Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20230915-en locale:en-us os:windows10-2004-x64 system
  • submitted
    03/10/2023, 11:58

General

  • Target

    c32e43da1f1aab52f0b35a7378215a78587347f09853884d73196bb04a0a6872.exe

  • Size

    1.4MB

  • MD5

    db96a7a01d5ef13df1197c943926af9d

  • SHA1

    f33f12bb25c3acae5e62c118c80899a796b6fb53

  • SHA256

    c32e43da1f1aab52f0b35a7378215a78587347f09853884d73196bb04a0a6872

  • SHA512

    8efe7b2297c424e4d9e94f6fa210655f254c323c22a5601fd25b165c166f028c3e8f35329151b658dd324125f402209df502512c5114bedadeed1291c16e8a73

  • SSDEEP

    24576:xyfFiHD+Bt1xPf1yp8Hf0Ynq2sYkOR9u5//kf0xk7HMp8DqM/hUeK8B:kfFEyTT/0Yn2YkOR9u5//kxT9e

Malware Config

Extracted

Family

redline

Botnet

jordan

C2

77.91.124.55:19071

Extracted

Family

amadey

Version

3.89

C2

http://77.91.124.1/theme/index.php

http://77.91.68.78/help/index.php

Attributes
  • install_dir

    fefffe8cea

  • install_file

    explothe.exe

  • strings_key

    36a96139c1118a354edf72b1080d4b2f

rc4.plain
rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 16 IoCs
  • Loads dropped DLL 2 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c32e43da1f1aab52f0b35a7378215a78587347f09853884d73196bb04a0a6872.exe
    "C:\Users\Admin\AppData\Local\Temp\c32e43da1f1aab52f0b35a7378215a78587347f09853884d73196bb04a0a6872.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:224
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5408280.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5408280.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4524
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1856633.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1856633.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3868
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8055166.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8055166.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:3728
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9298734.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9298734.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:864
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1852473.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1852473.exe
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Executes dropped EXE
              • Windows security modification
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3580
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3399058.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3399058.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:368
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                7⤵
                  PID:2940
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 540
                    8⤵
                    • Program crash
                    PID:4220
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 596
                  7⤵
                  • Program crash
                  PID:2572
            • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9431967.exe
              C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9431967.exe
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:1136
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                6⤵
                  PID:4224
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 156
                  6⤵
                  • Program crash
                  PID:3132
            • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t4667719.exe
              C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t4667719.exe
              4⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:2588
              • C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
                "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
                5⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:4656
                • C:\Windows\SysWOW64\schtasks.exe
                  "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
                  6⤵
                  • Creates scheduled task(s)
                  PID:4068
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
                  6⤵
                    PID:4780
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                      7⤵
                        PID:2164
                      • C:\Windows\SysWOW64\cacls.exe
                        CACLS "explothe.exe" /P "Admin:N"
                        7⤵
                          PID:524
                        • C:\Windows\SysWOW64\cacls.exe
                          CACLS "explothe.exe" /P "Admin:R" /E
                          7⤵
                            PID:1768
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                            7⤵
                              PID:432
                            • C:\Windows\SysWOW64\cacls.exe
                              CACLS "..\fefffe8cea" /P "Admin:N"
                              7⤵
                                PID:3992
                              • C:\Windows\SysWOW64\cacls.exe
                                CACLS "..\fefffe8cea" /P "Admin:R" /E
                                7⤵
                                  PID:3976
                              • C:\Windows\SysWOW64\rundll32.exe
                                "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
                                6⤵
                                • Loads dropped DLL
                                PID:5164
                        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u0759130.exe
                          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u0759130.exe
                          3⤵
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Suspicious use of WriteProcessMemory
                          PID:4864
                          • C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
                            "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"
                            4⤵
                            • Checks computer location settings
                            • Executes dropped EXE
                            • Suspicious use of WriteProcessMemory
                            PID:4452
                            • C:\Windows\SysWOW64\schtasks.exe
                              "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F
                              5⤵
                              • Creates scheduled task(s)
                              PID:8
                            • C:\Windows\SysWOW64\cmd.exe
                              "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit
                              5⤵
                                PID:2204
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                  6⤵
                                    PID:5012
                                  • C:\Windows\SysWOW64\cacls.exe
                                    CACLS "legota.exe" /P "Admin:N"
                                    6⤵
                                      PID:3736
                                    • C:\Windows\SysWOW64\cacls.exe
                                      CACLS "legota.exe" /P "Admin:R" /E
                                      6⤵
                                        PID:4748
                                      • C:\Windows\SysWOW64\cacls.exe
                                        CACLS "..\cb378487cf" /P "Admin:N"
                                        6⤵
                                          PID:4740
                                        • C:\Windows\SysWOW64\cmd.exe
                                          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                          6⤵
                                            PID:4336
                                          • C:\Windows\SysWOW64\cacls.exe
                                            CACLS "..\cb378487cf" /P "Admin:R" /E
                                            6⤵
                                              PID:1472
                                          • C:\Windows\SysWOW64\rundll32.exe
                                            "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
                                            5⤵
                                            • Loads dropped DLL
                                            PID:3812
                                    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w9101287.exe
                                      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w9101287.exe
                                      2⤵
                                      • Executes dropped EXE
                                      • Suspicious use of WriteProcessMemory
                                      PID:3876
                                      • C:\Windows\system32\cmd.exe
                                        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\EA9E.tmp\EA9F.tmp\EAA0.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w9101287.exe"
                                        3⤵
                                          PID:4552
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
                                            4⤵
                                            • Enumerates system info in registry
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                                            • Suspicious use of FindShellTrayWindow
                                            • Suspicious use of SendNotifyMessage
                                            PID:2488
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffa5d0946f8,0x7ffa5d094708,0x7ffa5d094718
                                              5⤵
                                                PID:3056
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2244,4353107189317795441,3113245550919324526,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2256 /prefetch:2
                                                5⤵
                                                  PID:4900
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2244,4353107189317795441,3113245550919324526,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
                                                  5⤵
                                                    PID:2196
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2244,4353107189317795441,3113245550919324526,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
                                                    5⤵
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    PID:4572
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,4353107189317795441,3113245550919324526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
                                                    5⤵
                                                      PID:4068
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,4353107189317795441,3113245550919324526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
                                                      5⤵
                                                        PID:4200
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,4353107189317795441,3113245550919324526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:1
                                                        5⤵
                                                          PID:4712
                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,4353107189317795441,3113245550919324526,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8
                                                          5⤵
                                                            PID:3820
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,4353107189317795441,3113245550919324526,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8
                                                            5⤵
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            PID:4724
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,4353107189317795441,3113245550919324526,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
                                                            5⤵
                                                              PID:220
                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,4353107189317795441,3113245550919324526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
                                                              5⤵
                                                                PID:2516
                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,4353107189317795441,3113245550919324526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
                                                                5⤵
                                                                  PID:2568
                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,4353107189317795441,3113245550919324526,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
                                                                  5⤵
                                                                    PID:3816
                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2244,4353107189317795441,3113245550919324526,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3084 /prefetch:2
                                                                    5⤵
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    PID:5824
                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
                                                                  4⤵
                                                                    PID:1904
                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffa5d0946f8,0x7ffa5d094708,0x7ffa5d094718
                                                                      5⤵
                                                                        PID:2928
                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1968,17341027096377107078,9797894429993711241,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1984 /prefetch:2
                                                                        5⤵
                                                                          PID:388
                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1968,17341027096377107078,9797894429993711241,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2452 /prefetch:3
                                                                          5⤵
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          PID:2588
                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 368 -ip 368
                                                                  1⤵
                                                                    PID:60
                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2940 -ip 2940
                                                                    1⤵
                                                                      PID:2848
                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1136 -ip 1136
                                                                      1⤵
                                                                        PID:3816
                                                                      • C:\Windows\System32\CompPkgSrv.exe
                                                                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                        1⤵
                                                                          PID:3992
                                                                        • C:\Windows\System32\CompPkgSrv.exe
                                                                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                          1⤵
                                                                            PID:3820
                                                                          • C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
                                                                            C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
                                                                            1⤵
                                                                            • Executes dropped EXE
                                                                            PID:6096
                                                                          • C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
                                                                            C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
                                                                            1⤵
                                                                            • Executes dropped EXE
                                                                            PID:6112
                                                                          • C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
                                                                            C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
                                                                            1⤵
                                                                            • Executes dropped EXE
                                                                            PID:5804
                                                                          • C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
                                                                            C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
                                                                            1⤵
                                                                            • Executes dropped EXE
                                                                            PID:5772

Network

MITRE ATT&CK Enterprise v15

                                                                                Downloads

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                                                  Filesize

                                                                                  152B

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                                                  Filesize

                                                                                  152B

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\2c990a12-a2dd-417e-b51a-f85b00de87f1.tmp

                                                                                  Filesize

                                                                                  1KB

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                                                  Filesize

                                                                                  1KB

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                                                  Filesize

                                                                                  111B

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                  Filesize

                                                                                  6KB

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                  Filesize

                                                                                  5KB

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

                                                                                  Filesize

                                                                                  24KB

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                                  Filesize

                                                                                  872B

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                                  Filesize

                                                                                  872B

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe589bed.TMP

                                                                                  Filesize

                                                                                  872B

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                                                  Filesize

                                                                                  16B

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                                  Filesize

                                                                                  10KB

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                                  Filesize

                                                                                  2KB

                                                                                • C:\Users\Admin\AppData\Local\Temp\EA9E.tmp\EA9F.tmp\EAA0.bat

                                                                                  Filesize

                                                                                  90B

                                                                                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w9101287.exe

                                                                                  Filesize

                                                                                  90KB

                                                                                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5408280.exe

                                                                                  Filesize

                                                                                  1.3MB

                                                                                • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u0759130.exe

                                                                                  Filesize

                                                                                  219KB

                                                                                • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1856633.exe

                                                                                  Filesize

                                                                                  1.1MB

                                                                                  MD5

                                                                                  18165959afa2070cb2cd6caaa7372992

                                                                                  SHA1

                                                                                  9fcbac0253a9db09c538ae845d2909432cb16eca

                                                                                  SHA256

                                                                                  6d3d215a0cb5fc7f5cd40caa266bed5986b078e08f604d6c527d67dd0adf6a9b

                                                                                  SHA512

                                                                                  2875afebac74dd6e5a3fcadb7228daf9241bf45ce7ed24e639f151e08ef7ec099eca486ae8bc9a7d4e9e0ac02e4f4040439128b7d2ac97948cc327916dc0d370

                                                                                • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t4667719.exe

                                                                                  Filesize

                                                                                  219KB

                                                                                  MD5

                                                                                  4bd59a6b3207f99fc3435baf3c22bc4e

                                                                                  SHA1

                                                                                  ae90587beed289f177f4143a8380ba27109d0a6f

                                                                                  SHA256

                                                                                  08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

                                                                                  SHA512

                                                                                  ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

                                                                                • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8055166.exe

                                                                                  Filesize

                                                                                  920KB

                                                                                  MD5

                                                                                  01dfaae2bf92a4e84f2ff793d710331a

                                                                                  SHA1

                                                                                  715508dfb740e52dcad6aabcbe86c402ac922722

                                                                                  SHA256

                                                                                  1186720b7a3c5c94abce7a6350a0437051c7bf9cdeef347d69407f42816c7133

                                                                                  SHA512

                                                                                  34288428f20f39daf3b1394152c187ca79c932fb4115b43ec5536fd70c5ba87469f0c40aacd5bd7dc3f20cd1650b030f7505bd1fd8648a2d671103cf31deb3ea

                                                                                • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9431967.exe

                                                                                  Filesize

                                                                                  1.5MB

                                                                                  MD5

                                                                                  17be0273d4664a3091fd2c278c98f1c9

                                                                                  SHA1

                                                                                  565420c2490eb058096d2155d347c469004a150b

                                                                                  SHA256

                                                                                  9de280b82bbf600aa63280b73b507e315c3f641e14b5da47bd113f1d0c923c4a

                                                                                  SHA512

                                                                                  0821123eec77914e1e3afb149878f049262ac3a2e97ca4152482de66df3f651bfca72e2f0218f6dfed5afa37a8828bd3ef1a67d107d2bf6448cc64ad157e8023

                                                                                • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9298734.exe

                                                                                  Filesize

                                                                                  484KB

                                                                                  MD5

                                                                                  1007173b5ab2cb724aaa101c3ebf9e8e

                                                                                  SHA1

                                                                                  20a2fcd834ed988dffe164716d4b0be3640cd41b

                                                                                  SHA256

                                                                                  f34b9a354179a91e73124161202366ac71d8be0a56e073e01a713048c0306297

                                                                                  SHA512

                                                                                  aeec6beb30ddfbdf287b6628ab7764ab563fb8aac181f249405bfd40ae9c1587c085e865089b9ed628f11e682153880b063ba216b4a293a300fe77aea2ad4f01

                                                                                • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1852473.exe

                                                                                  Filesize

                                                                                  12KB

                                                                                  MD5

                                                                                  7d3e9519d040ef486f916d2fd0e1e575

                                                                                  SHA1

                                                                                  c4fbdb2d2dd539d89c884c527fb9b563576eb255

                                                                                  SHA256

                                                                                  a9009400a38edb155dceb082d00494c18d7743c8f4f7520e96ce164121b96c6e

                                                                                  SHA512

                                                                                  b8630e07c85e73e8024d2d2703ab88f83f685a3d4afcc837792aa69515b780570dff886f77f7e305d324e96be9ae009f3cb8a26678042d5494093281f4e7790c

                                                                                • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3399058.exe

                                                                                  Filesize

                                                                                  1.4MB

                                                                                  MD5

                                                                                  dff3675777834901577451dc381fded7

                                                                                  SHA1

                                                                                  69f3380649846dd90d9d535179c3e727eeae773c

                                                                                  SHA256

                                                                                  f4d718259b7f4af46ded5dfee7109a212ecaace13a76b915a7835f85aab2065c

                                                                                  SHA512

                                                                                  76179d864dcdb0bf54fbd3087b33c6ede20a072fe974fe75ae4910edfab36c26355a9ca00b131b6b3f9147bc2b6ae013aefe5ce2aa1cf66f70b6135a24745617

                                                                                • C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

                                                                                  Filesize

                                                                                  219KB

                                                                                  MD5

                                                                                  a427281ec99595c2a977a70e0009a30c

                                                                                  SHA1

                                                                                  c937c5d14127921f068a081bb3e8f450c9966852

                                                                                  SHA256

                                                                                  40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

                                                                                  SHA512

                                                                                  2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

                                                                                • C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

                                                                                  Filesize

                                                                                  219KB

                                                                                  MD5

                                                                                  4bd59a6b3207f99fc3435baf3c22bc4e

                                                                                  SHA1

                                                                                  ae90587beed289f177f4143a8380ba27109d0a6f

                                                                                  SHA256

                                                                                  08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

                                                                                  SHA512

                                                                                  ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

                                                                                • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

                                                                                  Filesize

                                                                                  89KB

                                                                                • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

                                                                                  Filesize

                                                                                  273B

                                                                                • C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

                                                                                  Filesize

                                                                                  89KB

                                                                                • C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

                                                                                  Filesize

                                                                                  273B
