Analysis
max time kernel: 150s
max time network: 143s
platform: windows7_x64
resource: win7v20210410
submitted: 07-05-2021 08:55
Static task: static1
Behavioral task: behavioral1
Sample: polas.exe
Resource: win7v20210410
Behavioral task: behavioral2
Sample: polas.exe
Resource: win10v20210408
General
Target: polas.exe
Size: 7.4MB
MD5: d15d3eb03c466f207dd401047da792bc
SHA1: cca4dd46f38bfc164a1840907a608fb657d471b0
SHA256: 6d0083394a549c135820010343353dcfa2929aeaa83f72a50ec60a7263f4ec90
SHA512: 432ff858e048358a323ed9dbbb533a2aad3648b521ffbc0e0d4cf5c02b5c65bd5b6e9f350736d65375a389efd36b4130fc1795a50f7d368a48d87afc50e7fdb4
Malware Config
Extracted
redline
@aBigF
ydmau.xyz:80
Signatures
-
Orcus Main Payload 6 IoCs
Processes:
resource  yara_rule
\Users\Admin\AppData\Roaming\1.v1mp.exe  family_orcus
C:\Users\Admin\AppData\Roaming\1.v1mp.exe  family_orcus
C:\Users\Admin\AppData\Roaming\1.v1mp.exe  family_orcus
C:\Users\Admin\AppData\Roaming\Java\javaUpdate.exe  family_orcus
C:\Users\Admin\AppData\Roaming\Java\javaUpdate.exe  family_orcus
C:\Users\Admin\AppData\Roaming\Java\javaUpdate.exe  family_orcus
-
Panda Stealer Payload 1 IoCs
Processes:
resource  yara_rule
behavioral1/memory/1352-96-0x0000000001340000-0x0000000001CE0000-memory.dmp  family_pandastealer
-
PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 3 IoCs
Processes:
resource  yara_rule
behavioral1/memory/1384-104-0x00000000004163C2-mapping.dmp  family_redline
behavioral1/memory/1384-103-0x0000000000400000-0x000000000041C000-memory.dmp  family_redline
behavioral1/memory/1384-107-0x0000000000400000-0x000000000041C000-memory.dmp  family_redline
-
Orcurs Rat Executable 6 IoCs
Processes:
resource  yara_rule
\Users\Admin\AppData\Roaming\1.v1mp.exe  orcus
C:\Users\Admin\AppData\Roaming\1.v1mp.exe  orcus
C:\Users\Admin\AppData\Roaming\1.v1mp.exe  orcus
C:\Users\Admin\AppData\Roaming\Java\javaUpdate.exe  orcus
C:\Users\Admin\AppData\Roaming\Java\javaUpdate.exe  orcus
C:\Users\Admin\AppData\Roaming\Java\javaUpdate.exe  orcus
-
Downloads MZ/PE file
-
Executes dropped EXE 12 IoCs
Processes:
WintWare.exe, 1.v1mp.exe, build.vmp.sfx.exe, Hack.exe, build.vmp.exe, WindowsInput.exe, WindowsInput.exe, javaUpdate.exe, javaUpdate.exe, System32.exe, System32.exe, build2.exe
pid  process
1496  WintWare.exe
1052  1.v1mp.exe
1800  build.vmp.sfx.exe
1724  Hack.exe
1352  build.vmp.exe
1636  WindowsInput.exe
1932  WindowsInput.exe
1148  javaUpdate.exe
1572  javaUpdate.exe
1732  System32.exe
1988  System32.exe
1808  build2.exe
-
Processes:
resource  yara_rule
\Users\Admin\AppData\Roaming\1.v1mp.exe  vmprotect
C:\Users\Admin\AppData\Roaming\1.v1mp.exe  vmprotect
C:\Users\Admin\AppData\Roaming\1.v1mp.exe  vmprotect
\Users\Admin\AppData\Local\Temp\build.vmp.exe  vmprotect
C:\Users\Admin\AppData\Local\Temp\build.vmp.exe  vmprotect
C:\Users\Admin\AppData\Local\Temp\build.vmp.exe  vmprotect
\Users\Admin\AppData\Local\Temp\build.vmp.exe  vmprotect
\Users\Admin\AppData\Local\Temp\build.vmp.exe  vmprotect
\Users\Admin\AppData\Local\Temp\build.vmp.exe  vmprotect
behavioral1/memory/1352-96-0x0000000001340000-0x0000000001CE0000-memory.dmp  vmprotect
C:\Users\Admin\AppData\Roaming\Java\javaUpdate.exe  vmprotect
C:\Users\Admin\AppData\Roaming\Java\javaUpdate.exe  vmprotect
behavioral1/memory/1148-129-0x0000000000E90000-0x0000000000E91000-memory.dmp  vmprotect
C:\Users\Admin\AppData\Roaming\Java\javaUpdate.exe  vmprotect
-
Loads dropped DLL 12 IoCs
Processes:
polas.exe, WintWare.exe, build.vmp.sfx.exe, AddInProcess32.exe
pid  process
480  polas.exe
480  polas.exe
480  polas.exe
1496  WintWare.exe
1496  WintWare.exe
1496  WintWare.exe
1496  WintWare.exe
1800  build.vmp.sfx.exe
1800  build.vmp.sfx.exe
1800  build.vmp.sfx.exe
1800  build.vmp.sfx.exe
1384  AddInProcess32.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
16  icanhazip.com
-
Drops file in System32 directory 3 IoCs
Processes:
1.v1mp.exe, WindowsInput.exe
description  ioc  process
File created  C:\Windows\SysWOW64\WindowsInput.exe.config  1.v1mp.exe
File created  C:\Windows\SysWOW64\WindowsInput.InstallState  WindowsInput.exe
File created  C:\Windows\SysWOW64\WindowsInput.exe  1.v1mp.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
Hack.exe
description  pid  process  target process
PID 1724 set thread context of 1384  1724  Hack.exe  AddInProcess32.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 10 IoCs
Processes:
resource  yara_rule
\Users\Admin\AppData\Local\Temp\WintWare.exe  nsis_installer_1
\Users\Admin\AppData\Local\Temp\WintWare.exe  nsis_installer_2
\Users\Admin\AppData\Local\Temp\WintWare.exe  nsis_installer_1
\Users\Admin\AppData\Local\Temp\WintWare.exe  nsis_installer_2
\Users\Admin\AppData\Local\Temp\WintWare.exe  nsis_installer_1
\Users\Admin\AppData\Local\Temp\WintWare.exe  nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\WintWare.exe  nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\WintWare.exe  nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\WintWare.exe  nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\WintWare.exe  nsis_installer_2
-
Processes:
Hack.exe
description  ioc  process
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13  Hack.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob  Hack.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
build.vmp.exeSystem32.exejavaUpdate.exeAddInProcess32.exebuild2.exepid process 1352 build.vmp.exe 1352 build.vmp.exe 1988 System32.exe 1988 System32.exe 1988 System32.exe 1148 javaUpdate.exe 1148 javaUpdate.exe 1148 javaUpdate.exe 1988 System32.exe 1148 javaUpdate.exe 1988 System32.exe 1148 javaUpdate.exe 1988 System32.exe 1148 javaUpdate.exe 1988 System32.exe 1148 javaUpdate.exe 1988 System32.exe 1148 javaUpdate.exe 1988 System32.exe 1148 javaUpdate.exe 1988 System32.exe 1148 javaUpdate.exe 1988 System32.exe 1148 javaUpdate.exe 1988 System32.exe 1148 javaUpdate.exe 1988 System32.exe 1148 javaUpdate.exe 1988 System32.exe 1148 javaUpdate.exe 1384 AddInProcess32.exe 1384 AddInProcess32.exe 1988 System32.exe 1148 javaUpdate.exe 1988 System32.exe 1148 javaUpdate.exe 1988 System32.exe 1148 javaUpdate.exe 1988 System32.exe 1148 javaUpdate.exe 1988 System32.exe 1148 javaUpdate.exe 1988 System32.exe 1148 javaUpdate.exe 1988 System32.exe 1148 javaUpdate.exe 1988 System32.exe 1148 javaUpdate.exe 1988 System32.exe 1148 javaUpdate.exe 1808 build2.exe 1808 build2.exe 1988 System32.exe 1148 javaUpdate.exe 1988 System32.exe 1148 javaUpdate.exe 1988 System32.exe 1148 javaUpdate.exe 1988 System32.exe 1148 javaUpdate.exe 1988 System32.exe 1148 javaUpdate.exe 1988 System32.exe 1148 javaUpdate.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
dw20.exe
pid  process
2000  dw20.exe
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
Hack.exe, javaUpdate.exe, System32.exe, System32.exe, AddInProcess32.exe, build2.exe
description  pid  process
Token: SeDebugPrivilege  1724  Hack.exe
Token: SeDebugPrivilege  1148  javaUpdate.exe
Token: SeDebugPrivilege  1732  System32.exe
Token: SeDebugPrivilege  1988  System32.exe
Token: SeDebugPrivilege  1384  AddInProcess32.exe
Token: SeDebugPrivilege  1808  build2.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
javaUpdate.exe
pid  process
1148  javaUpdate.exe
-
Suspicious use of WriteProcessMemory 59 IoCs
Processes:
polas.exeWintWare.exebuild.vmp.sfx.exe1.v1mp.exeHack.execsc.exetaskeng.exejavaUpdate.exeSystem32.exeAddInProcess32.exebuild2.exedescription pid process target process PID 480 wrote to memory of 1496 480 polas.exe WintWare.exe PID 480 wrote to memory of 1496 480 polas.exe WintWare.exe PID 480 wrote to memory of 1496 480 polas.exe WintWare.exe PID 480 wrote to memory of 1496 480 polas.exe WintWare.exe PID 1496 wrote to memory of 1052 1496 WintWare.exe 1.v1mp.exe PID 1496 wrote to memory of 1052 1496 WintWare.exe 1.v1mp.exe PID 1496 wrote to memory of 1052 1496 WintWare.exe 1.v1mp.exe PID 1496 wrote to memory of 1052 1496 WintWare.exe 1.v1mp.exe PID 1496 wrote to memory of 1800 1496 WintWare.exe build.vmp.sfx.exe PID 1496 wrote to memory of 1800 1496 WintWare.exe build.vmp.sfx.exe PID 1496 wrote to memory of 1800 1496 WintWare.exe build.vmp.sfx.exe PID 1496 wrote to memory of 1800 1496 WintWare.exe build.vmp.sfx.exe PID 1496 wrote to memory of 1724 1496 WintWare.exe Hack.exe PID 1496 wrote to memory of 1724 1496 WintWare.exe Hack.exe PID 1496 wrote to memory of 1724 1496 WintWare.exe Hack.exe PID 1496 wrote to memory of 1724 1496 WintWare.exe Hack.exe PID 1800 wrote to memory of 1352 1800 build.vmp.sfx.exe build.vmp.exe PID 1800 wrote to memory of 1352 1800 build.vmp.sfx.exe build.vmp.exe PID 1800 wrote to memory of 1352 1800 build.vmp.sfx.exe build.vmp.exe PID 1800 wrote to memory of 1352 1800 build.vmp.sfx.exe build.vmp.exe PID 1052 wrote to memory of 632 1052 1.v1mp.exe csc.exe PID 1052 wrote to memory of 632 1052 1.v1mp.exe csc.exe PID 1052 wrote to memory of 632 1052 1.v1mp.exe csc.exe PID 1724 wrote to memory of 1384 1724 Hack.exe AddInProcess32.exe PID 1724 wrote to memory of 1384 1724 Hack.exe AddInProcess32.exe PID 1724 wrote to memory of 1384 1724 Hack.exe AddInProcess32.exe PID 1724 wrote to memory of 1384 1724 Hack.exe AddInProcess32.exe PID 1724 wrote to memory of 1384 1724 Hack.exe AddInProcess32.exe PID 1724 wrote to memory of 1384 1724 Hack.exe 
AddInProcess32.exe PID 1724 wrote to memory of 1384 1724 Hack.exe AddInProcess32.exe PID 1724 wrote to memory of 1384 1724 Hack.exe AddInProcess32.exe PID 1724 wrote to memory of 1384 1724 Hack.exe AddInProcess32.exe PID 632 wrote to memory of 1828 632 csc.exe cvtres.exe PID 632 wrote to memory of 1828 632 csc.exe cvtres.exe PID 632 wrote to memory of 1828 632 csc.exe cvtres.exe PID 1052 wrote to memory of 1636 1052 1.v1mp.exe WindowsInput.exe PID 1052 wrote to memory of 1636 1052 1.v1mp.exe WindowsInput.exe PID 1052 wrote to memory of 1636 1052 1.v1mp.exe WindowsInput.exe PID 1052 wrote to memory of 1148 1052 1.v1mp.exe javaUpdate.exe PID 1052 wrote to memory of 1148 1052 1.v1mp.exe javaUpdate.exe PID 1052 wrote to memory of 1148 1052 1.v1mp.exe javaUpdate.exe PID 768 wrote to memory of 1572 768 taskeng.exe javaUpdate.exe PID 768 wrote to memory of 1572 768 taskeng.exe javaUpdate.exe PID 768 wrote to memory of 1572 768 taskeng.exe javaUpdate.exe PID 1148 wrote to memory of 1732 1148 javaUpdate.exe System32.exe PID 1148 wrote to memory of 1732 1148 javaUpdate.exe System32.exe PID 1148 wrote to memory of 1732 1148 javaUpdate.exe System32.exe PID 1148 wrote to memory of 1732 1148 javaUpdate.exe System32.exe PID 1732 wrote to memory of 1988 1732 System32.exe System32.exe PID 1732 wrote to memory of 1988 1732 System32.exe System32.exe PID 1732 wrote to memory of 1988 1732 System32.exe System32.exe PID 1732 wrote to memory of 1988 1732 System32.exe System32.exe PID 1384 wrote to memory of 1808 1384 AddInProcess32.exe build2.exe PID 1384 wrote to memory of 1808 1384 AddInProcess32.exe build2.exe PID 1384 wrote to memory of 1808 1384 AddInProcess32.exe build2.exe PID 1384 wrote to memory of 1808 1384 AddInProcess32.exe build2.exe PID 1808 wrote to memory of 2000 1808 build2.exe dw20.exe PID 1808 wrote to memory of 2000 1808 build2.exe dw20.exe PID 1808 wrote to memory of 2000 1808 build2.exe dw20.exe
Processes
C:\Users\Admin\AppData\Local\Temp\polas.exe
"C:\Users\Admin\AppData\Local\Temp\polas.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\WintWare.exe
  "C:\Users\Admin\AppData\Local\Temp\WintWare.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\1.v1mp.exe
    C:\Users\Admin\AppData\Roaming\1.v1mp.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vda8jauk.cmdline"
      - Suspicious use of WriteProcessMemory
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2DB6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2DB5.tmp"
      C:\Windows\SysWOW64\WindowsInput.exe
      "C:\Windows\SysWOW64\WindowsInput.exe" --install
      - Executes dropped EXE
      - Drops file in System32 directory
      C:\Users\Admin\AppData\Roaming\Java\javaUpdate.exe
      "C:\Users\Admin\AppData\Roaming\Java\javaUpdate.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Roaming\System32.exe
        "C:\Users\Admin\AppData\Roaming\System32.exe" /launchSelfAndExit "C:\Users\Admin\AppData\Roaming\Java\javaUpdate.exe" 1148 /protectFile
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Roaming\System32.exe
          "C:\Users\Admin\AppData\Roaming\System32.exe" /watchProcess "C:\Users\Admin\AppData\Roaming\Java\javaUpdate.exe" 1148 "/protectFile"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Roaming\build.vmp.sfx.exe
    C:\Users\Admin\AppData\Roaming\build.vmp.sfx.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\build.vmp.exe
      "C:\Users\Admin\AppData\Local\Temp\build.vmp.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
    C:\Users\Admin\AppData\Roaming\Hack.exe
    C:\Users\Admin\AppData\Roaming\Hack.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Roaming\build2.exe
        "C:\Users\Admin\AppData\Roaming\build2.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
          dw20.exe -x -s 968
          - Suspicious behavior: GetForegroundWindowSpam
C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
- Executes dropped EXE
C:\Windows\system32\taskeng.exe
taskeng.exe {F87E10A2-F37D-4B6A-8940-6AE1D42ACBA9} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\Java\javaUpdate.exe
  C:\Users\Admin\AppData\Roaming\Java\javaUpdate.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads