Analysis

  • max time kernel
    167s
  • max time network
    183s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/10/2023, 21:02

General

  • Target

    a7dc0fcb08e8a94f5aed844178224ed5869f77122108fbd998ff73f9ea45c592.exe

  • Size

    1.2MB

  • MD5

    680755e37b436324d2dc5a58eee8dfe0

  • SHA1

    b72b9c916868b8992729d07bc4f5eff56a395a29

  • SHA256

    a7dc0fcb08e8a94f5aed844178224ed5869f77122108fbd998ff73f9ea45c592

  • SHA512

    a1afd7eb1aa3bd071f15f182c116fcdf8c67affcba329f8bc8e5305933ab00066c110a44a26c88998efb3eea3f154b46000390a87631ee09bf7ede95d15238f6

  • SSDEEP

    24576:WyaFX9VQyKOClEaNrpOTR6Ll1kGg7cjOOdlQ31kwdGfTI6G0dXJP1:lEKyJCeaNtOTR2u7cjzXOkiGfQ6

Malware Config

Extracted

Family

redline

Botnet

frant

C2

77.91.124.55:19071

Extracted

Family

amadey

Version

3.89

C2

http://77.91.124.1/theme/index.php

http://77.91.68.78/help/index.php

Attributes
  • install_dir

    fefffe8cea

  • install_file

    explothe.exe

  • strings_key

    36a96139c1118a354edf72b1080d4b2f

rc4.plain
rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Detect Mystic stealer payload 4 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 14 IoCs
  • Loads dropped DLL 2 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a7dc0fcb08e8a94f5aed844178224ed5869f77122108fbd998ff73f9ea45c592.exe
    "C:\Users\Admin\AppData\Local\Temp\a7dc0fcb08e8a94f5aed844178224ed5869f77122108fbd998ff73f9ea45c592.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4992
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XV8FY92.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XV8FY92.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4352
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ep2hL91.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ep2hL91.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4420
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AS7bn17.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AS7bn17.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:4148
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ya0OW06.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ya0OW06.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:3936
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1kE90Pp5.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1kE90Pp5.exe
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Executes dropped EXE
              • Windows security modification
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3244
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2KH19Fl.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2KH19Fl.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:1892
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                7⤵
                  PID:4192
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 540
                    8⤵
                    • Program crash
                    PID:1244
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 156
                  7⤵
                  • Program crash
                  PID:4472
            • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3GL6490.exe
              C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3GL6490.exe
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:4320
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                6⤵
                  PID:4952
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 4320 -s 156
                  6⤵
                  • Program crash
                  PID:3136
            • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4RK425BI.exe
              C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4RK425BI.exe
              4⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:5060
              • C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
                "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
                5⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:2116
                • C:\Windows\SysWOW64\schtasks.exe
                  "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
                  6⤵
                  • Creates scheduled task(s)
                  PID:1332
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
                  6⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2208
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                    7⤵
                      PID:896
                    • C:\Windows\SysWOW64\cacls.exe
                      CACLS "explothe.exe" /P "Admin:N"
                      7⤵
                        PID:4568
                      • C:\Windows\SysWOW64\cacls.exe
                        CACLS "explothe.exe" /P "Admin:R" /E
                        7⤵
                          PID:3264
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                          7⤵
                            PID:504
                          • C:\Windows\SysWOW64\cacls.exe
                            CACLS "..\fefffe8cea" /P "Admin:N"
                            7⤵
                              PID:572
                            • C:\Windows\SysWOW64\cacls.exe
                              CACLS "..\fefffe8cea" /P "Admin:R" /E
                              7⤵
                                PID:3724
                            • C:\Windows\SysWOW64\rundll32.exe
                              "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
                              6⤵
                              • Loads dropped DLL
                              PID:1696
                      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5jJ8Rl9.exe
                        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5jJ8Rl9.exe
                        3⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Suspicious use of WriteProcessMemory
                        PID:3524
                        • C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
                          "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"
                          4⤵
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Suspicious use of WriteProcessMemory
                          PID:4964
                          • C:\Windows\SysWOW64\schtasks.exe
                            "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F
                            5⤵
                            • Creates scheduled task(s)
                            PID:1648
                          • C:\Windows\SysWOW64\cmd.exe
                            "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit
                            5⤵
                              PID:608
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                6⤵
                                  PID:2616
                                • C:\Windows\SysWOW64\cacls.exe
                                  CACLS "legota.exe" /P "Admin:N"
                                  6⤵
                                    PID:2644
                                  • C:\Windows\SysWOW64\cacls.exe
                                    CACLS "legota.exe" /P "Admin:R" /E
                                    6⤵
                                      PID:2576
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                      6⤵
                                        PID:912
                                      • C:\Windows\SysWOW64\cacls.exe
                                        CACLS "..\cb378487cf" /P "Admin:N"
                                        6⤵
                                          PID:4240
                                        • C:\Windows\SysWOW64\cacls.exe
                                          CACLS "..\cb378487cf" /P "Admin:R" /E
                                          6⤵
                                            PID:948
                                        • C:\Windows\SysWOW64\rundll32.exe
                                          "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
                                          5⤵
                                          • Loads dropped DLL
                                          PID:1828
                                  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6tT5rY91.exe
                                    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6tT5rY91.exe
                                    2⤵
                                    • Executes dropped EXE
                                    PID:2652
                                    • C:\Windows\system32\cmd.exe
                                      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9EEB.tmp\9EEC.tmp\9EED.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6tT5rY91.exe"
                                      3⤵
                                        PID:1464
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
                                          4⤵
                                            PID:2812
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x170,0x174,0x178,0x14c,0x17c,0x7ffb933746f8,0x7ffb93374708,0x7ffb93374718
                                              5⤵
                                                PID:3184
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,7284207343622144448,14696606965272990753,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
                                                5⤵
                                                  PID:5060
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,7284207343622144448,14696606965272990753,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
                                                  5⤵
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  PID:2784
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
                                                4⤵
                                                • Enumerates system info in registry
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                                                • Suspicious use of FindShellTrayWindow
                                                • Suspicious use of SendNotifyMessage
                                                PID:3132
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffb933746f8,0x7ffb93374708,0x7ffb93374718
                                                  5⤵
                                                    PID:1392
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,12130688788509362070,5174846019011825241,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
                                                    5⤵
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    PID:1780
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,12130688788509362070,5174846019011825241,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
                                                    5⤵
                                                      PID:1116
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,12130688788509362070,5174846019011825241,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:8
                                                      5⤵
                                                        PID:1808
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12130688788509362070,5174846019011825241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
                                                        5⤵
                                                          PID:5112
                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12130688788509362070,5174846019011825241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
                                                          5⤵
                                                            PID:4528
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12130688788509362070,5174846019011825241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:1
                                                            5⤵
                                                              PID:2932
                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12130688788509362070,5174846019011825241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
                                                              5⤵
                                                                PID:3436
                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12130688788509362070,5174846019011825241,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
                                                                5⤵
                                                                  PID:3280
                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,12130688788509362070,5174846019011825241,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4416 /prefetch:8
                                                                  5⤵
                                                                    PID:4320
                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,12130688788509362070,5174846019011825241,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4416 /prefetch:8
                                                                    5⤵
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    PID:2628
                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12130688788509362070,5174846019011825241,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
                                                                    5⤵
                                                                      PID:3380
                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12130688788509362070,5174846019011825241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
                                                                      5⤵
                                                                        PID:4572
                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1892 -ip 1892
                                                                1⤵
                                                                  PID:1788
                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4192 -ip 4192
                                                                  1⤵
                                                                    PID:3640
                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4320 -ip 4320
                                                                    1⤵
                                                                      PID:2588
                                                                    • C:\Windows\System32\CompPkgSrv.exe
                                                                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                      1⤵
                                                                        PID:1656
                                                                      • C:\Windows\System32\CompPkgSrv.exe
                                                                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                        1⤵
                                                                          PID:3760
                                                                        • C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
                                                                          C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
                                                                          1⤵
                                                                          • Executes dropped EXE
                                                                          PID:3408
                                                                        • C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
                                                                          C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
                                                                          1⤵
                                                                          • Executes dropped EXE
                                                                          PID:4380

                                                                        Network

                                                                              MITRE ATT&CK Enterprise v15

                                                                              Downloads

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                                                Filesize

                                                                                152B

                                                                                MD5

                                                                                c126b33f65b7fc4ece66e42d6802b02e

                                                                                SHA1

                                                                                2a169a1c15e5d3dab708344661ec04d7339bcb58

                                                                                SHA256

                                                                                ca9d2a9ab8047067c8a78be0a7e7af94af34957875de8e640cf2f98b994f52d8

                                                                                SHA512

                                                                                eecbe3f0017e902639e0ecb8256ae62bf681bb5f80a7cddc9008d2571fe34d91828dfaee9a8df5a7166f337154232b9ea966c83561ace45d1e2923411702e822

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                                                Filesize

                                                                                152B

                                                                                MD5

                                                                                db9dbef3f8b1f616429f605c1ebca2f0

                                                                                SHA1

                                                                                ffba76f0836c024828d4ff1982cc4240c41a8f16

                                                                                SHA256

                                                                                3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1

                                                                                SHA512

                                                                                4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                                                Filesize

                                                                                1KB

                                                                                MD5

                                                                                e21e87c0f101045f8476971adb475957

                                                                                SHA1

                                                                                c0efd46ccc6bd7bd0c46cf1c904d996242f21930

                                                                                SHA256

                                                                                150b331c1538177e9ef7bae9a90c82e39b935bb73f6b1631a6301821b898b4de

                                                                                SHA512

                                                                                b8b7f2518ccc067140333f4df2e2182a5db322ba7893de118ec922f894f591abc41d8d7325fa32a4b18f75f6b881d695f802a3138b2358ea2450f1b2c5de9c63

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                                                Filesize

                                                                                111B

                                                                                MD5

                                                                                285252a2f6327d41eab203dc2f402c67

                                                                                SHA1

                                                                                acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

                                                                                SHA256

                                                                                5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

                                                                                SHA512

                                                                                11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                                                Filesize

                                                                                1KB

                                                                                MD5

                                                                                c0ec1c8ac729502fe697ef5691d366ac

                                                                                SHA1

                                                                                d73e798868efa3e0dd96b0cb9bdb8b12497e99d4

                                                                                SHA256

                                                                                f921fc1d12c3ee1fdd04888ed5813abdf71e2c69e091f1766b7fddedb62c6669

                                                                                SHA512

                                                                                6a229465b23613555a07b7e2b11446f23ac1ab53ade7d1ed9ac65dbab26d8ec1ef5f91e733e0f8136c95011c6b6764894d52c9f1575db1f0fa5ff55969d5c98c

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                Filesize

                                                                                6KB

                                                                                MD5

                                                                                5126bf8ccc04d4a079a128f1d9590147

                                                                                SHA1

                                                                                73188e2cc473d820979c816a388ec209bc2d3824

                                                                                SHA256

                                                                                458601ea29329487b6d9c11986c6acf3862e33f06e9c1bee449443b6d515f8c1

                                                                                SHA512

                                                                                811802b631b061d720dfbe39d09152efc4a61e35fa12b8333d6934156ffb18381526c6992573cc29d80f079b680c89f63993a7f8bff69a34c50257304c0662dc

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                Filesize

                                                                                5KB

                                                                                MD5

                                                                                3242dc2daf6d7ae3bea8f7177c6dcc31

                                                                                SHA1

                                                                                a39850cc4cf144f2466965e9c64179cf02528cd8

                                                                                SHA256

                                                                                d0f8ba0630e1577efd26a1f55f127b963815f0217286e8bca14e60fb5f2b313c

                                                                                SHA512

                                                                                ccfa6bfd1843cc8b1481e65fa8a0bf86da7720a29893f69b55b009574ab7d6f8c86a844b19daac1f9b31ee61dc11246eb319d9eee02af9cf134be31e62dbf253

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

                                                                                Filesize

                                                                                24KB

                                                                                MD5

                                                                                6dcb90ba1ba8e06c1d4f27ec78f6911a

                                                                                SHA1

                                                                                71e7834c7952aeb9f1aa6eb88e1959a1ae4985d9

                                                                                SHA256

                                                                                30d89e5026668c5a58bef231930a8bfb27ca099b24399a2615b210210d418416

                                                                                SHA512

                                                                                dc31807eaeb5221ac60d598035ca3ccab1dbeecc95caaff5e1f5a2a89ba1c83ef0a708ee0b8ed05b588ea5d50e360032a534356f84c89d3791df91d419daeff9

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                                Filesize

                                                                                872B

                                                                                MD5

                                                                                3972189eab6cfaa9fc5ef0f6f6784df8

                                                                                SHA1

                                                                                39ce2efd895e77ad51f0e0ce31f0e318b5e8ff00

                                                                                SHA256

                                                                                a01839f3960fa9935cfb699472739a766768656d10e3e0bcfcaeb520339a0734

                                                                                SHA512

                                                                                928ade8434379058e782e7231b46d5e6a9b4454dbfb1b0f5c1c651ab4e6d78418a1f9178ff0892d674e28ed0986b919c4b4f56ce8fde4c41699f0d03e6f6aa0d

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                                Filesize

                                                                                872B

                                                                                MD5

                                                                                f9354ff8a1f5f1f41adda1774260bdd2

                                                                                SHA1

                                                                                cbfdda4bad5a333a275fad6d53a9bb77319b052f

                                                                                SHA256

                                                                                4c09a45a96a5896fd1ae2411b6392cb4ba11a497eef2433f68b3c11e69b142e5

                                                                                SHA512

                                                                                95296d45a0fc4ff5b56493ecd531014ad14bdee0fbf29bd753b02b27871c94a7002eb7cac20ed26649a6f9eea1dd5fe019407fd8f86d202aaf236b83834a09bf

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                                Filesize

                                                                                872B

                                                                                MD5

                                                                                9ebcb43f6eef63bec70277a4275d2800

                                                                                SHA1

                                                                                48a8012d33a86bf3a9c719fe9a9b48a6afba7e01

                                                                                SHA256

                                                                                45b82b1bf0811603d5e09fcc41bef91839e33bfbd501680baf056a8e762b1910

                                                                                SHA512

                                                                                ca0e12ab81993db9809c0abefdf7a542e1bbfcf83cc31d77ef64e9710f6a08b05d63a054e226d6841a8064a1430e5bc42d38fd09a13f08dd1be770e8a4bbeada

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59166c.TMP

                                                                                Filesize

                                                                                872B

                                                                                MD5

                                                                                1fb51ece20cbb07dc4b35961ab586aac

                                                                                SHA1

                                                                                13e2793a6043b3fa713a153595e4d254e6f76159

                                                                                SHA256

                                                                                2043ed12e6d0e24095e0b29298be955cc26afdea72b842b0936a938348b93f3b

                                                                                SHA512

                                                                                6657cbb5bd8df62c6e42b6887be15e13fede3d8e3ac16b090971e8ab8927a364bd50db500ed6a295bf41545a9a63b080941ba1974ddf32c5250011f3366b4519

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                                                Filesize

                                                                                16B

                                                                                MD5

                                                                                6752a1d65b201c13b62ea44016eb221f

                                                                                SHA1

                                                                                58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                                                SHA256

                                                                                0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                                                SHA512

                                                                                9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                                Filesize

                                                                                2KB

                                                                                MD5

                                                                                a4c84941edb4449e14ce05b14690b53e

                                                                                SHA1

                                                                                c430d3b3e748eb4d83c301bb6d3cc6d2f77cdd7e

                                                                                SHA256

                                                                                6ffe8179a361fb9ef8b85652bc9d2cebb16dfccbffcda9f9a03b970d3b7c7724

                                                                                SHA512

                                                                                f8943d7fec139b1bb5f831348ec96d0aa6d447d581f269ac1f4f911fb33830a8d90da7d0616ff9da4fe8c0b45d0b09d17163576f71971a894b182f1e27ee1ed4

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                                Filesize

                                                                                10KB

                                                                                MD5

                                                                                8510283f3294cd4ed886a98de54719fe

                                                                                SHA1

                                                                                4912a608d28564b7087fb8bf67401d5e0cb73b83

                                                                                SHA256

                                                                                eb40468be9c4a7ab103e2ba28d071fe48c218b1480ebafb0d419d056cf63529c

                                                                                SHA512

                                                                                865d5f037443f38d0b00a49668fd22c0ed78829ee0dac092553778ff50d1517abcf40366fded176eefe7db251af7c7fee6bd32ea20069c32ab731d12efa2d1b4

                                                                              • C:\Users\Admin\AppData\Local\Temp\9EEB.tmp\9EEC.tmp\9EED.bat

                                                                                Filesize

                                                                                90B

                                                                                MD5

                                                                                5a115a88ca30a9f57fdbb545490c2043

                                                                                SHA1

                                                                                67e90f37fc4c1ada2745052c612818588a5595f4

                                                                                SHA256

                                                                                52c4113e7f308faa933ae6e8ff5d1b955ba62d1edac0eb7c972caa26e1ae4e2d

                                                                                SHA512

                                                                                17c399dad7b7343d5b16156e4d83de78ff5755d12add358bd2987ed4216dd13d24cfec9ecdb92d9d6723bb1d20d8874c0bad969dbec69eed95beb7a2817eb4fe

                                                                              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6tT5rY91.exe

                                                                                Filesize

                                                                                100KB

                                                                                MD5

                                                                                8a607b0a71417401972b54320c72252d

                                                                                SHA1

                                                                                dffa8a8a0ec362da25c4844f658c0e82eebd9dba

                                                                                SHA256

                                                                                ed0cbfd37ffc24ccd7b2bf2a68cb96bcc28875329b0550ff58fa0a8ce9a22408

                                                                                SHA512

                                                                                7329b5c1c9c9811bc856a206e7229083573d423de0afadd6fead62b338c2c311e0e8a7e0bb991d2f56b8cb5bddb5100cb156e6995e0f53a94fce14b205f8a699

                                                                              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XV8FY92.exe

                                                                                Filesize

                                                                                1.1MB

                                                                                MD5

                                                                                12afe9c4cc6212d11aa0446e2f31aaaf

                                                                                SHA1

                                                                                f9edd847e4324946f3cb08e8be8710e20b469ad2

                                                                                SHA256

                                                                                298f6c864e233d40e8a1613af6b3d672203874fe94ad441140fe0b53e9d94197

                                                                                SHA512

                                                                                98744dbc885b8c8ebb397153e27dda736aae8ca6f1f8cf0ddf231bdc93a201910ce7bb65f0eb304c1f0f20c52dbbe47ceaaa5c95d763d126b796d588bfd46813

                                                                              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5jJ8Rl9.exe

                                                                                Filesize

                                                                                219KB

                                                                                MD5

                                                                                a427281ec99595c2a977a70e0009a30c

                                                                                SHA1

                                                                                c937c5d14127921f068a081bb3e8f450c9966852

                                                                                SHA256

                                                                                40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

                                                                                SHA512

                                                                                2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

                                                                              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ep2hL91.exe

                                                                                Filesize

                                                                                929KB

                                                                                MD5

                                                                                515a64a918455855b32e5465faf5a22c

                                                                                SHA1

                                                                                0f35f3bbcb440770b81f940011ce85a00faf3b3d

                                                                                SHA256

                                                                                2f4ac48edf33f0c9202b40cc9395aa8a0ec2b286e4abb108357b20c0b519b304

                                                                                SHA512

                                                                                e2811af4d3f6541065bf975509e0c9fcf7f7c1e5245c2e7cbffcf1605bbbe7ee9f576aeb795afc354e49ddb84b8d4bdd60df20d67c39f50c0dc0dff62728e2c8

                                                                              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4RK425BI.exe

                                                                                Filesize

                                                                                219KB

                                                                                MD5

                                                                                4bd59a6b3207f99fc3435baf3c22bc4e

                                                                                SHA1

                                                                                ae90587beed289f177f4143a8380ba27109d0a6f

                                                                                SHA256

                                                                                08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

                                                                                SHA512

                                                                                ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

                                                                              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AS7bn17.exe

                                                                                Filesize

                                                                                747KB

                                                                                MD5

                                                                                71e65eec8707a0faee05af47f8a37350

                                                                                SHA1

                                                                                46eedcbdb0ffb6ea9fb09d96b970d64d43cb229c

                                                                                SHA256

                                                                                37d90bba3b3d13fdeaf063d3d1e63d0b91f37ea0c0ed0615cc862ae2ba8dae59

                                                                                SHA512

                                                                                986d6e2fc4e096769416664853b4a7e2bc12b81b27e2be4aec1fe9577cadffdedb305892948de0f089cfdc877216403bea3a4f804becc63162b27e56b12af2ee

                                                                              • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3GL6490.exe

                                                                                Filesize

                                                                                459KB

                                                                                MD5

                                                                                a056801b23fcbd9b5118e59911e03688

                                                                                SHA1

                                                                                960f571adbc2afe2a5e30d4db081fdd7367860e3

                                                                                SHA256

                                                                                237cbdfbb9826ab4b9a3a770b6a4af1d266d648c07c2ab77b3dcb88559521fe1

                                                                                SHA512

                                                                                15ea9e4365b7e3fbc2c33f7e8584d423de7866b2af055e6ed1c17c47a04d96672cf18d2aaef03ea7b873880ebb11815bdac8488562a04cd753384342851409da

                                                                              • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ya0OW06.exe

                                                                                Filesize

                                                                                452KB

                                                                                MD5

                                                                                66f43ccc6980bd677c952947106939a7

                                                                                SHA1

                                                                                cb6d514d0fa4995e95f7ebd774900552c0d41982

                                                                                SHA256

                                                                                785f13ae44b66fabe08b477719ca0fc7627ffabee4dd0c23ecdfddc6f36f374b

                                                                                SHA512

                                                                                0873dcc57e92e2eb5c65096c6cedf1b4dff992a06440e3ec338651ae1537f20d914adb8bbc2dfeda2c80387edcd686bd82ae2b6ce152fb4b1988e39cb8ace662

                                                                              • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1kE90Pp5.exe

                                                                                Filesize

                                                                                192KB

                                                                                MD5

                                                                                8904f85abd522c7d0cb5789d9583ccff

                                                                                SHA1

                                                                                5b34d8595b37c9e1fb9682b06dc5228efe07f0c6

                                                                                SHA256

                                                                                7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f

                                                                                SHA512

                                                                                04dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12

                                                                              • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2KH19Fl.exe

                                                                                Filesize

                                                                                378KB

                                                                                MD5

                                                                                d859ff4578532e70d8d8745fc3343875

                                                                                SHA1

                                                                                ad023feca03469ae116137fffc644326eb767d83

                                                                                SHA256

                                                                                9f52521d2f7ab62a4e4d237fe1e00bdf0881735909c1053b2c70181d1bd84049

                                                                                SHA512

                                                                                3a4b619c8bea97e68547238c4b0422e5a6d2545f3ca42635239057295de454cd9fc6546bf0c37c85d5a7bd3cbba2cd4de5c5907ba9c3ac28a75990ccd61a03e1

                                                                              • C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

                                                                                Filesize

                                                                                219KB

                                                                                MD5

                                                                                a427281ec99595c2a977a70e0009a30c

                                                                                SHA1

                                                                                c937c5d14127921f068a081bb3e8f450c9966852

                                                                                SHA256

                                                                                40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

                                                                                SHA512

                                                                                2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

                                                                              • C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

                                                                                Filesize

                                                                                219KB

                                                                                MD5

                                                                                4bd59a6b3207f99fc3435baf3c22bc4e

                                                                                SHA1

                                                                                ae90587beed289f177f4143a8380ba27109d0a6f

                                                                                SHA256

                                                                                08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

                                                                                SHA512

                                                                                ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

                                                                              • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

                                                                                Filesize

                                                                                89KB

                                                                                MD5

                                                                                e913b0d252d36f7c9b71268df4f634fb

                                                                                SHA1

                                                                                5ac70d8793712bcd8ede477071146bbb42d3f018

                                                                                SHA256

                                                                                4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da

                                                                                SHA512

                                                                                3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

                                                                              • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

                                                                                Filesize

                                                                                273B

                                                                                MD5

                                                                                a5b509a3fb95cc3c8d89cd39fc2a30fb

                                                                                SHA1

                                                                                5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c

                                                                                SHA256

                                                                                5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529

                                                                                SHA512

                                                                                3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

                                                                              • C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

                                                                                Filesize

                                                                                89KB

                                                                                MD5

                                                                                ec41f740797d2253dc1902e71941bbdb

                                                                                SHA1

                                                                                407b75f07cb205fee94c4c6261641bd40c2c28e9

                                                                                SHA256

                                                                                47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520

                                                                                SHA512

                                                                                e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33

                                                                              • C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

                                                                                Filesize

                                                                                273B

                                                                                MD5

                                                                                6d5040418450624fef735b49ec6bffe9

                                                                                SHA1

                                                                                5fff6a1a620a5c4522aead8dbd0a5a52570e8773

                                                                                SHA256

                                                                                dbc5ab846d6c2b4a1d0f6da31adeaa6467e8c791708bf4a52ef43adbb6b6c0d3

                                                                                SHA512

                                                                                bdf1d85e5f91c4994c5a68f7a1289435fd47069bc8f844d498d7dfd19b5609086e32700205d0fd7d1eb6c65bcc5fab5382de8b912f7ce9b6f7f09db43e49f0b0
