb205fee94c4c6261641bd40c2c28e9

                                                                                SHA256

                                                                                47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520

                                                                                SHA512

                                                                                e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33

                                                                              • C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

                                                                                Filesize

                                                                                273B

                                                                                MD5

                                                                                6d5040418450624fef735b49ec6bffe9

                                                                                SHA1

                                                                                5fff6a1a620a5c4522aead8dbd0a5a52570e8773

                                                                                SHA256

                                                                                dbc5ab846d6c2b4a1d0f6da31adeaa6467e8c791708bf4a52ef43adbb6b6c0d3

                                                                                SHA512

                                                                                bdf1d85e5f91c4994c5a68f7a1289435fd47069bc8f844d498d7dfd19b5609086e32700205d0fd7d1eb6c65bcc5fab5382de8b912f7ce9b6f7f09db43e49f0b0

                                                                              • memory/2352-59-0x0000000005070000-0x0000000005080000-memory.dmp

                                                                                Filesize

                                                                                64KB

                                                                              • memory/2352-56-0x0000000007540000-0x00000000075D2000-memory.dmp

                                                                                Filesize

                                                                                584KB

                                                                              • memory/2352-81-0x0000000007890000-0x000000000799A000-memory.dmp

                                                                                Filesize

                                                                                1.0MB

                                                                              • memory/2352-79-0x00000000086C0000-0x0000000008CD8000-memory.dmp

                                                                                Filesize

                                                                                6.1MB

                                                                              • memory/2352-84-0x00000000077C0000-0x00000000077D2000-memory.dmp

                                                                                Filesize

                                                                                72KB

                                                                              • memory/2352-85-0x0000000007820000-0x000000000785C000-memory.dmp

                                                                                Filesize

                                                                                240KB

                                                                              • memory/2352-246-0x0000000005070000-0x0000000005080000-memory.dmp

                                                                                Filesize

                                                                                64KB

                                                                              • memory/2352-241-0x0000000072FF0000-0x00000000737A0000-memory.dmp

                                                                                Filesize

                                                                                7.7MB

                                                                              • memory/2352-88-0x00000000079A0000-0x00000000079EC000-memory.dmp

                                                                                Filesize

                                                                                304KB

                                                                              • memory/2352-61-0x00000000075F0000-0x00000000075FA000-memory.dmp

                                                                                Filesize

                                                                                40KB

                                                                              • memory/2352-50-0x0000000000400000-0x000000000043E000-memory.dmp

                                                                                Filesize

                                                                                248KB

                                                                              • memory/2352-51-0x0000000072FF0000-0x00000000737A0000-memory.dmp

                                                                                Filesize

                                                                                7.7MB

                                                                              • memory/2352-55-0x0000000007AF0000-0x0000000008094000-memory.dmp

                                                                                Filesize

                                                                                5.6MB

                                                                              • memory/2384-43-0x0000000000400000-0x0000000000428000-memory.dmp

                                                                                Filesize

                                                                                160KB

                                                                              • memory/2384-46-0x0000000000400000-0x0000000000428000-memory.dmp

                                                                                Filesize

                                                                                160KB

                                                                              • memory/2384-44-0x0000000000400000-0x0000000000428000-memory.dmp

                                                                                Filesize

                                                                                160KB

                                                                              • memory/2384-42-0x0000000000400000-0x0000000000428000-memory.dmp

                                                                                Filesize

                                                                                160KB

                                                                              • memory/2972-38-0x00007FF9A6A90000-0x00007FF9A7551000-memory.dmp

                                                                                Filesize

                                                                                10.8MB

                                                                              • memory/2972-35-0x0000000000D30000-0x0000000000D3A000-memory.dmp

                                                                                Filesize

                                                                                40KB

                                                                              • memory/2972-36-0x00007FF9A6A90000-0x00007FF9A7551000-memory.dmp

                                                                                Filesize

                                                                                10.8MB