amadey | 00a647a2d5971e2bb1f5dfc83725bae0d5123d63a2e617a496e266d3378cf073

Analysis

max time kernel
60s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01-04-2024 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00a647a2d5971e2bb1f5dfc83725bae0d5123d63a2e617a496e266d3378cf073.exe
Size

1.8MB
MD5

bf2b428250d710cd9b61aeac205cebe5
SHA1

bf4e97656d6d7cf5f20590b4e1b0bbe7245a1bf1
SHA256

00a647a2d5971e2bb1f5dfc83725bae0d5123d63a2e617a496e266d3378cf073
SHA512

81a2b87e173f9ee1abf2f68c79611d47d88b74ef5b6a45693e17d67bbc6c1e9eeb360888eb2f2d1b51ef9640175ec00e4999b252899c9e8c1ac19e022962943a
SSDEEP

49152:aeECbWK0f/oLt/mJSm8E4CNmG4yPDAHGet:3KDylmJSjzCRP

Score

10^/10

amadey glupteba redline risepro stealc zgrat @oleh_psp jok123 livetraffic dropper evasion infostealer loader rat stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

install_dir
00c07260dc
install_file
explorgu.exe
strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Extracted

Family

redline

Botnet

@OLEH_PSP

185.172.128.33:8970

Extracted

Family

redline

Botnet

Jok123

185.215.113.67:26260

Extracted

Family

redline

Botnet

LiveTraffic

4.185.137.132:1632

Extracted

Family

stealc

http://185.172.128.209

Attributes

url_path
/3cd2b41cbde8fc9c.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe	family_zgrat_v1
behavioral1/memory/3112-49-0x0000000000ED0000-0x000000000108C000-memory.dmp	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe	family_zgrat_v1
behavioral1/memory/4200-160-0x0000000000260000-0x00000000002E2000-memory.dmp	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe	family_zgrat_v1
behavioral1/memory/2520-180-0x0000000000590000-0x000000000060A000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5796-1040-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/5796-1046-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/4904-1057-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/5080-1103-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 9 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe	family_redline
behavioral1/memory/4416-91-0x0000000000DD0000-0x0000000000E22000-memory.dmp	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe	family_redline
behavioral1/memory/640-106-0x00000000007E0000-0x0000000000830000-memory.dmp	family_redline
behavioral1/memory/1764-133-0x00000000000C0000-0x000000000014C000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe	family_redline
behavioral1/memory/4200-160-0x0000000000260000-0x00000000002E2000-memory.dmp	family_redline
behavioral1/memory/4240-188-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Stealc
Stealc is an infostealer written in C++.
stealer stealc
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

00a647a2d5971e2bb1f5dfc83725bae0d5123d63a2e617a496e266d3378cf073.exeexplorgu.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	00a647a2d5971e2bb1f5dfc83725bae0d5123d63a2e617a496e266d3378cf073.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorgu.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

00a647a2d5971e2bb1f5dfc83725bae0d5123d63a2e617a496e266d3378cf073.exeexplorgu.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	00a647a2d5971e2bb1f5dfc83725bae0d5123d63a2e617a496e266d3378cf073.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	00a647a2d5971e2bb1f5dfc83725bae0d5123d63a2e617a496e266d3378cf073.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorgu.exe

Executes dropped EXE 1 IoCs

Processes:

explorgu.exe

pid process

2312 explorgu.exe

pid	process
2312	explorgu.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

explorgu.exe00a647a2d5971e2bb1f5dfc83725bae0d5123d63a2e617a496e266d3378cf073.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Wine	explorgu.exe
Key opened	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Wine	00a647a2d5971e2bb1f5dfc83725bae0d5123d63a2e617a496e266d3378cf073.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

82 pastebin.com
85 pastebin.com
151 pastebin.com

flow	ioc
82	pastebin.com
85	pastebin.com
151	pastebin.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1001082001\go.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

00a647a2d5971e2bb1f5dfc83725bae0d5123d63a2e617a496e266d3378cf073.exeexplorgu.exe

pid process

2408 00a647a2d5971e2bb1f5dfc83725bae0d5123d63a2e617a496e266d3378cf073.exe
2312 explorgu.exe
Drops file in Windows directory 1 IoCs

Processes:

00a647a2d5971e2bb1f5dfc83725bae0d5123d63a2e617a496e266d3378cf073.exe

description ioc process

File created C:\Windows\Tasks\explorgu.job 00a647a2d5971e2bb1f5dfc83725bae0d5123d63a2e617a496e266d3378cf073.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Tasks\explorgu.job	00a647a2d5971e2bb1f5dfc83725bae0d5123d63a2e617a496e266d3378cf073.exe

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2580	212	WerFault.exe	swiiiii.exe
2604	3784	WerFault.exe	koooooo.exe
3044	4656	WerFault.exe	WsX11tzqSKr3VgEEUHTh7Hmp.exe
5860	5832	WerFault.exe	RegAsm.exe
5800	5832	WerFault.exe	RegAsm.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

5028 schtasks.exe

pid	process
5028	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

00a647a2d5971e2bb1f5dfc83725bae0d5123d63a2e617a496e266d3378cf073.exeexplorgu.exe

pid	process
2408	00a647a2d5971e2bb1f5dfc83725bae0d5123d63a2e617a496e266d3378cf073.exe
2408	00a647a2d5971e2bb1f5dfc83725bae0d5123d63a2e617a496e266d3378cf073.exe
2312	explorgu.exe
2312	explorgu.exe

C:\Users\Admin\AppData\Local\Temp\00a647a2d5971e2bb1f5dfc83725bae0d5123d63a2e617a496e266d3378cf073.exe
"C:\Users\Admin\AppData\Local\Temp\00a647a2d5971e2bb1f5dfc83725bae0d5123d63a2e617a496e266d3378cf073.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2408

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2312
- C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe
  "C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe"
  2⤵
  PID:3112
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4520
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4428
  - - C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe
      "C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"
      4⤵
      PID:1764
  - - C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe
      "C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"
      4⤵
      PID:4416
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
      4⤵
      PID:888
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:5996
- C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe
  "C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe"
  2⤵
  PID:640
- C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe
  "C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe"
  2⤵
  PID:4200
- C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe
  "C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe"
  2⤵
  PID:2520
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4616
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:3996
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4240
- C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
  "C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe"
  2⤵
  PID:4480
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:5028
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
  2⤵
  PID:1080
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
    3⤵
    PID:5116
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:3104
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\831553292808_Desktop.zip' -CompressionLevel Optimal
      4⤵
      PID:1404
- C:\Users\Admin\AppData\Local\Temp\1001073001\swiiiii.exe
  "C:\Users\Admin\AppData\Local\Temp\1001073001\swiiiii.exe"
  2⤵
  PID:212
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5092
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 896
    3⤵
    - Program crash
    PID:2580
- C:\Users\Admin\AppData\Local\Temp\1001078001\koooooo.exe
  "C:\Users\Admin\AppData\Local\Temp\1001078001\koooooo.exe"
  2⤵
  PID:3784
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2284
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 852
    3⤵
    - Program crash
    PID:2604
- C:\Users\Admin\AppData\Local\Temp\1001082001\go.exe
  "C:\Users\Admin\AppData\Local\Temp\1001082001\go.exe"
  2⤵
  PID:888
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
    3⤵
    PID:2212
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb39d946f8,0x7ffb39d94708,0x7ffb39d94718
      4⤵
      PID:1752
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,12520978176584625082,1905958008479020226,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2
      4⤵
      PID:5164
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2236,12520978176584625082,1905958008479020226,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
      4⤵
      PID:5172
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2236,12520978176584625082,1905958008479020226,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
      4⤵
      PID:5180
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,12520978176584625082,1905958008479020226,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
      4⤵
      PID:5308
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,12520978176584625082,1905958008479020226,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
      4⤵
      PID:5384
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,12520978176584625082,1905958008479020226,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3788 /prefetch:1
      4⤵
      PID:5756
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,12520978176584625082,1905958008479020226,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1
      4⤵
      PID:6116
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,12520978176584625082,1905958008479020226,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
      4⤵
      PID:5316
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,12520978176584625082,1905958008479020226,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
      4⤵
      PID:2152
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,12520978176584625082,1905958008479020226,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5688 /prefetch:8
      4⤵
      PID:5300
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,12520978176584625082,1905958008479020226,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5688 /prefetch:8
      4⤵
      PID:3784
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,12520978176584625082,1905958008479020226,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
      4⤵
      PID:4916
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,12520978176584625082,1905958008479020226,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
      4⤵
      PID:640
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,12520978176584625082,1905958008479020226,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
      4⤵
      PID:888
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,12520978176584625082,1905958008479020226,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
      4⤵
      PID:4236
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
    3⤵
    PID:3912
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb39d946f8,0x7ffb39d94708,0x7ffb39d94718
      4⤵
      PID:4880
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,5336112840297930534,18406894679043026234,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
      4⤵
      PID:5244
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,5336112840297930534,18406894679043026234,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
      4⤵
      PID:5320
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
    3⤵
    PID:32
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb39d946f8,0x7ffb39d94708,0x7ffb39d94718
      4⤵
      PID:1016
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,9394139442754144743,7353143072371776400,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
      4⤵
      PID:6000
- C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
  "C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe"
  2⤵
  PID:5376
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
  2⤵
  PID:6064
- C:\Users\Admin\AppData\Local\Temp\1001084001\random.exe
  "C:\Users\Admin\AppData\Local\Temp\1001084001\random.exe"
  2⤵
  PID:6028
- C:\Users\Admin\AppData\Local\Temp\1001085001\file300un.exe
  "C:\Users\Admin\AppData\Local\Temp\1001085001\file300un.exe"
  2⤵
  PID:5204
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
    3⤵
    PID:4736
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
    3⤵
    PID:2956
  - - C:\Users\Admin\Pictures\WsX11tzqSKr3VgEEUHTh7Hmp.exe
      "C:\Users\Admin\Pictures\WsX11tzqSKr3VgEEUHTh7Hmp.exe"
      4⤵
      PID:4656
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:5832
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5832 -s 652
        6⤵
        Program crash
        
        PID:5860
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5832 -s 660
        6⤵
        Program crash
        
        PID:5800
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 884
        5⤵
        Program crash
        
        PID:3044
  - - C:\Users\Admin\Pictures\5sVLZFH7HbrE7WT35W4cvEB1.exe
      "C:\Users\Admin\Pictures\5sVLZFH7HbrE7WT35W4cvEB1.exe"
      4⤵
      PID:2472
    - - C:\Users\Admin\AppData\Local\Temp\u1wo.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u1wo.0.exe"
        5⤵
        
        PID:5160
    - - C:\Users\Admin\AppData\Local\Temp\u1wo.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u1wo.1.exe"
        5⤵
        
        PID:5372
  - - C:\Users\Admin\Pictures\h41cD4QeQu5RINklRcAha61D.exe
      "C:\Users\Admin\Pictures\h41cD4QeQu5RINklRcAha61D.exe"
      4⤵
      PID:5796
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:1616
    - - C:\Users\Admin\Pictures\h41cD4QeQu5RINklRcAha61D.exe
        
        "C:\Users\Admin\Pictures\h41cD4QeQu5RINklRcAha61D.exe"
        5⤵
        
        PID:5484
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:4648
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        6⤵
        
        PID:3000
  - - C:\Users\Admin\Pictures\qNUzTdatuAQKQlagXbMvBhTl.exe
      "C:\Users\Admin\Pictures\qNUzTdatuAQKQlagXbMvBhTl.exe"
      4⤵
      PID:4904
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:3412
    - - C:\Users\Admin\Pictures\qNUzTdatuAQKQlagXbMvBhTl.exe
        
        "C:\Users\Admin\Pictures\qNUzTdatuAQKQlagXbMvBhTl.exe"
        5⤵
        
        PID:5964
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:3040
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        6⤵
        
        PID:532
  - - C:\Users\Admin\Pictures\KnXqC1P8l0TT2f5HgudRCb4s.exe
      "C:\Users\Admin\Pictures\KnXqC1P8l0TT2f5HgudRCb4s.exe"
      4⤵
      PID:5080
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:4084
    - - C:\Users\Admin\Pictures\KnXqC1P8l0TT2f5HgudRCb4s.exe
        
        "C:\Users\Admin\Pictures\KnXqC1P8l0TT2f5HgudRCb4s.exe"
        5⤵
        
        PID:5388
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:4656
  - - C:\Users\Admin\Pictures\oby4OFVlac2SOUyK92uNmF2X.exe
      "C:\Users\Admin\Pictures\oby4OFVlac2SOUyK92uNmF2X.exe" --silent --allusers=0
      4⤵
      PID:5520
    - - C:\Users\Admin\Pictures\oby4OFVlac2SOUyK92uNmF2X.exe
        
        C:\Users\Admin\Pictures\oby4OFVlac2SOUyK92uNmF2X.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x278,0x29c,0x2a0,0x24c,0x2a4,0x6ea1e1d0,0x6ea1e1dc,0x6ea1e1e8
        5⤵
        
        PID:1164
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\oby4OFVlac2SOUyK92uNmF2X.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\oby4OFVlac2SOUyK92uNmF2X.exe" --version
        5⤵
        
        PID:5188
    - - C:\Users\Admin\Pictures\oby4OFVlac2SOUyK92uNmF2X.exe
        
        "C:\Users\Admin\Pictures\oby4OFVlac2SOUyK92uNmF2X.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=5520 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240401193240" --session-guid=fe139cec-7110-4971-8f1d-08148093e39b --server-tracking-blob=MzY4ZmIwYmQyMTYyOGIxZmNlNmFmODRhYTRlZjNlYWNjZWM4MmE2NWQxODAyMjNkNjMwNzVjNDA2YTIyMDZmYzp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N180NTYiLCJzeXN0ZW0iOnsicGxhdGZvcm0iOnsiYXJjaCI6Ing4Nl82NCIsIm9wc3lzIjoiV2luZG93cyIsIm9wc3lzLXZlcnNpb24iOiIxMCIsInBhY2thZ2UiOiJFWEUifX0sInRpbWVzdGFtcCI6IjE3MTE5OTk5NTEuNDUzMiIsInV0bSI6eyJjYW1wYWlnbiI6Ijc2N180NTYiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJta3QifSwidXVpZCI6ImRkNDhjNGY3LWZmMTgtNDlhMC1hNzQyLTJkOTM2NTM2NDc2MiJ9 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=0805000000000000
        5⤵
        
        PID:1620
      - C:\Users\Admin\Pictures\oby4OFVlac2SOUyK92uNmF2X.exe
        
        C:\Users\Admin\Pictures\oby4OFVlac2SOUyK92uNmF2X.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x2a8,0x2ac,0x2b0,0x27c,0x2b4,0x6df0e1d0,0x6df0e1dc,0x6df0e1e8
        6⤵
        
        PID:2456
- C:\Users\Admin\AppData\Local\Temp\1001086001\Akh.exe
  "C:\Users\Admin\AppData\Local\Temp\1001086001\Akh.exe"
  2⤵
  PID:4712
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
    3⤵
    PID:1616
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
    3⤵
    PID:3700
  - - C:\Users\Admin\Pictures\MqRMoMKyTztZ6xRDtkKviuxi.exe
      "C:\Users\Admin\Pictures\MqRMoMKyTztZ6xRDtkKviuxi.exe"
      4⤵
      PID:1080
  - - C:\Users\Admin\Pictures\6pIpqAnXElWoBC5HebjvbPgg.exe
      "C:\Users\Admin\Pictures\6pIpqAnXElWoBC5HebjvbPgg.exe"
      4⤵
      PID:5364
  - - C:\Users\Admin\Pictures\qqoF5IvXrgZGYPms59QdScfo.exe
      "C:\Users\Admin\Pictures\qqoF5IvXrgZGYPms59QdScfo.exe"
      4⤵
      PID:5820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 212 -ip 212
1⤵
PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3784 -ip 3784
1⤵
PID:4816

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5644

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4656 -ip 4656
1⤵
PID:3064

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
1⤵
PID:5204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5832 -ip 5832
1⤵
PID:5392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5832 -ip 5832
1⤵
PID:5032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
fe3aab3ae544a134b68e881b82b70169

SHA1
926e9b4e527ae1bd9b3b25726e1f59d5a34d36a6

SHA256
bda499e3f69d8fe0227e734bbb935dc5bf0050d37adf03bc41356dfcb5bcca0b

SHA512
3fbd3499d98280b6c79c67b0ee183b27692dbc31acf103b4f8ca4dcdf392afff2b3aad500037f4288581ed37e85f45c3bbb5dcde11cddf3ef0609f44b2ecb280

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9f44d6f922f830d04d7463189045a5a3

SHA1
2e9ae7188ab8f88078e83ba7f42a11a2c421cb1c

SHA256
0ae5cf8b49bc34fafe9f86734c8121b631bad52a1424c1dd2caa05781032334a

SHA512
7c1825eaefcc7b97bae31eeff031899300b175222de14000283e296e9b44680c8b3885a4ed5d78fd8dfee93333cd7289347b95a62bf11f751c4ca47772cf987d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7740a919423ddc469647f8fdd981324d

SHA1
c1bc3f834507e4940a0b7594e34c4b83bbea7cda

SHA256
bdd4adaa418d40558ab033ac0005fd6c2312d5f1f7fdf8b0e186fe1d65d78221

SHA512
7ad98d5d089808d9a707d577e76e809a223d3007778a672734d0a607c2c3ac5f93bc72adb6e6c7f878a577d3a1e69a16d0cd871eb6f58b8d88e2ea25f77d87b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d8d6ec9a7d8078ca4990c63a0c53e09c

SHA1
e397f594e2ae93c1ca64c7e992c453720d5eb490

SHA256
2baded913bdcf38269882bd833761b6563f389db0648bbb1f637e0495720dfdf

SHA512
7b646011506ecd0b61c20797e6ae4c6cd4c48200f130ef81a18c0e12d2bd73fe0d3c864c1059def4f711cb992ab6bf839c505fdc2a24aa9990d56839e92a1126

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
1d0e6e1e283029a61f00b1feb3455913

SHA1
4dbdf2960df3d5dbcabffc6d4aba2f5c75bf8f1c

SHA256
f42748e16be7dd3fbc6c71dc4c36558605433d7c64e6a6de028cf6431c9f061e

SHA512
fd313f8a679c8c062100264e9ba0b48ba561837488efa2763c59b3048faf1deb5edc39da750dd5a53a17bdd32a5a0db05dc30db59165794b27146dca68e3983a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
037cafe91f380f1eb2888179b9533d5e

SHA1
b0a8e7de18f80e81d25882651a0ba2cc1c3e0905

SHA256
7e61fcb95b4f2cfa45ad961e8d74c9349d96e61d81c693bed9cd5b8ad602ba73

SHA512
9a015c14584dc916ff0a9965263935d1f80b9b563c935f48e61acabeaea3893243c23af5de4a0242ef815268c86bfcb181764d2cde7a2c7ac69b7f65e661e5aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
b8ae4cdba68765e2727ec9cfe0a81fc1

SHA1
301ac701091a840e32cb8c2a64b70f0d1a9e1a47

SHA256
16201a8dcce23979b3981b320f76d969d4f28a215ed1a0dd6495b380d1a2b04e

SHA512
31609fed23d350ef1de9ac4fbfc95fdb44fda2bc31d43bbf370efdf15d48d95cb98f0328f15afa65c9ae826f89c9eabdc8a9cd456fc3665a9ff66da21a707d36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
58ce8753ba10dd813c4f8728dfec784f

SHA1
4c2d0ad88270a0825c86a93ba88785bfdcb0873f

SHA256
60d9cfd85e99db4b776c731e3b26b399e31636ad3103bd80ddd67ff83c81daca

SHA512
cf9e099fdba487c914b5a922d7706c8af8c3e4bcf86e734cd7e6c2ece9d9b1d0b4edbdc3e5e2a954253dff53e1f66fb2a6bd5f1cacaa20fad646b36090535bbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0ab20073a321ca2523d6dd6cbb83da81

SHA1
9234ff5e060df29dac50137e977bec97fa97d48c

SHA256
1ef7694af8566bf1edcb8b201037a4a5a8d13562274cdb21c659a1714d8e21a9

SHA512
70d1604e9b19b8d86833571829e8903d0f1afcb079d212f193bbe7f986e667ea7b770fabac8df2d14a79fc89892a3f91412b28a0efb0a5d2a5ae54687a7f393a

Download Submit
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

Filesize
1.8MB

MD5
bf2b428250d710cd9b61aeac205cebe5

SHA1
bf4e97656d6d7cf5f20590b4e1b0bbe7245a1bf1

SHA256
00a647a2d5971e2bb1f5dfc83725bae0d5123d63a2e617a496e266d3378cf073

SHA512
81a2b87e173f9ee1abf2f68c79611d47d88b74ef5b6a45693e17d67bbc6c1e9eeb360888eb2f2d1b51ef9640175ec00e4999b252899c9e8c1ac19e022962943a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe

Filesize
1.7MB

MD5
85a15f080b09acace350ab30460c8996

SHA1
3fc515e60e4cfa5b3321f04a96c7fb463e4b9d02

SHA256
3a2006bc835a8ffe91b9ee9206f630b3172f42e090f4e8d90be620e540f5ef6b

SHA512
ade5e3531dfa1a01e6c2a69deb2962cbf619e766da3d6e8e3453f70ff55ccbcbe21381c7b97a53d67e1ca88975f4409b1a42a759e18f806171d29e4c3f250e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe

Filesize
301KB

MD5
832eb4dc3ed8ceb9a1735bd0c7acaf1b

SHA1
b622a406927fbb8f6cd5081bd4455fb831948fca

SHA256
2a82243697e2eec45bedc754adcdc1f6f41724a40c6d7d96fd41ad144899b6f7

SHA512
3ab8b25732a7152608be101a3daf0d55833c554ab968be8b3b79a49e1831f3ee0eeeb9586a3334fa387b1f160fd15e98a80dcfece559c9c257b44ef962874894

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe

Filesize
499KB

MD5
83d0b41c7a3a0d29a268b49a313c5de5

SHA1
46f3251c771b67b40b1f3268caef8046174909a5

SHA256
09cc3364d5e1c15228822926bc65ce290c487dc3b7c0345bf265538110fa9cc9

SHA512
705ecc7c421338e37ed0d58c2d9fad03fb3565db422a0c9d895e75a399bf5f2a70cfe3ffdc860ffe010d4d1a213e0a844aeadb89ea8e0c830a2fc8c03b7669b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe

Filesize
464KB

MD5
c084d6f6ba40534fbfc5a64b21ef99ab

SHA1
0b4a17da83c0a8abbc8fab321931d5447b32b720

SHA256
afd83290a2adb219c3f1b8fbf23c27b0994fe76dfbb7dc0b416530dc0e21f624

SHA512
a5384a2f7029cf946fde44e1ff30775754ce525ca5a6fdac14184872b6e684cb6e585053cb86d32f82cbd3db48eb195ba3a642d8ee3774be579fccd993938ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe

Filesize
418KB

MD5
0099a99f5ffb3c3ae78af0084136fab3

SHA1
0205a065728a9ec1133e8a372b1e3864df776e8c

SHA256
919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

SHA512
5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001073001\swiiiii.exe

Filesize
321KB

MD5
1c7d0f34bb1d85b5d2c01367cc8f62ef

SHA1
33aedadb5361f1646cffd68791d72ba5f1424114

SHA256
e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c

SHA512
53bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001078001\koooooo.exe

Filesize
379KB

MD5
90f41880d631e243cec086557cb74d63

SHA1
cb385e4172cc227ba72baf29ca1c4411fa99a26d

SHA256
23b62a27e3f5c424b16f31e5009af4f24c8bd13b1f035f87879e2a29236be7a0

SHA512
eeb85b34aa66a7e9a1b1807012999ee439433df23126a52ffa8d4b3cb2026be3bcf63ca25f143de58ba929c0d4feeaf2a603fd6ec6b5379fc48147c22f3783e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001082001\go.exe

Filesize
894KB

MD5
2f8912af892c160c1c24c9f38a60c1ab

SHA1
d2deae508e262444a8f15c29ebcc7ebbe08a3fdb

SHA256
59ff8e0aa665fbbf749c7548906a655cb1869bb58a3b7546efa5b416d19e6308

SHA512
0395383bde98d358b0a7f2224f903dff026ce0c6d90feb49ac0e6993ef692143b0eb25da84d9cdc9e7b373a7b75a6dbaef14746eda1bff165d59f07ca51a16bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001084001\random.exe

Filesize
3.0MB

MD5
8444eaf15ee11d044dd6133b0268a0af

SHA1
fcbd127ca09dc689a55687e4c99c2460f2dd703d

SHA256
81d926b412b4fdb5f3839fdd2e1b43846ecd840effceb61e8986e73b59bd556e

SHA512
24045f8dd31c21e46923a6997fbf9f9279b9ac0dddcfef181a37ce37710236ad0ac0467bf98a96e911f996707fe91b7f1dffba63600200b319f79812d6fed0ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001085001\file300un.exe

Filesize
3.3MB

MD5
584b95fa5d21e178c978ed9171473514

SHA1
f3f67fd04f7539b73e6fcf3b941d279212fff907

SHA256
2a14c443a77b0333cc9646bc676e8c9bcd8789904f3e6b3b73ad8c604649bdb6

SHA512
47fe759e2908050bcb9314a9d4cb6a807ff201847bd898a8ff73c8e96f18dd8e7f39e5446e3fa4e73444ba15e4698a2764f3a98bc8ab8897279e25b388aab1d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001086001\Akh.exe

Filesize
3.3MB

MD5
7429ddf0aac01ae35256d827a9891668

SHA1
d00e1b75ab9de2e78df817d28c4f2eb951ba586b

SHA256
9c1e847f479e3b5570b6035352d3bbf2aa72a837eb7898f6a7d26cebcb8c8e06

SHA512
e47099dc64e4e331b1084e8c3532c6fe0d6538d46480eb1d03af286fc81c7a3a593c8dea864fe00caf846ccb5fb47d7b9ffc4d5e3864c3fabe237fbfb0229f4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\831553292808_Desktop.zip

Filesize
152KB

MD5
98dc83f6533de3902d9152341a73adbe

SHA1
e2e26a40ca533e6eef77c5df185216d07872ba21

SHA256
c6612bf609153678b68bd1a3cfdc53b93c7522334e63303ebb430fbb6aa39c6e

SHA512
7dad5edf23ce946774c7e489367ded32098b5d5ddf84516c318cd92aa31fce85531f7893f0c1cf9418773aeb0c5def2030187b369313dbac25184abd7daa39c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2404011932408855188.dll

Filesize
4.6MB

MD5
117176ddeaf70e57d1747704942549e4

SHA1
75e3ab6b3469d93cce9ea2f7e22b71b987ccdf2b

SHA256
3c5b34de987116a4d3240e319c0da89a951c96b81e6705476a0fea27b22b20af

SHA512
ca2a356929c92d314aab63d7f3b246d72783212dfa3a4507f28d41a51ca0eedc78e85b1cd453aa8e02c12509f847a0216bb702154f903291c804c8a98ec378b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp4ADF.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Files_\UseGroup.xlsx

Filesize
152KB

MD5
1ef779e7b0e4069545c28488547b02ce

SHA1
f1ce6840f98b68d5f79b5af0dd232985a8da600b

SHA256
9091eb165690e60ae2da734fdcb830b03351b4b0d4bcfdc7b1c703bb21f7297d

SHA512
e2b8d4d4b8eb0a5ee528928e3c9d1b771ebf0d93b2c8343dcc59999aeb430e0c032c78983e4d8846304c5b7ef06c30841867ca44225b0d2d7535a937a1fe0cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xcd4nzz5.z1c.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBB12.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBB63.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBCAE.tmp

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1wo.0.exe

Filesize
272KB

MD5
6f49a7ef8b2088c9c3904d40af1a9cf1

SHA1
c39e6b8d498f6873fb70b53022a7dccc1ba940fd

SHA256
a5b8a07f40e669b755d3522d427510872bec1b05cf93278b163975ad6ecbc473

SHA512
bc265d70d080955ed37f0e0218d08b139a8a6f2277c3c754363c0fcf6d86dda42b140b99eb8f38343e9af33d9dc2dfeefeff4ee143beb21adfdfc85991203e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1wo.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
109KB

MD5
2afdbe3b99a4736083066a13e4b5d11a

SHA1
4d4856cf02b3123ac16e63d4a448cdbcb1633546

SHA256
8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee

SHA512
d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
1.2MB

MD5
92fbdfccf6a63acef2743631d16652a7

SHA1
971968b1378dd89d59d7f84bf92f16fc68664506

SHA256
b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72

SHA512
b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe

Filesize
541KB

MD5
1fc4b9014855e9238a361046cfbf6d66

SHA1
c17f18c8246026c9979ab595392a14fe65cc5e9f

SHA256
f38c27ecbeed9721f0885d3b2f2f767d60a5d1c0a5c98433357f570987da3e50

SHA512
2af234cac24ec4a508693d9affa7f759d4b29bb3c9ddffd9e6350959fd4da26501553399d2b02a8eeae8dace6bfe9b2ce50462ce3c6547497f5b0ea6ed226b12

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe

Filesize
304KB

MD5
cc90e3326d7b20a33f8037b9aab238e4

SHA1
236d173a6ac462d85de4e866439634db3b9eeba3

SHA256
bd73ee49a23901f9fb235f8a5b29adc72cc637ad4b62a9760c306900cb1678b7

SHA512
b5d197a05a267bf66509b6d976924cd6f5963532a9f9f22d1763701d4fba3dfa971e0058388249409884bc29216fb33a51846562a5650f81d99ce14554861521

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
6557af7c0cf20cdeeaff1e92e6ed5fbf

SHA1
6f62f5d235815f0dd8765050a9201471517921bc

SHA256
79c1248807fefb637b88c6245dd75b8402127cce99e946ecfec7ee69eb40a59b

SHA512
caa17b21b9b03d0375f46e3169ba64d75e0535fa46bc644f9d2429aa3ab22b59a38bb092ae516b4c3ca824e317f44f08eb42c18ee5097d462a8e289e01be46c8

Download Submit
C:\Users\Admin\Pictures\5sVLZFH7HbrE7WT35W4cvEB1.exe

Filesize
412KB

MD5
94b539a7ad655bd757a153f47a032de1

SHA1
6ed9fc2383a065d41c7b68883b184694323c5f37

SHA256
8a90bffa0ddf162f33a621c70a346231f3a7d042436ef939448312d85e9eb958

SHA512
55770fb6dbadab9d472419e9c7d4e351379148ce10b2ce2b9d3120210059a34aa9343fa2aa841051de95475af4085a148eec623ad44dc8348443627b8cef6715

Download Submit
C:\Users\Admin\Pictures\MqRMoMKyTztZ6xRDtkKviuxi.exe

Filesize
2.0MB

MD5
c94a9cc5528e5a81aea3842880d4ed42

SHA1
86e03988749c4fbe2faea5b361cb9aa70c230832

SHA256
18d5c173da362ebd9659335c6f5c5991065f041eaeea2b27f6c52dcab9393888

SHA512
6077bdd2b01425024c64bcdc6a9d9c39dd31636b6858fdee7498ce61e463c64f030a5eca989bdf8e563c35239fbb36d318e966338b18024ebb893a8f38a462b5

Download Submit
C:\Users\Admin\Pictures\WsX11tzqSKr3VgEEUHTh7Hmp.exe

Filesize
437KB

MD5
7960d8afbbac06f216cceeb1531093bb

SHA1
008221bf66a0749447cffcb86f2d1ec80e23fc76

SHA256
f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84

SHA512
35d12e81eb892aeb2237049beca61a81469dea5b1c9b7a0b9f49fbf95a95c756509d9e76c732fb10b504f9f9692e1fbe83ea2fd09d791f793a928c01974b8147

Download Submit
C:\Users\Admin\Pictures\h41cD4QeQu5RINklRcAha61D.exe

Filesize
4.2MB

MD5
5576efc572721e582c2b5ead41186034

SHA1
3e851ccf866882d0377a1169c8bed8519723c2b7

SHA256
2c2cc50db923d9e333acda184fe709eab0ace5938675a62f4004f33a13ad5600

SHA512
cb708114661cc0c20cce7b15a03819a9e3da1c46f2c08999e2d27358936be70ec829e2efc7aa20e86e6dcdfb9be30b62407d70a836a86c14a804c6d09e0f9899

Download Submit
C:\Users\Admin\Pictures\ncOL1zZnotonqiYcGfBSBjHN.exe

Filesize
7KB

MD5
5b423612b36cde7f2745455c5dd82577

SHA1
0187c7c80743b44e9e0c193e993294e3b969cc3d

SHA256
e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09

SHA512
c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

Download Submit
C:\Users\Admin\Pictures\oby4OFVlac2SOUyK92uNmF2X.exe

Filesize
5.1MB

MD5
b0193eb1a32ada3f738bdc4c9c0600aa

SHA1
0f74f4dbe6ad704d3abe1fba671ec342bfd1e1fa

SHA256
0b17ee96b3dc4bbbf8b286720c02e67184bd227aeb66b03508f7e08526caf0e4

SHA512
81d2e721a96ee322682583a54472b775a4d0bdbf2cb89e038a36ce7346c65a81aa80eb1f9369ccf0ce67f7b139cfe3df442950e3ed86aaafe44d596c09e4c9c4

Download Submit
C:\Users\Admin\Pictures\qNUzTdatuAQKQlagXbMvBhTl.exe

Filesize
4.2MB

MD5
3ac8d0f3c5311cf7394e9c1f2ab9b58c

SHA1
a7f26b5da062a3f2127add1559009bd95002d47b

SHA256
8f96e2f1fe38aceb850b151ded4512b8d62a5975a6a31f71850a593487f23062

SHA512
fc5fc5a0bbd87859e44ebbbc0f690da619937eb566435233fc9a07a26fab7c98839bd311c0076b1b14eae982a0bfeeba4334dcd1ec710c71788cb6f9d8e59824

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
6e6edbcc005adbeacc660f6c19d8202f

SHA1
0d792648a9c772a808013637514b8b371b653d96

SHA256
846ba2a26b6a759403feabc5110d02ae58a9e359a6c04db106d16a37e457f0b7

SHA512
ecfcb343a68c8ba7b19c1d57da4dab387023f845f998971c69d73ca6eb403752e112b2d256a14e7138e4b4ab30ee31ec25591066800ebb1a8dbbad1ef966b1ab

Download Submit
\??\pipe\LOCAL\crashpad_2212_RYZFPHRJRDGOZPVI

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/640-106-0x00000000007E0000-0x0000000000830000-memory.dmp

Filesize
320KB

Download
memory/640-125-0x0000000006230000-0x0000000006848000-memory.dmp

Filesize
6.1MB

Download
memory/640-194-0x00000000730E0000-0x0000000073890000-memory.dmp

Filesize
7.7MB

Download
memory/640-129-0x00000000054A0000-0x00000000055AA000-memory.dmp

Filesize
1.0MB

Download
memory/640-131-0x0000000005390000-0x00000000053A2000-memory.dmp

Filesize
72KB

Download
memory/640-134-0x0000000005430000-0x000000000547C000-memory.dmp

Filesize
304KB

Download
memory/640-107-0x00000000730E0000-0x0000000073890000-memory.dmp

Filesize
7.7MB

Download
memory/640-132-0x00000000053B0000-0x00000000053EC000-memory.dmp

Filesize
240KB

Download
memory/1764-135-0x00007FFB3F370000-0x00007FFB3FE31000-memory.dmp

Filesize
10.8MB

Download
memory/1764-133-0x00000000000C0000-0x000000000014C000-memory.dmp

Filesize
560KB

Download
memory/1764-137-0x0000000000980000-0x0000000000990000-memory.dmp

Filesize
64KB

Download
memory/2284-321-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2284-324-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2312-181-0x00000000002E0000-0x000000000078D000-memory.dmp

Filesize
4.7MB

Download
memory/2312-29-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

Filesize
4KB

Download
memory/2312-1202-0x00000000002E0000-0x000000000078D000-memory.dmp

Filesize
4.7MB

Download
memory/2312-21-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download
memory/2312-22-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/2312-20-0x00000000002E0000-0x000000000078D000-memory.dmp

Filesize
4.7MB

Download
memory/2312-28-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/2312-975-0x00000000002E0000-0x000000000078D000-memory.dmp

Filesize
4.7MB

Download
memory/2312-105-0x00000000002E0000-0x000000000078D000-memory.dmp

Filesize
4.7MB

Download
memory/2312-19-0x00000000002E0000-0x000000000078D000-memory.dmp

Filesize
4.7MB

Download
memory/2312-23-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/2312-24-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/2312-110-0x00000000002E0000-0x000000000078D000-memory.dmp

Filesize
4.7MB

Download
memory/2312-669-0x00000000002E0000-0x000000000078D000-memory.dmp

Filesize
4.7MB

Download
memory/2312-25-0x0000000004C70000-0x0000000004C71000-memory.dmp

Filesize
4KB

Download
memory/2312-26-0x0000000004C80000-0x0000000004C81000-memory.dmp

Filesize
4KB

Download
memory/2312-462-0x00000000002E0000-0x000000000078D000-memory.dmp

Filesize
4.7MB

Download
memory/2312-27-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/2408-2-0x0000000000A50000-0x0000000000EFD000-memory.dmp

Filesize
4.7MB

Download
memory/2408-7-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/2408-10-0x0000000004E80000-0x0000000004E81000-memory.dmp

Filesize
4KB

Download
memory/2408-11-0x0000000004E70000-0x0000000004E71000-memory.dmp

Filesize
4KB

Download
memory/2408-5-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/2408-9-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/2408-8-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/2408-0-0x0000000000A50000-0x0000000000EFD000-memory.dmp

Filesize
4.7MB

Download
memory/2408-1-0x00000000774D4000-0x00000000774D6000-memory.dmp

Filesize
8KB

Download
memory/2408-6-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download
memory/2408-16-0x0000000000A50000-0x0000000000EFD000-memory.dmp

Filesize
4.7MB

Download
memory/2408-3-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/2408-4-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/2472-1035-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2520-187-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/2520-180-0x0000000000590000-0x000000000060A000-memory.dmp

Filesize
488KB

Download
memory/2520-190-0x0000000002900000-0x0000000004900000-memory.dmp

Filesize
32.0MB

Download
memory/2520-185-0x00000000730E0000-0x0000000073890000-memory.dmp

Filesize
7.7MB

Download
memory/2520-193-0x00000000730E0000-0x0000000073890000-memory.dmp

Filesize
7.7MB

Download
memory/2956-662-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3112-51-0x0000000005850000-0x0000000005860000-memory.dmp

Filesize
64KB

Download
memory/3112-60-0x00000000730E0000-0x0000000073890000-memory.dmp

Filesize
7.7MB

Download
memory/3112-56-0x0000000003360000-0x0000000005360000-memory.dmp

Filesize
32.0MB

Download
memory/3112-50-0x00000000730E0000-0x0000000073890000-memory.dmp

Filesize
7.7MB

Download
memory/3112-49-0x0000000000ED0000-0x000000000108C000-memory.dmp

Filesize
1.7MB

Download
memory/3700-1143-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4200-159-0x00007FFB3F370000-0x00007FFB3FE31000-memory.dmp

Filesize
10.8MB

Download
memory/4200-160-0x0000000000260000-0x00000000002E2000-memory.dmp

Filesize
520KB

Download
memory/4240-196-0x0000000005780000-0x0000000005790000-memory.dmp

Filesize
64KB

Download
memory/4240-195-0x00000000730E0000-0x0000000073890000-memory.dmp

Filesize
7.7MB

Download
memory/4240-188-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4416-128-0x0000000006370000-0x00000000063E6000-memory.dmp

Filesize
472KB

Download
memory/4416-103-0x00000000056F0000-0x0000000005782000-memory.dmp

Filesize
584KB

Download
memory/4416-93-0x0000000005BC0000-0x0000000006164000-memory.dmp

Filesize
5.6MB

Download
memory/4416-92-0x00000000730E0000-0x0000000073890000-memory.dmp

Filesize
7.7MB

Download
memory/4416-192-0x00000000730E0000-0x0000000073890000-memory.dmp

Filesize
7.7MB

Download
memory/4416-91-0x0000000000DD0000-0x0000000000E22000-memory.dmp

Filesize
328KB

Download
memory/4416-136-0x0000000006B30000-0x0000000006B4E000-memory.dmp

Filesize
120KB

Download
memory/4416-108-0x00000000057A0000-0x00000000057AA000-memory.dmp

Filesize
40KB

Download
memory/4416-226-0x0000000005810000-0x0000000005820000-memory.dmp

Filesize
64KB

Download
memory/4416-109-0x0000000005810000-0x0000000005820000-memory.dmp

Filesize
64KB

Download
memory/4428-54-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/4428-61-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/4428-186-0x00000000730E0000-0x0000000073890000-memory.dmp

Filesize
7.7MB

Download
memory/4428-182-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/4428-62-0x00000000730E0000-0x0000000073890000-memory.dmp

Filesize
7.7MB

Download
memory/4904-1057-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5080-1103-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5092-281-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/5092-275-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/5160-895-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/5160-1105-0x0000000000400000-0x0000000000862000-memory.dmp

Filesize
4.4MB

Download
memory/5204-807-0x0000000075BC0000-0x0000000075DD5000-memory.dmp

Filesize
2.1MB

Download
memory/5204-797-0x0000000002360000-0x0000000002760000-memory.dmp

Filesize
4.0MB

Download
memory/5204-798-0x00007FFB5E0F0000-0x00007FFB5E2E5000-memory.dmp

Filesize
2.0MB

Download
memory/5204-794-0x00000000006D0000-0x00000000006D9000-memory.dmp

Filesize
36KB

Download
memory/5372-1224-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/5484-1234-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5796-1040-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5796-1046-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5832-789-0x00007FFB5E0F0000-0x00007FFB5E2E5000-memory.dmp

Filesize
2.0MB

Download
memory/5832-788-0x0000000003F30000-0x0000000004330000-memory.dmp

Filesize
4.0MB

Download
memory/5832-786-0x0000000003F30000-0x0000000004330000-memory.dmp

Filesize
4.0MB

Download
memory/5832-732-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5832-727-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5832-792-0x0000000075BC0000-0x0000000075DD5000-memory.dmp

Filesize
2.1MB

Download
memory/5964-1232-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/6028-1102-0x0000000000BE0000-0x0000000000F94000-memory.dmp

Filesize
3.7MB

Download
memory/6028-781-0x0000000000BE0000-0x0000000000F94000-memory.dmp

Filesize
3.7MB

Download