lumma | 2a8e192a035947a6705a550743727df5e78c7196d4b74527381f49742c35cd1a

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
23-04-2024 23:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a8e192a035947a6705a550743727df5e78c7196d4b74527381f49742c35cd1a.exe
Size

333KB
MD5

8a96e389677c0bf9506ab0402d14eb1a
SHA1

b1e6ea96f41139a95e527cbe9f350c07072df2dc
SHA256

2a8e192a035947a6705a550743727df5e78c7196d4b74527381f49742c35cd1a
SHA512

7c7a85e4619a08db8fe39ed8e1dcc777e7aec066a001c080e974309885a8fe8787c130e5afdcfd2ae78cc0f8476a0df355fb66046163ebfa0f06b18402d9691a
SSDEEP

6144:VzTzhHJ+/o/7EPDf3mzZf7chbZ5KqbI5T:RTzhHJSSqbAZq7E9

Score

10^/10

lumma redline smokeloader zgrat @cloudcosmic (https://cloudcosmic.store)logsdiller cloud (telegram: @logsdillabot)pub1 backdoor bootkit discovery infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

redline

Botnet

LogsDiller Cloud (Telegram: @logsdillabot)

5.42.65.96:28380

Extracted

Family

redline

Botnet

@cloudcosmic (https://cloudcosmic.store)

87.121.105.175:14845

Extracted

Family

lumma

https://strollheavengwu.shop/api

https://productivelookewr.shop/api

https://tolerateilusidjukl.shop/api

https://shatterbreathepsw.shop/api

https://shortsvelventysjo.shop/api

https://incredibleextedwj.shop/api

https://alcojoldwograpciw.shop/api

https://liabilitynighstjsko.shop/api

https://demonstationfukewko.shop/api

Signatures

Detect ZGRat V1 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2956-120-0x000001AC7A5E0000-0x000001AC7A6E4000-memory.dmp	family_zgrat_v1
behavioral1/memory/4124-144-0x0000000000400000-0x00000000004C0000-memory.dmp	family_zgrat_v1

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1712-19-0x00000000002B0000-0x0000000000327000-memory.dmp	family_redline
behavioral1/memory/3076-20-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/memory/1712-29-0x00000000002B0000-0x0000000000327000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\84E9.exe	family_redline
behavioral1/memory/1388-81-0x0000000000C60000-0x0000000000CB2000-memory.dmp	family_redline
behavioral1/memory/4124-144-0x0000000000400000-0x00000000004C0000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file
Deletes itself 1 IoCs

Processes:

pid process

3332
Executes dropped EXE 9 IoCs

Processes:

6D8B.exegutiecj84E9.exe8C1D.exe9120.exe947C.exeA507.exeTarget.exezippolfeaex.exe

pid process

1712 6D8B.exe
3496 gutiecj
1388 84E9.exe
1116 8C1D.exe
2816 9120.exe
2956 947C.exe
4988 A507.exe
4068 Target.exe
4804 zippolfeaex.exe
Loads dropped DLL 1 IoCs

Processes:

A507.exe

pid process

4988 A507.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

92 drive.google.com
93 drive.google.com
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

8C1D.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 8C1D.exe

pid	process
3332

pid	process
1712	6D8B.exe
3496	gutiecj
1388	84E9.exe
1116	8C1D.exe
2816	9120.exe
2956	947C.exe
4988	A507.exe
4068	Target.exe
4804	zippolfeaex.exe

pid	process
4988	A507.exe

flow	ioc
92	drive.google.com
93	drive.google.com

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	8C1D.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

6D8B.exeA507.exe

description	pid	process	target process
PID 1712 set thread context of 3076	1712	6D8B.exe	RegAsm.exe
PID 4988 set thread context of 4124	4988	A507.exe	MSBuild.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1704 1712 WerFault.exe 6D8B.exe
3356 2816 WerFault.exe 9120.exe

pid	pid_target	process	target process
1704	1712	WerFault.exe	6D8B.exe
3356	2816	WerFault.exe	9120.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

gutiecj2a8e192a035947a6705a550743727df5e78c7196d4b74527381f49742c35cd1a.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	gutiecj
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	gutiecj
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	gutiecj
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2a8e192a035947a6705a550743727df5e78c7196d4b74527381f49742c35cd1a.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2a8e192a035947a6705a550743727df5e78c7196d4b74527381f49742c35cd1a.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2a8e192a035947a6705a550743727df5e78c7196d4b74527381f49742c35cd1a.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 1 IoCs

Processes:

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

RegAsm.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2a8e192a035947a6705a550743727df5e78c7196d4b74527381f49742c35cd1a.exe

pid	process
3292	2a8e192a035947a6705a550743727df5e78c7196d4b74527381f49742c35cd1a.exe
3292	2a8e192a035947a6705a550743727df5e78c7196d4b74527381f49742c35cd1a.exe
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

2a8e192a035947a6705a550743727df5e78c7196d4b74527381f49742c35cd1a.exegutiecj

pid process

3292 2a8e192a035947a6705a550743727df5e78c7196d4b74527381f49742c35cd1a.exe
3496 gutiecj
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exechrome.exe

pid process

4920 msedge.exe
4920 msedge.exe
4920 msedge.exe
1948 chrome.exe
1948 chrome.exe
4920 msedge.exe
1948 chrome.exe
1948 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

RegAsm.exe947C.exe84E9.exeMSBuild.exeTarget.exezippolfeaex.exechrome.exe

description	pid	process
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeDebugPrivilege	3076	RegAsm.exe
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeDebugPrivilege	2956	947C.exe
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeDebugPrivilege	1388	84E9.exe
Token: SeDebugPrivilege	4124	MSBuild.exe
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeBackupPrivilege	4124	MSBuild.exe
Token: SeSecurityPrivilege	4124	MSBuild.exe
Token: SeSecurityPrivilege	4124	MSBuild.exe
Token: SeSecurityPrivilege	4124	MSBuild.exe
Token: SeSecurityPrivilege	4124	MSBuild.exe
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeDebugPrivilege	4068	Target.exe
Token: SeDebugPrivilege	4804	zippolfeaex.exe
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	3332

Suspicious use of FindShellTrayWindow 51 IoCs

Processes:

msedge.exechrome.exe

pid	process
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

msedge.exechrome.exe

pid	process
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exe6D8B.execmd.exeA507.exeTarget.exezippolfeaex.exechrome.exemsedge.exe

description	pid	process	target process
PID 3332 wrote to memory of 2440	3332		cmd.exe
PID 3332 wrote to memory of 2440	3332		cmd.exe
PID 2440 wrote to memory of 3624	2440	cmd.exe	reg.exe
PID 2440 wrote to memory of 3624	2440	cmd.exe	reg.exe
PID 3332 wrote to memory of 1712	3332		6D8B.exe
PID 3332 wrote to memory of 1712	3332		6D8B.exe
PID 3332 wrote to memory of 1712	3332		6D8B.exe
PID 1712 wrote to memory of 3608	1712	6D8B.exe	RegAsm.exe
PID 1712 wrote to memory of 3608	1712	6D8B.exe	RegAsm.exe
PID 1712 wrote to memory of 3608	1712	6D8B.exe	RegAsm.exe
PID 1712 wrote to memory of 3576	1712	6D8B.exe	RegAsm.exe
PID 1712 wrote to memory of 3576	1712	6D8B.exe	RegAsm.exe
PID 1712 wrote to memory of 3576	1712	6D8B.exe	RegAsm.exe
PID 1712 wrote to memory of 3076	1712	6D8B.exe	RegAsm.exe
PID 1712 wrote to memory of 3076	1712	6D8B.exe	RegAsm.exe
PID 1712 wrote to memory of 3076	1712	6D8B.exe	RegAsm.exe
PID 1712 wrote to memory of 3076	1712	6D8B.exe	RegAsm.exe
PID 1712 wrote to memory of 3076	1712	6D8B.exe	RegAsm.exe
PID 1712 wrote to memory of 3076	1712	6D8B.exe	RegAsm.exe
PID 1712 wrote to memory of 3076	1712	6D8B.exe	RegAsm.exe
PID 1712 wrote to memory of 3076	1712	6D8B.exe	RegAsm.exe
PID 3332 wrote to memory of 4972	3332		cmd.exe
PID 3332 wrote to memory of 4972	3332		cmd.exe
PID 4972 wrote to memory of 4408	4972	cmd.exe	reg.exe
PID 4972 wrote to memory of 4408	4972	cmd.exe	reg.exe
PID 3332 wrote to memory of 1388	3332		84E9.exe
PID 3332 wrote to memory of 1388	3332		84E9.exe
PID 3332 wrote to memory of 1388	3332		84E9.exe
PID 3332 wrote to memory of 1116	3332		8C1D.exe
PID 3332 wrote to memory of 1116	3332		8C1D.exe
PID 3332 wrote to memory of 1116	3332		8C1D.exe
PID 3332 wrote to memory of 2816	3332		9120.exe
PID 3332 wrote to memory of 2816	3332		9120.exe
PID 3332 wrote to memory of 2816	3332		9120.exe
PID 3332 wrote to memory of 2956	3332		947C.exe
PID 3332 wrote to memory of 2956	3332		947C.exe
PID 3332 wrote to memory of 4988	3332		A507.exe
PID 3332 wrote to memory of 4988	3332		A507.exe
PID 3332 wrote to memory of 4988	3332		A507.exe
PID 4988 wrote to memory of 4124	4988	A507.exe	MSBuild.exe
PID 4988 wrote to memory of 4124	4988	A507.exe	MSBuild.exe
PID 4988 wrote to memory of 4124	4988	A507.exe	MSBuild.exe
PID 4988 wrote to memory of 4124	4988	A507.exe	MSBuild.exe
PID 4988 wrote to memory of 4124	4988	A507.exe	MSBuild.exe
PID 4988 wrote to memory of 4124	4988	A507.exe	MSBuild.exe
PID 4988 wrote to memory of 4124	4988	A507.exe	MSBuild.exe
PID 4988 wrote to memory of 4124	4988	A507.exe	MSBuild.exe
PID 4068 wrote to memory of 4804	4068	Target.exe	zippolfeaex.exe
PID 4068 wrote to memory of 4804	4068	Target.exe	zippolfeaex.exe
PID 4804 wrote to memory of 1948	4804	zippolfeaex.exe	chrome.exe
PID 4804 wrote to memory of 1948	4804	zippolfeaex.exe	chrome.exe
PID 1948 wrote to memory of 2804	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 2804	1948	chrome.exe	chrome.exe
PID 4804 wrote to memory of 4920	4804	zippolfeaex.exe	msedge.exe
PID 4804 wrote to memory of 4920	4804	zippolfeaex.exe	msedge.exe
PID 4920 wrote to memory of 2720	4920	msedge.exe	msedge.exe
PID 4920 wrote to memory of 2720	4920	msedge.exe	msedge.exe
PID 4920 wrote to memory of 5064	4920	msedge.exe	msedge.exe
PID 4920 wrote to memory of 5064	4920	msedge.exe	msedge.exe
PID 4920 wrote to memory of 5064	4920	msedge.exe	msedge.exe
PID 4920 wrote to memory of 5064	4920	msedge.exe	msedge.exe
PID 4920 wrote to memory of 5064	4920	msedge.exe	msedge.exe
PID 4920 wrote to memory of 5064	4920	msedge.exe	msedge.exe
PID 4920 wrote to memory of 5064	4920	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2a8e192a035947a6705a550743727df5e78c7196d4b74527381f49742c35cd1a.exe
"C:\Users\Admin\AppData\Local\Temp\2a8e192a035947a6705a550743727df5e78c7196d4b74527381f49742c35cd1a.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\52CE.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
  2⤵
  PID:3624

C:\Users\Admin\AppData\Local\Temp\6D8B.exe
C:\Users\Admin\AppData\Local\Temp\6D8B.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:3608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:3576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  PID:3076
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 372
  2⤵
  - Program crash
  PID:1704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1712 -ip 1712
1⤵
PID:2480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\74CF.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
  2⤵
  PID:4408

C:\Users\Admin\AppData\Roaming\gutiecj
C:\Users\Admin\AppData\Roaming\gutiecj
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3496

C:\Users\Admin\AppData\Local\Temp\84E9.exe
C:\Users\Admin\AppData\Local\Temp\84E9.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Users\Admin\AppData\Local\Temp\8C1D.exe
C:\Users\Admin\AppData\Local\Temp\8C1D.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:1116

C:\Users\Admin\AppData\Local\Temp\9120.exe
C:\Users\Admin\AppData\Local\Temp\9120.exe
1⤵
- Executes dropped EXE
PID:2816
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 1124
  2⤵
  - Program crash
  PID:3356

C:\Users\Admin\AppData\Local\Temp\947C.exe
C:\Users\Admin\AppData\Local\Temp\947C.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2816 -ip 2816
1⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\A507.exe
C:\Users\Admin\AppData\Local\Temp\A507.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4124

C:\Users\Admin\AppData\Roaming\IsFixedSize\Target.exe
C:\Users\Admin\AppData\Roaming\IsFixedSize\Target.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Users\Admin\AppData\Local\Temp\zippolfeaex.exe
  "C:\Users\Admin\AppData\Local\Temp\zippolfeaex.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4804
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\Admin\AppData\Local\Temp\Extension"
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1948
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffce9ae9758,0x7ffce9ae9768,0x7ffce9ae9778
      4⤵
      PID:2804
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1772 --field-trial-handle=1980,i,6546456828477586300,3713323166243903800,131072 /prefetch:2
      4⤵
      PID:5084
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1912 --field-trial-handle=1980,i,6546456828477586300,3713323166243903800,131072 /prefetch:8
      4⤵
      PID:3376
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2028 --field-trial-handle=1980,i,6546456828477586300,3713323166243903800,131072 /prefetch:8
      4⤵
      PID:4076
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3228 --field-trial-handle=1980,i,6546456828477586300,3713323166243903800,131072 /prefetch:1
      4⤵
      PID:444
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3248 --field-trial-handle=1980,i,6546456828477586300,3713323166243903800,131072 /prefetch:1
      4⤵
      PID:2252
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4540 --field-trial-handle=1980,i,6546456828477586300,3713323166243903800,131072 /prefetch:1
      4⤵
      PID:4400
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4880 --field-trial-handle=1980,i,6546456828477586300,3713323166243903800,131072 /prefetch:8
      4⤵
      PID:5152
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4836 --field-trial-handle=1980,i,6546456828477586300,3713323166243903800,131072 /prefetch:1
      4⤵
      PID:5180
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5164 --field-trial-handle=1980,i,6546456828477586300,3713323166243903800,131072 /prefetch:8
      4⤵
      PID:5240
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1768 --field-trial-handle=1980,i,6546456828477586300,3713323166243903800,131072 /prefetch:8
      4⤵
      PID:5292
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4844 --field-trial-handle=1980,i,6546456828477586300,3713323166243903800,131072 /prefetch:8
      4⤵
      PID:5312
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --load-extension="C:\Users\Admin\AppData\Local\Temp\Extension"
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4920
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x230,0x234,0x238,0x22c,0x334,0x7ffce9462e98,0x7ffce9462ea4,0x7ffce9462eb0
      4⤵
      PID:2720
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2808 --field-trial-handle=2812,i,4009844940692686446,6986109546231390115,262144 --variations-seed-version /prefetch:2
      4⤵
      PID:5064
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3136 --field-trial-handle=2812,i,4009844940692686446,6986109546231390115,262144 --variations-seed-version /prefetch:3
      4⤵
      PID:4732
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3568 --field-trial-handle=2812,i,4009844940692686446,6986109546231390115,262144 --variations-seed-version /prefetch:8
      4⤵
      PID:1080
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3652 --field-trial-handle=2812,i,4009844940692686446,6986109546231390115,262144 --variations-seed-version /prefetch:1
      4⤵
      PID:4220
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3820 --field-trial-handle=2812,i,4009844940692686446,6986109546231390115,262144 --variations-seed-version /prefetch:1
      4⤵
      PID:2180
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3928 --field-trial-handle=2812,i,4009844940692686446,6986109546231390115,262144 --variations-seed-version /prefetch:1
      4⤵
      PID:1600
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4820 --field-trial-handle=2812,i,4009844940692686446,6986109546231390115,262144 --variations-seed-version /prefetch:2
      4⤵
      PID:2000

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk

Filesize
2KB

MD5
760b5535118ea0f13c4968ab4d6916de

SHA1
17bb9e2493e506d9cdabe1d6c19224fc1c80f146

SHA256
ab474fc20c72138294fddfbe2cab6874277958fd8f896ddfcae584f64c5e58cb

SHA512
a35bc8a6abe126572b9b1418b6144554bff141ee05e10d0215c9847259ae282b82d5890f9725a7bb83d8ac86653f8d037ec08b599f6e4d7b5fcec6c5bb19b09e

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk

Filesize
2KB

MD5
27f2ff48bf5d224633f3c653f413304d

SHA1
645799badd13a5f03bab831ab5d99c875be7780f

SHA256
066e7406a62a5ea3989339a0391b53111a9d1e0b4377f03256f7f36dcd2fd872

SHA512
97ead3d8ce19a6a2fe4222d74ea322dd4321ff2dcbb1d453c58514b546dd8039c4d2added9278209868e7bbc2f1dceaeca6a9fdf6c81e5bc945d36cbcffae5f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\6530d756-dda8-4dbf-aede-05021d8073a5.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
1b483689689a2791dac6b0e384cc19e5

SHA1
541201ddc863c0db6a2111d7a38f42789ddedd05

SHA256
ee285708ad38876fa3f2772b97484bb9e21e1882aced20c7a8b1094acc000b85

SHA512
1789ae3bf5ebea9f4914144c8d3e79295e551087b3552d32af2baf41d25932049421fecc243c86a8cf79bf982d2f001b41826e2fc12dee4862795def3ccca932

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
12KB

MD5
2029969d91d19005e8754c32b362617c

SHA1
6695a3bcc80f3538f9b27283b3e627a12ecd9a2c

SHA256
e6d6bb49f6fec03942f279abeb8ac023147fc98db684464fde4db17fe6682bc7

SHA512
aa097aae404e521a059c5c19e9f94c50bd3a07414645880b3e99a615c74864355e9389dfbd37803323f877989dc0dfb3ab249601da56b704646fd243e1e51fc4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
264KB

MD5
dceda69777b2fc3a653341f6b72c4201

SHA1
9317a265fe19c8129137dfd15ea262ffc91626f7

SHA256
85b5bac69e8aa31693e47c3418705435d97e7db05c6b81a3e61dd4385b26863a

SHA512
05a53bf8c64f3857ae0d67d1e5b5da354f2fc1b35144feb1343800f5d8a451552e01428ffa2ec275dddaa7114d501d9526768400f6bce94e64a58e4c1f360873

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\5a235886-f774-4182-94b5-bdc994b52890.tmp

Filesize
36KB

MD5
679bb8b86fb51605db2163dfbcfa0785

SHA1
48f5264081b09fa827b42b8703bc468249cfa519

SHA256
800b926d4d02a57f3644e1448ff35461c093ec5b94b1294b6ef98a7d398d4d99

SHA512
ef42ffa932e9f74afa3cc376608757ae3e4c1235ceb1d2732f809a3e4314c92ec647e7a7ec9a5aeed9ac81bfd9d2b34c20b985675c4ac086c035b7dee77a22f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
19604e06218bc50b36b334abf0eb3dd1

SHA1
f1cc5d41f2089cf61e5eb1535b25064b6a77d714

SHA256
92d89ae2e913e627faeb1e13e3449180d6641de6ed8a1adedb2d67986825a2bb

SHA512
a26cf1ed4582229d1978b8d52f80c7da7b8a44661f6523cb33c8c378378095f7ed657cdb08090b84cc41a012a882b3d0070e07e2fb3f502e573c8b3af8f14a67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
f2815fdf6b474ba36f742c75051c2075

SHA1
c616f0132358243e0a73507e115b3af7baadb42e

SHA256
32cda78c947de4d5807a3d28b3b0dc5823d6f00a87a20c2c28d00628812105bb

SHA512
8c10949eb2de770d6f8010897c067ff7acc4eaa1a7b9de9196dcb309621cea97b7c109375845c375711cf1fa4ccf436ed872ff03bb7e230110a5fdf20e891de4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
9ce3f79aed20287b88b5a3a489b414a2

SHA1
b5de12f2f6b835b209a9bba952c5f30b183c3b9f

SHA256
161fd2eb2e4580b543abeee9aa1d69d22215b3884b9e6e9cb73414fd0c8b3c8c

SHA512
4038750857f1007bb4939dd5c0d2d1da3af6aa0c587f83abb50f112e2832d398f1fd8a899ef2d684eaca3ad439e80a50681decad63840feb095a2d83a737c908

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
31KB

MD5
baab3a413964ff39c1a777055649fe77

SHA1
b4890a787eb4ad68ce7779db0203971b03e2790a

SHA256
4b26f84ea768e21e1eae4fa6df97b909dcf813e15e1abd9c1e9f8fe9731f7adc

SHA512
584dd9dc5263fa6e9d9c0e6414ab0f9bc228007892fd536b09d064929ebf7174a4deb1220286e6c1369b0e4b8f50a9db5d12b566fe5574b5c67a2d2df9d9bd7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
35KB

MD5
c040d63e485e25f7205dca240d062ddf

SHA1
26f7fdce2217f0c17cd515292008ef20f185ad20

SHA256
0f32fd5328ca09efc3cf31569163834c63e99555b2659afa23a7c7c99b893f84

SHA512
4e002cbc7c34a1cac78ea0b93d1352b902724a5ad83f86f6c2a048d07e7523babb3f54f9c95939d236cdce10bcd280c92003c7f8c8b63cd24d2171f7adb7ba01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
36KB

MD5
c7cfef370180d22a013cb9192fd24e10

SHA1
f70709882e22100eb706439cc4dc0e61d1c06ea0

SHA256
04676e9d464d9581dec0629d59e0944a1aa949039e7becd5948073213dd1f2a3

SHA512
fe52c077d2419eaaffd2a55bc1eefff8f550f798f6fa695d7370962d7f8a55b5779c7d9fdc70217d98842341f97ce5c0eef3b033bc69dc25d1853661d51d1fa3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
2d2c942364a994b1b616e623341959d6

SHA1
ba560ffd76d58c7d4d88cd8bb5ff4565c0ae675e

SHA256
69f8e94c5f1021becc8c53f796cf6f56fd7998627de928d4459f417b761ca646

SHA512
b89c410e4e7cc5623206555b6ba7743aa7b4890ca92cccb46326e3492cd6104dd35fde55f18c882ca998df7255b42448aec50ec24bb1148d24ea8afc2862050e

Download Submit
C:\Users\Admin\AppData\Local\Temp\52CE.bat

Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\6D8B.exe

Filesize
469KB

MD5
a1d0144edede68512a25d98dd2f4be2e

SHA1
ceaf8a8965f8584ed65940f473d78887a9719da3

SHA256
cb8919dfe48ae301848c3d3bc79db7c24b40cdf044ceadbb0b21c0301d8b80b8

SHA512
b5ee4228f0d6b09f693b875290df218e5c58be44ca148b4a3d88963179e803ac57e8a15d9a8289b28dda714d600c70f884474dfb051d8be1ce6d3e65fe889ee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\84E9.exe

Filesize
304KB

MD5
e9c6cf15980688c2d0eca2b8fd36cb37

SHA1
328078770d6df3042d7737daf0c1cdc61a4180f5

SHA256
6c70db8bdfc6f6506ee80fcb7c3c6152e81e464b29f0b6cbe2294997f7531b53

SHA512
e6a39a1345256896bc78a8184d5020026d125fe54cfe48e89247169eeb5c59bcab4a00a91b1078bbaf71677868bf29b4b56768183dc9d595af4f04645299089f

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C1D.exe

Filesize
421KB

MD5
9185b776b7a981d060b0bb0d7ffed201

SHA1
427982fb520c099e8d2e831ace18294ade871aff

SHA256
91a45c416324ed3a8c184e349214e7c82d6df0df4fe6d06f3c7818c0d322373b

SHA512
cb46ca0c3156dc7b177fdb73869e13b229cbab8918dbb4b61a854765313fc9526aa5d7b944aa4b9acb77717c5ffd8fe955ba4eb48d75e2528ec844bfcf4aa5e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\9120.exe

Filesize
423KB

MD5
52dbd9fb21a8fdb8fd064321b85145ca

SHA1
72abaea82050390b1908fffd99dfacd4edb49f45

SHA256
71d8a234b7afb0733a7aa5fb0bed7ecd410e58b8cb4faaab87cfa1376b2613ea

SHA512
4a3c6331aa31e2ed5b2c3ddd5f06310238fc682216ebbfa9fd2ee8cd369d0d3446e1c890e5585f06057de0e5c35e0df7d4d5ed57967a914445af18d043a860d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\947C.exe

Filesize
633KB

MD5
1c762a2cd186f1cde4b9e5d743eca3b5

SHA1
a0eff9fa7b5ada96c8acf483de9519a9e2548d80

SHA256
a5b0d190fc09cd5c1ea07fa6b12a7dd4ab5f517c778fb60e4e14060e00ddecc8

SHA512
d43eec5905f9715c6b342232c2432ba1e91abe4ee514ccdc45706a7ffede2a1cf5589c0da7a0f5d6c70a8a26afad9394aa93222f475be4797607d7c0208d154a

Download Submit
C:\Users\Admin\AppData\Local\Temp\A507.exe

Filesize
4.8MB

MD5
2d41e117f7b73d3b0b8804794b4fe9dd

SHA1
f0bd15035e0bf67f621c7e87c65b62c007e79fda

SHA256
5b88fdc4c1564305f8883e5ec48cadea105d082a5a1bae6a17c57c81c01069a7

SHA512
3932ba5248d7d6ca7f9164c9df9f7d8ef767dcc0bdd8ad753af61a90e4e9e4ab9ddee6aec4ea251f0b7e2c773814551dcd77e63edfbe29c3592f1ad5276722ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Extension\background.js

Filesize
7KB

MD5
6fa9d4326d3b323d6c454f2d166c0dcc

SHA1
047219d7eb86a3d6fb20f9659fd0c64d9d0d0a47

SHA256
bbf52a51eff04394534e9c3b058f8884abf32448579475ccab886d5c809e0add

SHA512
2fedade2e0dca7e4a9ed9d8a058034b637b02db887b74b147262f1378523c58bfa17e09c91ef0da53134427ed7c5131130bd276ff98f467aa2f1dd2507d167c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Extension\js\content.js

Filesize
1KB

MD5
9ab0f9320495b406fddb6de1730652cc

SHA1
a6d35a74dc53289794c9a05dc1ad8c03878e153a

SHA256
ab913781705a8841f3c3973af4cfeb14c7ed9919a08ff810b920dca17d69cbd1

SHA512
c527057c8af9cb4a55a71ff5a8010706119fd19b5c354dae046cd498f350c422b10578a3e3c2423e385c81d76d3ece3b057c5f02f8c7b76769e18c5e2aa023fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Extension\manifest.json

Filesize
841B

MD5
9358845d5150234f2c91c6c9b8f73ede

SHA1
bcc689cb7b97b8f726c966706e1c39e90194744a

SHA256
30c327ec2dab6b33eaac97c17c036f199c986f949d75fe56c87fe84ebc965b60

SHA512
fa6b069f29e176cfb7dd036b38bddf09c3114b85ad3b41d29f1195ef4196c8d80374abbf636411447d76b65312c72c625af3f9463d9342ab07710fd2b4a19d5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp7F2E.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zippolfeaex.exe

Filesize
65KB

MD5
8c4465565bb876235f68bcddcca4f3a7

SHA1
93753649fafe334d2bd1c5c96027c66bd6cfbc6c

SHA256
693bb07dae2270661837d13b282adab93b5213659624b1899fb4e5354f38b80e

SHA512
f31d35dedb065c9a1d93051e1353458e8b7e6b6e62e8a060942111e4cd973a7292b9013d2ddf13de97603f6a97ede3f07c56a24ceec995e030bb30058c04c643

Download Submit
C:\Users\Admin\AppData\Roaming\d3d9.dll

Filesize
846KB

MD5
d0b35e6c99d48c4456db3f9fee7d25e7

SHA1
9b1c74529bf52607bb37bd6f2161dd8b442e77b9

SHA256
550e9ce8de15b9ef48f7f54df4075468b9dee17bfdbc53f7d65cf039ef1c86de

SHA512
e03976b1b902b7f9590811b84d58f99f09cd38469d6b96d8176c3f17d4c4c92beafe73bd4a77d3874529e47403c52992dd216f643b0d70f9acbaaeb25f7f8a43

Download Submit
C:\Users\Admin\AppData\Roaming\gutiecj

Filesize
333KB

MD5
8a96e389677c0bf9506ab0402d14eb1a

SHA1
b1e6ea96f41139a95e527cbe9f350c07072df2dc

SHA256
2a8e192a035947a6705a550743727df5e78c7196d4b74527381f49742c35cd1a

SHA512
7c7a85e4619a08db8fe39ed8e1dcc777e7aec066a001c080e974309885a8fe8787c130e5afdcfd2ae78cc0f8476a0df355fb66046163ebfa0f06b18402d9691a

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
f897950f6fc7104cb194dc945d0c9373

SHA1
b8f6a14fc0e3aeff234bac6cbff17ab93fa57299

SHA256
cf9c778b2c5aa6c4a304b80f5a142a0f79a0eb0a942606509f65705a2aa53b62

SHA512
82aab594de71e6eeacb1e079ca8efc37dfec1ddf48614e8bad8ca41574120c2f0b91f7b504238cee763b2791145e0613adab9866f317d40f297f92ef2658c2a1

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
417a135c520fac3f0f4549a455f91dc0

SHA1
c52989546620d45529374028c7a2a325842efc06

SHA256
3195500480fcb19a941c3ff9dda874a70388e9b306e9ad90c3f0ee3e40022a9c

SHA512
fc4709ebaa0ce2107c5ef7343de22ce1dac0cc1c29b989fed33f011edd8db7015693cb48cf40668b94178b66f4fff5ae3caed7d499ee7d87b1868493171f5c10

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
52e3f38557bc84b7845f1e9914b60276

SHA1
7f4d6ec636e5549e9b5e2b77c5efaa3d18dee03f

SHA256
974c64e7af9e27200b7c273e789c7061d22ac283f7b14ee94afe289651a182e0

SHA512
8e92f4e0f001413684cad06b72b10c6de8f9582e5f954ec536d303d8cd1d61dc4a7a3be34bc6b09e85ec1a03002b0a70efdc95b4aa7d99dec93975986ced931b

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
1aa4c8a8b942fc6bcb48eb0074a8115a

SHA1
9fd64716658829032a272d64fba6b5b0fcc2faff

SHA256
bde42a06c4b56700c437c20f3c8559ebbecb8470eb13f67ea0654e69c62441e4

SHA512
d14ff2c99de25c3cf0398892a1a5c34cf97a2a301c6d8391b14925f9d6105c3d0e25e4e19788db336d75a36b7274e6761beeebbda66ec0ada40f060e2d25afa3

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
22a05c828de6d19ac38248fa04882193

SHA1
24658bc6db24bf54760b1275d4ee39387c636470

SHA256
e3b35ac1de027e55ccbc9a1cea56d3f02c522134fea5a7f27fd495dd6dfb46f7

SHA512
e49895f9a3a4873a485c5923d0c5c101c85fb5fa77e1b1411b3d3179262fe6087fcd2b3356c8d4ef807adf167af8564fa355d159fada4219cc5e83d6c930cb05

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
dba4c9da0667b893c996fe4158a6283c

SHA1
4a39bc4dab3997076369f623d2a7506ced7b88ce

SHA256
e6cc8c1bfa559ffdcb62d40a704206c2d3fa404f2dd94357a14a623b00d04d07

SHA512
5496d4a33c35482e80eab0c22336fe67f51b5f65a37c63305833a741cb8365b6d0dcff3ededcfaeab2f85dd7a8e86b8186b37124fcdf594fb752990729c7e405

Download Submit
\??\pipe\crashpad_4920_WIOESJZGWBAOEHIP

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1388-82-0x0000000005500000-0x0000000005510000-memory.dmp

Filesize
64KB

Download
memory/1388-102-0x00000000070E0000-0x000000000712C000-memory.dmp

Filesize
304KB

Download
memory/1388-81-0x0000000000C60000-0x0000000000CB2000-memory.dmp

Filesize
328KB

Download
memory/1388-80-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/1388-152-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/1712-29-0x00000000002B0000-0x0000000000327000-memory.dmp

Filesize
476KB

Download
memory/1712-19-0x00000000002B0000-0x0000000000327000-memory.dmp

Filesize
476KB

Download
memory/2816-137-0x0000000000400000-0x000000000405A000-memory.dmp

Filesize
60.4MB

Download
memory/2816-114-0x00000000041B0000-0x00000000041FB000-memory.dmp

Filesize
300KB

Download
memory/2816-113-0x0000000004390000-0x0000000004490000-memory.dmp

Filesize
1024KB

Download
memory/2956-119-0x000001AC780A0000-0x000001AC78142000-memory.dmp

Filesize
648KB

Download
memory/2956-120-0x000001AC7A5E0000-0x000001AC7A6E4000-memory.dmp

Filesize
1.0MB

Download
memory/2956-121-0x00007FFCE9C20000-0x00007FFCEA6E1000-memory.dmp

Filesize
10.8MB

Download
memory/2956-122-0x000001AC7A5D0000-0x000001AC7A5E0000-memory.dmp

Filesize
64KB

Download
memory/2956-123-0x000001AC79CA0000-0x000001AC79CF6000-memory.dmp

Filesize
344KB

Download
memory/2956-124-0x000001AC7A560000-0x000001AC7A5AC000-memory.dmp

Filesize
304KB

Download
memory/2956-125-0x000001AC7A800000-0x000001AC7A854000-memory.dmp

Filesize
336KB

Download
memory/2956-134-0x00007FFCE9C20000-0x00007FFCEA6E1000-memory.dmp

Filesize
10.8MB

Download
memory/3076-63-0x00000000071B0000-0x0000000007216000-memory.dmp

Filesize
408KB

Download
memory/3076-52-0x0000000006F40000-0x000000000704A000-memory.dmp

Filesize
1.0MB

Download
memory/3076-64-0x0000000007B10000-0x0000000007B60000-memory.dmp

Filesize
320KB

Download
memory/3076-62-0x0000000005B10000-0x0000000005B20000-memory.dmp

Filesize
64KB

Download
memory/3076-57-0x0000000007050000-0x000000000709C000-memory.dmp

Filesize
304KB

Download
memory/3076-56-0x0000000006EE0000-0x0000000006F1C000-memory.dmp

Filesize
240KB

Download
memory/3076-20-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3076-21-0x0000000074720000-0x0000000074ED0000-memory.dmp

Filesize
7.7MB

Download
memory/3076-74-0x0000000074720000-0x0000000074ED0000-memory.dmp

Filesize
7.7MB

Download
memory/3076-25-0x0000000005F10000-0x00000000064B4000-memory.dmp

Filesize
5.6MB

Download
memory/3076-27-0x0000000005850000-0x00000000058E2000-memory.dmp

Filesize
584KB

Download
memory/3076-28-0x0000000005B10000-0x0000000005B20000-memory.dmp

Filesize
64KB

Download
memory/3076-55-0x0000000006E80000-0x0000000006E92000-memory.dmp

Filesize
72KB

Download
memory/3076-67-0x0000000008030000-0x00000000081F2000-memory.dmp

Filesize
1.8MB

Download
memory/3076-30-0x0000000005920000-0x000000000592A000-memory.dmp

Filesize
40KB

Download
memory/3076-47-0x0000000006640000-0x00000000066B6000-memory.dmp

Filesize
472KB

Download
memory/3076-48-0x0000000006DB0000-0x0000000006DCE000-memory.dmp

Filesize
120KB

Download
memory/3076-68-0x0000000008730000-0x0000000008C5C000-memory.dmp

Filesize
5.2MB

Download
memory/3076-51-0x00000000073F0000-0x0000000007A08000-memory.dmp

Filesize
6.1MB

Download
memory/3292-7-0x00000000044B0000-0x00000000044BB000-memory.dmp

Filesize
44KB

Download
memory/3292-4-0x0000000000400000-0x0000000004044000-memory.dmp

Filesize
60.3MB

Download
memory/3292-1-0x00000000040A0000-0x00000000041A0000-memory.dmp

Filesize
1024KB

Download
memory/3292-2-0x00000000044B0000-0x00000000044BB000-memory.dmp

Filesize
44KB

Download
memory/3332-69-0x0000000006E20000-0x0000000006E36000-memory.dmp

Filesize
88KB

Download
memory/3332-3-0x0000000002690000-0x00000000026A6000-memory.dmp

Filesize
88KB

Download
memory/3496-72-0x0000000000400000-0x0000000004044000-memory.dmp

Filesize
60.3MB

Download
memory/3496-61-0x00000000042B0000-0x00000000043B0000-memory.dmp

Filesize
1024KB

Download
memory/4068-182-0x000001D351CC0000-0x000001D351CD0000-memory.dmp

Filesize
64KB

Download
memory/4068-316-0x000001D351CC0000-0x000001D351CD0000-memory.dmp

Filesize
64KB

Download
memory/4068-285-0x000001D351CC0000-0x000001D351CD0000-memory.dmp

Filesize
64KB

Download
memory/4068-181-0x00007FFCE9C20000-0x00007FFCEA6E1000-memory.dmp

Filesize
10.8MB

Download
memory/4068-183-0x000001D351CC0000-0x000001D351CD0000-memory.dmp

Filesize
64KB

Download
memory/4068-253-0x00007FFCE9C20000-0x00007FFCEA6E1000-memory.dmp

Filesize
10.8MB

Download
memory/4124-148-0x0000000005520000-0x0000000005530000-memory.dmp

Filesize
64KB

Download
memory/4124-147-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/4124-176-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/4124-153-0x0000000008310000-0x000000000835C000-memory.dmp

Filesize
304KB

Download
memory/4124-168-0x0000000005520000-0x0000000005530000-memory.dmp

Filesize
64KB

Download
memory/4124-144-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4804-193-0x000001D5294F0000-0x000001D529500000-memory.dmp

Filesize
64KB

Download
memory/4804-205-0x000001D543660000-0x000001D54367E000-memory.dmp

Filesize
120KB

Download
memory/4804-204-0x000001D543690000-0x000001D543706000-memory.dmp

Filesize
472KB

Download
memory/4804-188-0x000001D529130000-0x000001D529144000-memory.dmp

Filesize
80KB

Download
memory/4804-190-0x000001D529500000-0x000001D52950C000-memory.dmp

Filesize
48KB

Download
memory/4804-189-0x00007FFCE9C20000-0x00007FFCEA6E1000-memory.dmp

Filesize
10.8MB

Download
memory/4804-194-0x000001D5435D0000-0x000001D5435E2000-memory.dmp

Filesize
72KB

Download
memory/4804-195-0x000001D5435C0000-0x000001D5435CA000-memory.dmp

Filesize
40KB

Download
memory/4804-344-0x00007FFCE9C20000-0x00007FFCEA6E1000-memory.dmp

Filesize
10.8MB

Download
memory/4804-192-0x000001D5435A0000-0x000001D5435AA000-memory.dmp

Filesize
40KB

Download
memory/4804-191-0x000001D5294F0000-0x000001D529500000-memory.dmp

Filesize
64KB

Download
memory/4988-146-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/4988-136-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/4988-135-0x0000000000650000-0x0000000000D6A000-memory.dmp

Filesize
7.1MB

Download
memory/4988-138-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download