Analysis
-
max time kernel
793s -
max time network
795s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-es -
resource tags
-
submitted
19-03-2023 14:14
General
-
Target
Git2.zip
-
Size
7.3MB
-
MD5
35c1fb32c93adc5498e2e29bf7af4680
-
SHA1
a195535fa854f186a0fe1d74de24c26f110a5d44
-
SHA256
2194f49d4b349e23456b323abfc7167bf5927453590abd43cbdaca1dda9bcd68
-
SHA512
01c5a153e146272cad71207cb871e9de19d36f630329b9b5546f98257ea054d89b9b6e0a3669a86a5b4f67c8508061f010f0841d980f141423374b031f88c67f
-
SSDEEP
98304:h6Y2jb5ZT5CH0uzEDaLaBD0iH5n37cfrOHOFxFE2hhAOSBXcPZWPvb:B2xZ1e32N0iHFiTFEQA7DPT
Malware Config
Extracted
laplas
http://185.174.137.94
-
api_key
b54641cc29f95948635d659de94166b4528e39706396a99bb9c54497b2ee3421
Signatures
-
Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
-
XMRig Miner payload 12 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 15 IoCs
-
Loads dropped DLL 14 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks for any installed AV software in registry 1 TTPs 16 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 29 IoCs
-
Drops file in Windows directory 39 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Checks processor information in registry 2 TTPs 13 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 9 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 8 IoCs
-
Modifies registry class 16 IoCs
-
Modifies system certificate store 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 31 IoCs
-
Suspicious use of FindShellTrayWindow 19 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of SetWindowsHookEx 31 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Git2.zip1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Git2\" -spe -an -ai#7zMap22809:66:7zEvent64221⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Desktop\Git2\clifdthjsjkdgaoker.exe"C:\Users\Admin\Desktop\Git2\clifdthjsjkdgaoker.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Desktop\Git2\GUI_MODERNISTA.exe"C:\Users\Admin\Desktop\Git2\GUI_MODERNISTA.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\Git2\sdfsdfs.exe"C:\Users\Admin\Desktop\Git2\sdfsdfs.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"2⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C powershell -EncodedCommand "PAAjAEYAeQBvAGcATwB1ADgATwBPAEcANABHAGQAYQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjADQAUQA4ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAEgAaABtAHQAZQBGAGsAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYQBBAHUASwB2AGUAOAA4AFoATgBRADEARwAjAD4A"3⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "PAAjAEYAeQBvAGcATwB1ADgATwBPAEcANABHAGQAYQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjADQAUQA4ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAEgAaABtAHQAZQBGAGsAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYQBBAHUASwB2AGUAOAA4AFoATgBRADEARwAjAD4A"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\Dllhost\dllhost.exe"C:\ProgramData\Dllhost\dllhost.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json4⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json4⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\chcp.comchcp 12515⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json4⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json4⤵
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Dllhost\winlogson.exeC:\ProgramData\Dllhost\winlogson.exe -c config.json5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\chcp.comchcp 12515⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C echo К7фшрЩ7РE2 & SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo TpбPmBгешИCPЯ3⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C echo ЬUМ8гЩRфбЩЕЕцШфl & SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo КпДзCг08О3⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C powershell -EncodedCommand "PAAjAE0ENgQcBBcERgAzACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMALQRNAD4EFgQyAHEAOgQXBEQAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjADAAMgAZBEEESAAlBCMAPgAgAEAAKAAgADwAIwA5BGwATwAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAMAAXBBwEbwBEBFMASwB2ACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwAmBEMAMQBlAGQAMgQ/BFMAMgRBBCMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGIAJgROBCsEJQQeBDQEWQAqBCMAPgA="3⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "PAAjAE0ENgQcBBcERgAzACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMALQRNAD4EFgQyAHEAOgQXBEQAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjADAAMgAZBEEESAAlBCMAPgAgAEAAKAAgADwAIwA5BGwATwAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAMAAXBBwEbwBEBFMASwB2ACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwAmBEMAMQBlAGQAMgQ/BFMAMgRBBCMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGIAJgROBCsEJQQeBDQEWQAqBCMAPgA="4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C echo I0АCVDм & SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo Ъъъ7АшМДGHfХiЪЮgIGл3⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C echo ФЦRSwЪНQwВKэЪ8дЗООL & SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo лwlWнЭ3⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off & echo JтчOШБNvwш & SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo щzXф9ХwуадьЕKнБoВF3⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\powercfg.exepowercfg /x -hibernate-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\powercfg.exepowercfg /x -hibernate-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\powercfg.exepowercfg /x -standby-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\powercfg.exepowercfg /x -standby-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\powercfg.exepowercfg /hibernate off4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C powershell -EncodedCommand "PAAjAGUASAA5BC4EOAB2AGwAMQAWBCMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdABGABoEFwQ1AFIAQwQ2BC4ETgAaBGEAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAFEAZAAZBFYAIQQ2BDAAJwRNBGIAcAAwBC8EIwA+ACAAQAAoACAAPAAjAHIARQBaABMEOQBKAHEAYwBCACYEaAAaBDgAEgRlACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwApBEwEZAAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAdQAYBDEEHQRyACMERgQqBCMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAEQAOwR6ADUEUwBWADAASgQjAD4A"3⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "PAAjAGUASAA5BC4EOAB2AGwAMQAWBCMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdABGABoEFwQ1AFIAQwQ2BC4ETgAaBGEAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAFEAZAAZBFYAIQQ2BDAAJwRNBGIAcAAwBC8EIwA+ACAAQAAoACAAPAAjAHIARQBaABMEOQBKAHEAYwBCACYEaAAaBDgAEgRlACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwApBEwEZAAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAdQAYBDEEHQRyACMERgQqBCMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAEQAOwR6ADUEUwBWADAASgQjAD4A"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C powershell -EncodedCommand "PAAjAHkARQARBGEAOQAjBCMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMASQAWBDgEMAAnBFgAWAA2ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwAlBDQEWABKBHkAQQRBAEwEQwQ5BEoAIwA+ACAAQAAoACAAPAAjAHgAOQAdBD4EFQQjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAPwQ7BHkAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAHIATARKBCAEFgR6ABQEdgAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwA1BB8ERAAlBFYAQQRuAHAAIwA+AA=="3⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "PAAjAHkARQARBGEAOQAjBCMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMASQAWBDgEMAAnBFgAWAA2ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwAlBDQEWABKBHkAQQRBAEwEQwQ5BEoAIwA+ACAAQAAoACAAPAAjAHgAOQAdBD4EFQQjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAPwQ7BHkAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAHIATARKBCAEFgR6ABQEdgAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwA1BB8ERAAlBFYAQQRuAHAAIwA+AA=="4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C powershell -EncodedCommand "PAAjADYAOgRCBHIAOAQxBCwETQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEsATQQ4BFUAZQA/BCQEIgRmAFIAaAA1BHIAMAArBCMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwBUACoETwBKACAEIwA+ACAAQAAoACAAPAAjAFMAOgRxAGcAMARTAHoAMgRqAHMAIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAEwENwA2ABcEHgR4ADkEQAQ5AGMAdAAlBBYEIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAG4AEgQtBFIAHgQ0BCMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGsARwQjAD4A"3⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "PAAjADYAOgRCBHIAOAQxBCwETQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEsATQQ4BFUAZQA/BCQEIgRmAFIAaAA1BHIAMAArBCMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwBUACoETwBKACAEIwA+ACAAQAAoACAAPAAjAFMAOgRxAGcAMARTAHoAMgRqAHMAIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAEwENwA2ABcEHgR4ADkEQAQ5AGMAdAAlBBYEIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAG4AEgQtBFIAHgQ0BCMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGsARwQjAD4A"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C powershell -EncodedCommand "PAAjAFAAdABvAGsARgQ5AE8EEwQqBBoERAA0BDIEIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwB5AGEAQgQ2BDQEQQAaBCAEWQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAMQA0BGoAbgBLADwEPAQgBFEAEwQxAGkAIwA+ACAAQAAoACAAPAAjACEEOgRwACEESAQjBCMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBOAFQAdAB4ADQEJQR3ABEEGQQ/BGgANAAmBFIAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjACsEWgBFBEMEcgBpAFIATwAoBHEAcQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwAjBHIAPQRIAEMAcAA4ADYAaABGBCAEIwA+AA=="3⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "PAAjAFAAdABvAGsARgQ5AE8EEwQqBBoERAA0BDIEIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwB5AGEAQgQ2BDQEQQAaBCAEWQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAMQA0BGoAbgBLADwEPAQgBFEAEwQxAGkAIwA+ACAAQAAoACAAPAAjACEEOgRwACEESAQjBCMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBOAFQAdAB4ADQEJQR3ABEEGQQ/BGgANAAmBFIAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjACsEWgBFBEMEcgBpAFIATwAoBHEAcQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwAjBHIAPQRIAEMAcAA4ADYAaABGBCAEIwA+AA=="4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C echo HBСFфСЦDЗWЯxсГфЯЧл & SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo RLlpщижш9ЗСuшС3⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C echo kVЕзxЪюхКмшфЯnТKв & SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo ЕшхЮFCЫеJFЙХгЮл3⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C echo zRdщшsжer & SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo 5зd0шщgVфRмрty3⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C echo 9hcNBbpШiS & SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo ЙуЖVTrFМТfСFэт3⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 1482⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1088 -ip 10881⤵
-
C:\Users\Admin\Desktop\Git2\GUI_MODERNISTA.exe"C:\Users\Admin\Desktop\Git2\GUI_MODERNISTA.exe"1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/alxhlILI#hZ7PSegQ73pZinlqDi3_fdSbyn1s0irbAj6TPTlFRPY2⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ff8aff646f8,0x7ff8aff64708,0x7ff8aff647183⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,4778232588168988688,11435412738940406975,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,4778232588168988688,11435412738940406975,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=2348 /prefetch:33⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,4778232588168988688,11435412738940406975,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,4778232588168988688,11435412738940406975,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,4778232588168988688,11435412738940406975,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,4778232588168988688,11435412738940406975,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,4778232588168988688,11435412738940406975,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,4778232588168988688,11435412738940406975,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5960 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings3⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff6451b5460,0x7ff6451b5470,0x7ff6451b54804⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,4778232588168988688,11435412738940406975,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5960 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,4778232588168988688,11435412738940406975,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,4778232588168988688,11435412738940406975,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2052,4778232588168988688,11435412738940406975,131072 --lang=es --service-sandbox-type=audio --mojo-platform-channel-handle=5904 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,4778232588168988688,11435412738940406975,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4412 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/asRkjRSD#KOFfqwwIUHDAYQF7I_jmk7VP7MHdMnC6CpfjbOvffcs2⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8aff646f8,0x7ff8aff64708,0x7ff8aff647183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/asRkjRSD#KOFfqwwIUHDAYQF7I_jmk7VP7MHdMnC6CpfjbOvffcs2⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff8aff646f8,0x7ff8aff64708,0x7ff8aff647183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,2271000048878880829,3277211938889363448,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:33⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,2271000048878880829,3277211938889363448,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,2271000048878880829,3277211938889363448,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,2271000048878880829,3277211938889363448,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,2271000048878880829,3277211938889363448,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2152,2271000048878880829,3277211938889363448,131072 --lang=es --service-sandbox-type=audio --mojo-platform-channel-handle=4936 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,2271000048878880829,3277211938889363448,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,2271000048878880829,3277211938889363448,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2152,2271000048878880829,3277211938889363448,131072 --lang=es --service-sandbox-type=collections --mojo-platform-channel-handle=5496 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,2271000048878880829,3277211938889363448,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,2271000048878880829,3277211938889363448,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2268 /prefetch:23⤵
-
C:\Users\Admin\Desktop\Git2\sdfsdfs.exe"C:\Users\Admin\Desktop\Git2\sdfsdfs.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 1482⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4752 -ip 47521⤵
-
C:\Users\Admin\Desktop\Git2\clifdthjsjkdgaoker.exe"C:\Users\Admin\Desktop\Git2\clifdthjsjkdgaoker.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4f8 0x5081⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\ProgramData\Dllhost\dllhost.exeC:\ProgramData\Dllhost\dllhost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\CCleaner_v5.84.9126.exe"C:\Users\Admin\Desktop\CCleaner_v5.84.9126.exe"1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-RH3JN.tmp\CCleaner_v5.84.9126.tmp"C:\Users\Admin\AppData\Local\Temp\is-RH3JN.tmp\CCleaner_v5.84.9126.tmp" /SL5="$40430,24999940,166912,C:\Users\Admin\Desktop\CCleaner_v5.84.9126.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\CCleaner\CCleaner64.exe"C:\Program Files\CCleaner\CCleaner64.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\CCleaner\CCleaner64.exe"C:\Program Files\CCleaner\CCleaner64.exe" /monitor4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\ProgramData\Dllhost\dllhost.exeC:\ProgramData\Dllhost\dllhost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\CCleaner\CCEnhancer.exeFilesize
835KB
MD5928cb9009e248e648280270255d6d44b
SHA15ff1b16d9da12d5325a8169ee1d7a770e62d660a
SHA2564d025fad652ec6b890883f64e617f1e5dccfbff0dc857631695c6cf4315c1c23
SHA512e0a1e4e667d71853dca434309d48beeb1d2a04f89c7c8bfc94f7a8c8f1cc3ba948f78e06ab6dea9aaeb1fdc3d6f40840de31bf5e4032907698f68f120bcb24e2
-
C:\Program Files\CCleaner\CCleaner64.exeFilesize
33.5MB
MD5a49ac7fd0a2ab6427d59d3cf2995792c
SHA1cae8707bdf112a5684ed50991221d66453765c31
SHA2568645ddc0cf3099ad0928a69a576c69639facb481568962adb6aea4c197febbc7
SHA512eef787d1d26676511113ccc1f545f0840d635e27ad582bcc7c9c09240e523577246900ca5da2f4c41c7638c662807f09f2efee2575371a15b37eaa6acfb6af6a
-
C:\Program Files\CCleaner\gcapi_dll.dllFilesize
740KB
MD5f17f96322f8741fe86699963a1812897
SHA1a8433cab1deb9c128c745057a809b42110001f55
SHA2568b6ce3a640e2d6f36b0001be2a1abb765ae51e62c314a15911e75138cbb544bb
SHA512f10586f650a5d602287e6e7aeeaf688b275f0606e20551a70ea616999579acdf7ea2f10cebcfaa817dae4a2fc9076e7fa5b74d9c4b38878fbf590ffe0e7d81c9
-
C:\ProgramData\Dllhost\dllhost.exeFilesize
62KB
MD5e72d497c94bb1ed882ac98931f70e82e
SHA185c2c44e4addbdde87b49b33e252772126f9544e
SHA256d2e371810e8c7b1e039a02a578b1af0c6250665e85206b97a1ecb71aa5568443
SHA51278c71c5dc299146358140498d77a162e05265e40041aabdec0fd1a18624278117032f1a62918d1041b430dac3664658a37ec49fe2de5bae3bfe6d6cb7a5c3c4e
-
C:\ProgramData\Dllhost\dllhost.exeFilesize
62KB
MD5e72d497c94bb1ed882ac98931f70e82e
SHA185c2c44e4addbdde87b49b33e252772126f9544e
SHA256d2e371810e8c7b1e039a02a578b1af0c6250665e85206b97a1ecb71aa5568443
SHA51278c71c5dc299146358140498d77a162e05265e40041aabdec0fd1a18624278117032f1a62918d1041b430dac3664658a37ec49fe2de5bae3bfe6d6cb7a5c3c4e
-
C:\ProgramData\Dllhost\winlogson.exeFilesize
7.8MB
MD55385a40c6af4c73f43cfa5de46b9f05a
SHA1aec914b73e3c7b4efe0971d1a87e62de2b0776a4
SHA25621bc43587dc1f19ec6271e69fe709b18fdefdfbfc5971a3edf00e92cb1b77995
SHA5122273c25dcd4eb20c5cdf2d941a523362a680bbb341f2b64dcd17bbc40e66e60b2319fa0804cfa6303299b17ed6cd8d57b7e8efb465417b680370d922d8c89dd7
-
C:\ProgramData\Dllhost\winlogson.exeFilesize
7.8MB
MD55385a40c6af4c73f43cfa5de46b9f05a
SHA1aec914b73e3c7b4efe0971d1a87e62de2b0776a4
SHA25621bc43587dc1f19ec6271e69fe709b18fdefdfbfc5971a3edf00e92cb1b77995
SHA5122273c25dcd4eb20c5cdf2d941a523362a680bbb341f2b64dcd17bbc40e66e60b2319fa0804cfa6303299b17ed6cd8d57b7e8efb465417b680370d922d8c89dd7
-
C:\ProgramData\HostData\config.jsonFilesize
319B
MD5c5f8798ae874128f672a5530896be6c8
SHA1af8ea8134104bd02b44e9ba22cd0aec237274803
SHA2569f39bae97cbc0a943def6b6b954a57c45e938648b506a3b9196684cdbbb53a78
SHA5127f01c1aab052614e921974ccfcfacdc15afac8a0660cb89790233480eb9e64a0f0aa6fd3495e20708e54569456a83b8b70716e49fbb20d15d3227c11502f32fa
-
C:\ProgramData\HostData\config.jsonFilesize
319B
MD5c5f8798ae874128f672a5530896be6c8
SHA1af8ea8134104bd02b44e9ba22cd0aec237274803
SHA2569f39bae97cbc0a943def6b6b954a57c45e938648b506a3b9196684cdbbb53a78
SHA5127f01c1aab052614e921974ccfcfacdc15afac8a0660cb89790233480eb9e64a0f0aa6fd3495e20708e54569456a83b8b70716e49fbb20d15d3227c11502f32fa
-
C:\ProgramData\HostData\logs.uceFilesize
343B
MD5761fee773ec1e1eb396eddddeb321865
SHA1f969e9da9e90a5aef00730b8e1c3763ba2ac46c5
SHA25682273f8e42cee630011c8e931351186391c4ca9e126e5921db275564e1ef7fbb
SHA5123f648b7c88b1e0195acad5ad194b59f5de8f2bf9179b2cc330d7ef1a028d48141541545b2354137a2ab0105e92fb75d9e0e11c9250ee1bcb7a4f472de3637a5d
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadataFilesize
284B
MD5ee7c9af9870700ed9fd4d2391ea1ced7
SHA132002630eddac6f5397fd42e5b8e5961d618847a
SHA256ca86b0ab3dc7a9895a21abd65dc154945128283ae358a9eb077a274799cff591
SHA5125b8f61fb66f3f8b7d853c268fd7665772608ca99ae6603abf0668e3bfc64605af573077111aa89630f77124ae09b0538586fb56f9c6a019dbe444474e5d71e69
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadataFilesize
284B
MD5ee7c9af9870700ed9fd4d2391ea1ced7
SHA132002630eddac6f5397fd42e5b8e5961d618847a
SHA256ca86b0ab3dc7a9895a21abd65dc154945128283ae358a9eb077a274799cff591
SHA5125b8f61fb66f3f8b7d853c268fd7665772608ca99ae6603abf0668e3bfc64605af573077111aa89630f77124ae09b0538586fb56f9c6a019dbe444474e5d71e69
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\6e172ff6-3de9-48a0-888e-8f96a4847b99.dmpFilesize
6.7MB
MD5b5212f754ca25444331333b926bc3af9
SHA1d7583655dca3c0242cad7dbff7af202fcdf6cede
SHA25631b4bb1596648bb6d5e84d089a61ffaf724d3ae9ee964a3f03a0010a44a0ebb4
SHA5129ddbc4f3c4906816c8d17f382fc152051594e13e55f1be145c37b9e14aa22a34ba57b669cda5556d8c7b57e3b537d419989f5de23fb742e4bf440b859626cbf8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\6e172ff6-3de9-48a0-888e-8f96a4847b99.dmpFilesize
6.7MB
MD5b5212f754ca25444331333b926bc3af9
SHA1d7583655dca3c0242cad7dbff7af202fcdf6cede
SHA25631b4bb1596648bb6d5e84d089a61ffaf724d3ae9ee964a3f03a0010a44a0ebb4
SHA5129ddbc4f3c4906816c8d17f382fc152051594e13e55f1be145c37b9e14aa22a34ba57b669cda5556d8c7b57e3b537d419989f5de23fb742e4bf440b859626cbf8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\756bdfc8-2c15-466a-8a7e-2856fec5e9c4.dmpFilesize
1010KB
MD547e0e2b3673524932b4922680922f11e
SHA1a591e2429242193a88f922678c51f32634faf4df
SHA256bc955d92086859d45e1fbe312ff32daadcc83ad7e2fc13d91af7ab53a95389a8
SHA512dce8501910d87b354a0a1ab3c122acd4b0e7745aa71f47f3e661035db0b5be65bad8e3ca923cd43f2b1446fbcc118f563e63a393273cd825ca7e7204430eac4b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\756bdfc8-2c15-466a-8a7e-2856fec5e9c4.dmpFilesize
1010KB
MD547e0e2b3673524932b4922680922f11e
SHA1a591e2429242193a88f922678c51f32634faf4df
SHA256bc955d92086859d45e1fbe312ff32daadcc83ad7e2fc13d91af7ab53a95389a8
SHA512dce8501910d87b354a0a1ab3c122acd4b0e7745aa71f47f3e661035db0b5be65bad8e3ca923cd43f2b1446fbcc118f563e63a393273cd825ca7e7204430eac4b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD50820611471c1bb55fa7be7430c7c6329
SHA15ce7a9712722684223aced2522764c1e3a43fbb9
SHA256f00d04749a374843bd118b41f669f8b0a20d76526c34b554c3ccac5ebd2f4f75
SHA51277ea022b4265f3962f5e07a0a790f428c885da0cc11be0975285ce0eee4a2eec0a7cda9ea8f366dc2a946679b5dd927c5f94b527de6515856b68b8d08e435148
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5425e83cc5a7b1f8edfbec7d986058b01
SHA1432a90a25e714c618ff30631d9fdbe3606b0d0df
SHA256060a2e5f65b8f3b79a8d4a0c54b877cfe032f558beb0888d6f810aaeef8579bd
SHA5124bf074de60e7849ade26119ef778fe67ea47691efff45f3d5e0b25de2d06fcc6f95a2cfcdbed85759a5c078bb371fe57de725babda2f44290b4dc42d7b6001af
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5196fa921735300b51d03766ab8e7e07c
SHA1571fd8ae5598791c5fa08d00973ba036ad8cba53
SHA2567e240871aa850369ec8da866995ba7d802263a4814248c78b95e4ece7aeae716
SHA51267dc11e95501be16fb10c317ab0d62c533fa1ecd789edb532b5db1cc56248b95270dbd8f3292565be976d4f391ea304d3ae31ad07edd30037f97732318de1bb1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5196fa921735300b51d03766ab8e7e07c
SHA1571fd8ae5598791c5fa08d00973ba036ad8cba53
SHA2567e240871aa850369ec8da866995ba7d802263a4814248c78b95e4ece7aeae716
SHA51267dc11e95501be16fb10c317ab0d62c533fa1ecd789edb532b5db1cc56248b95270dbd8f3292565be976d4f391ea304d3ae31ad07edd30037f97732318de1bb1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD508e094dfd7ed3dae92cb40334456af97
SHA1e94210bc1341872b1dd62db592a525f2edc3b07a
SHA256147ba8f618afb0c5732c8cff18d630967b144e87e82bff55f3cefb33934d2269
SHA512412f46e076b10ea046a57fec50a47892f4fe20f91363941a220c03ed9f9d21d88a082537aa16129b02c470ab91fbad835e2b2404f87078ccac441b5cdb11b628
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD59e70fff5ed988a6fcc82427a6d972720
SHA1bf8d459c2dd55ec74718866e824b7f6cbb34607e
SHA2566c5cd175847f6a13e9bb7b0e8c4a81497229d3010e9f7a5845f9f67da6a0ae41
SHA512a26150b23ef562906fc51c8826a66b936b7e0be10139113a1098d4a04b449b955dbc6fdedaca17f3886f4f18b4ac595831e31f536fdfe0391630f30cf1e8508f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5fa6da26ebdcf1f199a11dcead131172d
SHA12ff968f65519a44852ca77ca478cdce136b39283
SHA256f62b4047c07984d2719728a89c4dc38e7e52f32e9acd041e7ccc3e23ac59037f
SHA512a610e45581a2aa378aaf4b7a6c1e39ecf96af952f28424837c2b37a2248c0b95dc54160eb765aeafb314cd9c68100bab74b318bc0d5327cc9efd69fe5c9a7475
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\3a195de8-73ce-41f1-8a61-81e816888e3c.tmpFilesize
4KB
MD57964dd954d7d25eb3581f058424bb136
SHA1f85a0c9f14d8821c098839b47016b463258194a8
SHA25691f0b45fa9ed61d9205b88d1c090ff38fdeba6945e8db85573cea03364756187
SHA512d882437bbb298b04d0e463c36565af6fa81f0ad0cc74b06d6f52779d552287965c9f61b60e082d2aff446cde4589d8d00e85e93adc1167741a90cf55adf02c06
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
48B
MD59ba7c3c23079df281ce7069e115358e2
SHA177cf7012304112ebcc360d3b10c4045e8cbfc3ba
SHA256375ea8e2fb0b8e25c0cb461fea5d888b7610532a3951d8cdae2639165b93c66f
SHA512586100fe49b3440c47830ff007f68faf2ddfe2481802a3dfae5657a7ffeebd65dfccd2a8cf411ea02b7ac61cb4416532d1cb9cedae5d3d9d19052c9b08e0768e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
72B
MD5772274fd0fc3363ac53fd3151229d161
SHA1a23282e02217aa843fd414b5da3731955eb041c6
SHA256cc2395addec049a67afc823b819b46cdf780605a1c2d036eec24589b16ac1f02
SHA512b644025dc8ce64fa837597c617a63654c6d0969905e84d5ac737b7bb2237996f9e2c0794f3a52a97a686e30ac53e2389a8c3a511d90b3b8225329aca48c75a77
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
72B
MD5a98173ca45f0b1567a02ef8ca314c61a
SHA14761ba74f8b4b6a01071cc12caeebb9e9bec01a3
SHA2564baaa74c3e5154a00c6561476a6c9eb231c1e36d8556c41fc588d598a51ad364
SHA512bd65e497009f93b79743ed665467eddff0e9677183f406e216f5f00fb1ec8982de8a7ca6543791108ffa33389f636288ad96625980e5378d82e5d77ea72e9afc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5ce91f.TMPFilesize
72B
MD51dd24b3ffb0cd5bc2d1a86830d4f004b
SHA14305e98892bd188b9e2576b9b332011c64ae10d7
SHA2560ce601a4ec083852c63ec35738ac0a963c31f0ee70ac9c3a197db6eec5babe2a
SHA5129640c683e22067a237037b669a3a214d5478bf4e790c20e0f9216aba4ef6305533b08d8979cbca2bc67e167483c7114ebc34257a051d6777477feea423fae71b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.icoFilesize
70KB
MD5e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\FaviconsFilesize
20KB
MD51fda7ea3dd3d6ed6dda6c4b5188a9a84
SHA1ec48a2209d8a8397d904d12079e9170a42f39caa
SHA2561086c6f85554b44df386216aeaa369e2b63e4e0bf47538c7de1483907ff585a1
SHA512d73008dda103cda5faf8bfce42117e2f0d874fab737a0660e838080798b280dd5afa603b577346736d6a060d20afcad429046b734d1f7f52b2d5f746052b1547
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons-journalFilesize
6KB
MD575f546768c3521665a5e92848b175038
SHA16c5b6dd8209fc4fdff34743a34c8e2db2f6f7d05
SHA2560f49b1ca5d3b9e7877b21933398f62e80721b54ce357296125ae20567c156841
SHA5128da20372f051180f95a87b24a9ff6253e71c796e6207db01a0a35bf985c56c300dc0cf7bde3fc29b1eadafe24337c5ff1d0bec52d7e89c4bffa5ab3681050a4e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\00\00000000Filesize
4.5MB
MD583fec13e3a1120a9df245cb8130c27e8
SHA187af2d9c53924ef9b5d2829d4424880dabef5429
SHA256287a7ebd230dbcb6e37beaf8fa47b8b6269b1105b1bb2bdfdde65dc0eb6c00e6
SHA512d6033c671a7993ee83a5b584e5e24b0c98e0a0bc2125659201080aea02808ff1947ac22f55ec8d88fc5db0445049624c6104763357d4e8664780b117ee87f790
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_0Filesize
8KB
MD5cf89d16bb9107c631daabf0c0ee58efb
SHA13ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA5128cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1Filesize
264KB
MD5a5428d9fad3a8c85898d7eab7a7ec72e
SHA1a540e57b142ccb3965b50c8a0ec4da7fa02d3744
SHA25692e8a0ef7610fd152d83d7b39c29c7b97de02f51ed2c8fc65afd2a3a0cb8a6b9
SHA512231fc3290fd985d8e800b71bfce62cbed44c927889c9a9e0d781ed3149e1977eb9b5049dd6e94fe2b09120a0e6f417c5edbb734d87e51c309aca8122ec0d735c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1Filesize
264KB
MD5d0d388f3865d0523e451d6ba0be34cc4
SHA18571c6a52aacc2747c048e3419e5657b74612995
SHA256902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b
SHA512376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\indexFilesize
256KB
MD54fb88c45943c28d0e40739b3f8cde061
SHA1bcb717a6e79f874ab4ec98e2bca133819d467ef7
SHA256c1186837221c689ca290df40159aac8cc4cc7b0910fad905f81ac99a798e5587
SHA512fd70e2005d3519bfde28b038959db2cd2e50fce100156b75fb1d9430941be073e18ecafac59891567c48add219a78507a105b6e6f068c6a69a9024ad97ce29a7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HistoryFilesize
124KB
MD5ed81b39cf5d39c64c1fbf100ae7ccf69
SHA14e0d8b8433fd3d75336bf07362048035331dbd91
SHA25640229806faf3c48a97417ccdea853e5d30fe52625997791954cb5561e51e11cd
SHA5126276856fba0208ea4efbc7bdccd9a75b03795ee0c499181a0691553dd53a07dd5f3f9cdd7f4ef00575c270cbcc2a8bd50d9b211662ece18596f60fb309e0910a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History-journalFilesize
28KB
MD54491dec20a632cff8b143fb9b64f0b6d
SHA19d5931e246e96491c5b188d672e348dfd42aca62
SHA2566611ca5130bb31c7462c384653d057cddd3670939e842b75e102c178f557cbc5
SHA5122c2598723c0f45f4fd5b5581be49b547a2cf07ffe4d31e0bb29579d424bd73add58601d622ca2cd4283162b6602a6fc8eaefa31fa7f8f3c56e61f545fad1bf7c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\000003.logFilesize
21KB
MD5025d86e81786322f35d3f177b2066656
SHA1b354901ded59b803134ab098472da9b664fb99c6
SHA25695c8cd438f923f20cacb099ba2c955939c4aad4d47f9d5c6c3025c24c9b1fb44
SHA512547936ef57b3734869dd4e4f52663398d31d3a83eab33bc3f3c4f0937e405df574279dc8ffe3da45a61a588f0a3095d95a511f770aa0f1f547bcaff6df2f04d0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.oldFilesize
378B
MD5027c1b1fcaa0813cc524feae1842da2e
SHA1fb2864f089da91a2e7dd025c45c567d761b87ec5
SHA25614ec3d1e9d6f347ecb4a14fa17472f2036d9f6d5f7c063723030b06a49e92f02
SHA5122856eb997417b35d18055679b76a0b9dc60dfc14469f65ff6c52be95c79e10546d9d640860cfff4360bfd79146ad02a0b9f55a90c0f7ac750acc9fb188400c8a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.oldFilesize
378B
MD531e64971743d68d610341d353814eb7e
SHA18a8611d2adf26a5f4f1757c30ce4b8117ab13961
SHA256bf1e6524e55dbf57727fab1de91b69e25d07bf23dd2e9164352e775aa2c0bed3
SHA5121a23bef2713fa7bd9971e23da51e1a188344213a1acb980368d05fa7ed723cb1e1956ea2af0f7f72cc1c542889ab7fbc6da73d7ff1070276e792d165b2915351
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old~RFe5bec9f.TMPFilesize
337B
MD5cf6239cee8a0a81bde40a85e584779c4
SHA11077aa6937a30685205140716dfa51c302f24309
SHA25695c195ac3f56a719fb3bc42b56658b936f1a5e6bc8b12a4cab8917553154c245
SHA5125ba0e03b28e14a3b6f5a41f8f92f0462b9132b26218e68bac1e1c922f87d791452cd05633966c65ec7889e1c8e655696503acef8b4f77353a6a36694af38ba5c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\MANIFEST-000001Filesize
23B
MD53fd11ff447c1ee23538dc4d9724427a3
SHA11335e6f71cc4e3cf7025233523b4760f8893e9c9
SHA256720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed
SHA51210a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnkFilesize
2KB
MD5ff8f80ff67e9d525f6573e503413e5be
SHA1baccf4b2f5d73c52e8f89721a39477bd42aeb549
SHA256baa5637f2d15d6c0927a0b37d614afe4b84421a3bd15248998c2b56f54a5aba5
SHA5122dc41eb9f6d8b98b141c89b9fd02deef68ce07d7a15eaff3d0cddf65791cbac3670fd4f632e25559c91654807f689a5ec24117f96445e576b0179ae9b7807c4b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD55522041fe5bfee70ea59ae3df62a55a4
SHA1704cac352709c2a0f99f2f3d20985e552e51e3bd
SHA256e4c93c7f4b7d4916de210b9783880d57f34fd881f0609969cdb06db10fa043a2
SHA512e9295983455c339ccec015ea492560b0e4d2cbe5ade2b26ba1351fd0b20fb404485604bc49b6caece7ef7544fcc46d29d60708125474e9b971f1af52315cee72
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD584e24efc2fe80a43207c6e45e6eae3e2
SHA17f7c0189c96448939312c0e98e11ed8902686c37
SHA2561a7a3c1457d87cd5aeb3342dbdf1473b62930d969b7a8282517525b8c63a9b16
SHA512964bf0eb897f3bf97b13d8ed15f001d8d76f25b78cd1b1478bed7aae52e04493236831c6e88049bc74456654a0287dd2cd95b185fb660443afb57c4342c3eec7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD584e24efc2fe80a43207c6e45e6eae3e2
SHA17f7c0189c96448939312c0e98e11ed8902686c37
SHA2561a7a3c1457d87cd5aeb3342dbdf1473b62930d969b7a8282517525b8c63a9b16
SHA512964bf0eb897f3bf97b13d8ed15f001d8d76f25b78cd1b1478bed7aae52e04493236831c6e88049bc74456654a0287dd2cd95b185fb660443afb57c4342c3eec7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5f4a2b7f28df43846778771779d4c2b08
SHA141748f505d0c6919cd04348fe3c3c0272f31375d
SHA256961f614aa5c915fa6e5668a5e8235694d4c4cfff825174a76d0547856ccdfc61
SHA512fbce9eefa83597b9935a4ce1778182d8e7f4a8751ad0e9366c0f519f0d02ab840786489a3450dec5f7ec41c9c6943951c4f36023ba727ec9529385983fe56e09
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD516342fa9b8cd9327c6b12fa91eb1a868
SHA11d8fd0460643c100befe7433ce97800f4c60cd42
SHA2560c1d818401f4d15b634c5b4ca5592b5100f5756873e0c35f84143e7ed9a45c8f
SHA5127e752c7169930ade59430113cd772a07c2e8948091266cf697bf13f62cc74f52081a45155ae57a4e98e3df205c10c5878ce0fdc56b8bd5cc581f29ce91d832ad
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5fd08cecf21bcec296be15beedfc0ed69
SHA1651507090b4e79ec4a5a36f3da46bf5bcc96d8a8
SHA2566a3147ade00584f99bab70a5e9b347525ec0cb76f7903723c97dc2e6ac51d34f
SHA5124c16ac68aee9aced028a8895e526fdd3be5ea3c62d2c873ad772c45a1a80c03488d336918caddf6768e68e8ba12573c307d5508192bb6ec24f298907e534d6c3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5811cbb7c6f446c23bc0a507e3f4245ce
SHA110e873ed79496e71b45450560761794ef2b9eb21
SHA256ad141368945ad7e62c4797999993a3d667437a0657fa08ad5ece4cfeb84eee1a
SHA5127d5fb4fe003c891e11cf46354a3a530dc989ae606bb6d908eac04aad509adcb5535a449897008c6805f179f3e51b9b7625022fe1ca18c3560bccb91be5cb6fb6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure PreferencesFilesize
24KB
MD5d53ac35ab3976e67caeed75c4d44ffc1
SHA1c139ab66d75dc06f98ada34b5baf4d5693266176
SHA256647867c7236bcb78b7d585b476d82a101a077fac43c78dc59e612253fbf69437
SHA512391355c71734ded913239a6db10a3202087e756bccc8e29411108f21b3f2460d9a9c606619aadd785285be70eddcf61ef9519441cd387cd3823c1399a6967cc2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure PreferencesFilesize
24KB
MD5d53ac35ab3976e67caeed75c4d44ffc1
SHA1c139ab66d75dc06f98ada34b5baf4d5693266176
SHA256647867c7236bcb78b7d585b476d82a101a077fac43c78dc59e612253fbf69437
SHA512391355c71734ded913239a6db10a3202087e756bccc8e29411108f21b3f2460d9a9c606619aadd785285be70eddcf61ef9519441cd387cd3823c1399a6967cc2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13323713097365761Filesize
28KB
MD59294b82fe57a99c37de1bf3adf265905
SHA18ac38792db186cf3f92b3e0a76e37798b2a6f29c
SHA256113a899bb7a1b89edfb6ca9fdd991cb42a3e0e411247bf86f4955b1245fc6cac
SHA512464013e9df5d639a6939af30a62de1d54c349253509cbf25e4226d2be0b3da52efaf88431270a4f59ac9eea03927048eac6044993843dfb168ffa63537d2a2c4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOGFilesize
350B
MD59f83b37873d4538afa2c20196f46d7af
SHA1826fead326e45479acd16a70b5868df8f856c4bb
SHA256aa7c38d54cecad1d1d050e560357089b5999a1354760d499a7fa3a31a372df89
SHA51223064d8f6790d9a6eed705a74dc9c75f8f952c8ffeae4e55e3b32153a094ef70007b8d44c47cdc3a266fd18a94ccc5e0c1245b1eae822ecfe4f6ebd49cdd925c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOGFilesize
326B
MD530b5c42575b87e894a46bb621f4db827
SHA1809d98113727734c15448fd23357f2a4ef4ade96
SHA256307996912845f8078cf73411c26ac8f5225981a4e98804f6c2c980a28119cc89
SHA51292250e2723d15e862e126cb7d06132dfeaa5655ba639b17c82bfd1e1b9431021a4f0a18416f3884505e75dc8b6285f7ce930bbdbdbcd5906cbd53604d2bf658c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Top SitesFilesize
20KB
MD5f44dc73f9788d3313e3e25140002587c
SHA15aec4edc356bc673cba64ff31148b934a41d44c4
SHA2562002c1e5693dd638d840bb9fb04d765482d06ba3106623ce90f6e8e42067a983
SHA512e556e3c32c0bc142b08e5c479bf31b6101c9200896dd7fcd74fdd39b2daeac8f6dc9ba4f09f3c6715998015af7317211082d9c811e5f9e32493c9ecd888875d7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
203B
MD50b1c623555bb6ba478ac3b6d2bb52b8c
SHA19d5e0290544c28b79cd7b8b1076f6a2ca7766aae
SHA2560ae5b7d89ba1b4ab60f9e1e38c1f8db603e42e104e54486996ad5568572b651f
SHA512acfa82c9d8a2a24502e3c5654debd8941c02225bf9f9632cdeff4cb695bbbdc90a6b0310b329260671116d083758bad3d4010cb44ddda46dc61eb1292b6db855
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited LinksFilesize
128KB
MD530dcce7269c3283b9323879014185bf2
SHA17e1920edceb2930f69410e23ba84f6ed6ec05c97
SHA256281cefc6e5d49641abd286dbc7d7b6bb9a4825f6188e069fd88d275914bc5649
SHA512584eb8194b401b56d6370cf2b1c60149e075600e73f41aa20aa00e3bef52aae2769de65289f9f8de696f217bd348110f22a10745b90b0d7e26518761aca5f3de
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web DataFilesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.dbFilesize
4KB
MD5d9f84c8cf73422f2ca07d7e7462b9534
SHA1cff6e092bf5bf1f3f47b7074847e204042a881ae
SHA2565bf7b14dde109f722782628bbcf3011a23cd2416e7621a62b49ee0333cdec6c2
SHA5121ea893c62d64304c35b9086e2c7e760716ea5ce220bafb76632670fcd2f97eca5c6693ff98004a861b190060c47c9d97ac92b41e3b1da1a4e8f89d9638548c38
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-walFilesize
1.8MB
MD5b2e1635eee49fef97a97f036af1d9374
SHA1c0df82c28338cc73a0c3e816df7b44a4b234409e
SHA256ca8862a3120f7491368f82956ace1d84bc0acde0eb9aabc6dd489068241dc6ea
SHA5121db1aed8af0359ceda41090d22bb647e2709455e954fca1f5379567f4e068734242b315f105a5de65aeaf906617f6d2aec5ce96af71f9bd7f07c5b2d8a3dbaa9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last VersionFilesize
11B
MD5838a7b32aefb618130392bc7d006aa2e
SHA15159e0f18c9e68f0e75e2239875aa994847b8290
SHA256ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA5129e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
9KB
MD5ad06728fa0047a6fc172cede4ce9db90
SHA1bbd3866c07a709de7209154db5718a73ed650701
SHA256a5aca6684b7be84a1c78469e9490a57319a80d0ad1ba626afc810c1e17638ca1
SHA5128fe0aac7958a4159ec224253fb21faf9051ed7c07605097a10d5b727c4615439939f3ce673735829c5a55c3661cd536d2247f72ec75e72eeb199d814a0a69e0b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD59cb0e3c165e3e8104bddcab0ec31abc2
SHA13cfdd33cdea1f5b514a12273f28218d8fb6b71af
SHA256616333521c9f9e20fcca7754b5e538ad89c6f9025509ad963a425b68b42d18c3
SHA5121192232beaa12ead148081da219f6201e648b1c9c28ac2accc47ba17683bce2ebfca0fbc299bf0d13a08088dd84b748b9ac351cb560a9ff7e561a216764e475c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5e121b168c490ffd38f1861a64973f32a
SHA1d26874ab0ed1ca879945a8e206589e10d01f76fe
SHA2563963b08e0a15f0ead7face777888bad799c77ed57712badbe219ab8cccc4725d
SHA512171dcdaaab2c2b23a76c4541774d97fbb8897d800d608e577a65dd14d50f88d40ab1bdc8ef46c77f39229943b0a63fac8243f9d03340c1ff4614dd250141de5a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5e121b168c490ffd38f1861a64973f32a
SHA1d26874ab0ed1ca879945a8e206589e10d01f76fe
SHA2563963b08e0a15f0ead7face777888bad799c77ed57712badbe219ab8cccc4725d
SHA512171dcdaaab2c2b23a76c4541774d97fbb8897d800d608e577a65dd14d50f88d40ab1bdc8ef46c77f39229943b0a63fac8243f9d03340c1ff4614dd250141de5a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
13KB
MD535da16330d6a70ef8886e16335ae9fbf
SHA18e378120e12981c178b8ce64028193cc8953bc0b
SHA256a6f52f7300819a4c97ebe8b17c1f92b074c3c6c96d977ac9b706ce8235a2c7df
SHA5122d999bd05f9e2f345ddbbebd934dda9021417e2fc6655e1b4f9dba0f39a70deaa6172c99a1330b409628837d9a84c47314972f8070c6e49d2d608ff156d2372d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
13KB
MD53c2f7e640760dc723c433759a8048930
SHA1017f55f746ed48137b4ee8b68a085c387d889b0d
SHA256896cf022b5e8db530e7a05ff43349385c9de69c461465c2b13cf13f05de2fcfb
SHA512186418f7c4959a2dd01da78de48bdfe2848b7a71b11465d0eb8af53f09e5d3e210dc663b922865b7d63fd7f8ea9faa62bc982a870b6937adc007c3f5ded7dbec
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LZ0AI98S\online[1].txtFilesize
2B
MD5444bcb3a3fcf8389296c49467f27e1d6
SHA17a85f4764bbd6daf1c3545efbbf0f279a6dc0beb
SHA2562689367b205c16ce32ed4200942b8b8b1e262dfc70d9bc9fbc77c49699a4f1df
SHA5129fbbbb5a0f329f9782e2356fa41d89cf9b3694327c1a934d6af2a9df2d7f936ce83717fb513196a4ce5548471708cd7134c2ae99b3c357bcabb2eafc7b9b7570
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S64KWKX9\regex[1].txtFilesize
633B
MD5c5298d2c78be8fdfc264eb6fe3e275f8
SHA1f09de5f443da081efaff0155f422ca0375edd164
SHA256de32b3c0549fde0dc5ac435a89f16a87832a0632b6602e75f552d07074081577
SHA5125aeb5013b00e13cd8a172639bc7c675bd06cc0473ae9844c9c324e5c322987ddeff986bd4a8e620ce0ca9d1098a3ee8bbb4802789d1e89b0ec0cecf2f55a4853
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD5df336f89f03efe85f95b9f1c9de65336
SHA14851a8ec0c5423f828251a5e9635078ca6d21632
SHA256ff87b99dfc80f2399241b061c0cdb61df3002f6dc9540b27c526277278eed286
SHA5126588fe0a5b217469ae8a2293a4ee88bd64c4762c74488aec0e1aa7088dcea8bb2bb8c10fe5ff68c88e7e4cce1f550da3bd3c68b7eed1b351a338451db6786b29
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD5f9c85084a52243ee8398d542c9018ac6
SHA1497da7aba193ff809f53ed67bda160e8c31bea1d
SHA256ef529f0c501ba287a6bc459a9d57cb6175fce5663d3d13b0d540b11b7dba0387
SHA5126f55ce49c43054abb870816cb8be5a5ae1c5bed9648d886a39d122cd8f135d98805b1c957ab69925ca7dc4ff41d879d91f1cf6a3fbd640f7af0fbbb7931be9d9
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD5f9c85084a52243ee8398d542c9018ac6
SHA1497da7aba193ff809f53ed67bda160e8c31bea1d
SHA256ef529f0c501ba287a6bc459a9d57cb6175fce5663d3d13b0d540b11b7dba0387
SHA5126f55ce49c43054abb870816cb8be5a5ae1c5bed9648d886a39d122cd8f135d98805b1c957ab69925ca7dc4ff41d879d91f1cf6a3fbd640f7af0fbbb7931be9d9
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD51d6d2a18e1a767bfbdd549e35d9b2919
SHA1db6f6ecae266d18fb30537cd9a889382ae7f5515
SHA2565426ca770be3dc01161eff6e8b93b1a22877e308650194a24d5350177369b91a
SHA5124b021fe5269700e90f7d6f035a2d8932c227d81a51a717f21a180abd42981e57b800471490646c6585f6140900dee122b4aeccb0e0cad1342513e8098a94c740
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD51d6d2a18e1a767bfbdd549e35d9b2919
SHA1db6f6ecae266d18fb30537cd9a889382ae7f5515
SHA2565426ca770be3dc01161eff6e8b93b1a22877e308650194a24d5350177369b91a
SHA5124b021fe5269700e90f7d6f035a2d8932c227d81a51a717f21a180abd42981e57b800471490646c6585f6140900dee122b4aeccb0e0cad1342513e8098a94c740
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.logFilesize
512KB
MD5d5270a27ac29bd02817730dc825ef971
SHA15fcc612b70c724300040a72ccb462e34d595bcac
SHA256712dc15fe153fa2331e7229867fb76adb0e55668e33d17e660babd565fdfbe33
SHA512a172f5e93c7efd4090a2edb001e772f07360f3dda6a7261f63692ab2c95f8343b2876d498d20000e3760d3e919cb7fa85005f51747733a5c4f2fb44235b21310
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.datFilesize
14.0MB
MD5553de552f5f1bd1b2f81963515e5fb92
SHA1cb279504b6d1e5e1565b67e79d7641df0b1240c7
SHA2568708738898eed492a0b94bb8d44bc6181c63d939acab4749cac7962dbb095434
SHA512d3e234fa2b4bba1129e76cf89bf01668d26125d2d526eb7219f9a0138d17d96b354afbb40120842c50302cc61f1109d0358d5fc3d9f37510a59e6e77f25f6937
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfmFilesize
16KB
MD52a4030e6ada3edd8f957d64ac5e95016
SHA127bd5595c7cdf320da02bf6a672042ff3500237f
SHA2564686302ef8edcb56f2859da55326cd270fa9200154058f6f6bcabd2c9eeafa52
SHA5120e7305bc25b5ead3fff4afba7fbe42f84e556055f972a75935de8a2b5eeed0f3edc785dac4f5ddadc68ed6a02b43301ef1cff3c1782aa6ca47894860e3d99b92
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfmFilesize
16KB
MD599600415dbd98d2a0f2e2f2beb31dcbf
SHA1fc06f8009d1c9ffab823acc0a9c5ba33d329c014
SHA256196835788e32d4a69f39096a23295dd80e1db86b2531579de3c64626974685f0
SHA512ecc39e0ccf2ccee0e82734cc6471b6c8716afe808a5fcd62fc483ea93fc9d9a8ff2f567416cff5c41a00d88b3fdc0dc1b307a07d880400b52f9d2559b649e205
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qaxrblac.ydg.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\is-PHVL2.tmp\1.pngFilesize
17KB
MD501975f781549e90c099201bd9ec59611
SHA144e2909c7e832916d1d7355b277e720b22fcd31e
SHA256d8befc4f53bf858386d5f5d3fc0931a89b84f3df7bf96b306c69e0a3e921178e
SHA51236d91f1369803045f9a59854acc5f67f88eaa509baae7660f9d745231849f10629e7fac5e4139d1b98366704a31f630e3176c929121ef29bd8263ffafaae1cb8
-
C:\Users\Admin\AppData\Local\Temp\is-PHVL2.tmp\Installer net.pngFilesize
11KB
MD51c5bfe3b17ae62449e5f9e42b762f33b
SHA147f77205abb1318baf5e3add0670b7ee9fbb8f24
SHA256567a2d3cea865f672b63e6ff44fc7091173a79fa840c9d20286ecd5429029823
SHA51207e8c8f38e4e8477248092656af2e6844e325e301647a84efd2435d9cf3e5876e17dc1baaf18435f7a90459a6ce35b47fee36f3098b74604e48c87072210cced
-
C:\Users\Admin\AppData\Local\Temp\is-PHVL2.tmp\Portable.pngFilesize
23KB
MD589475a0f65e50ee9c484967ebc348ab7
SHA106ba9bcdada628fc6b0a77437c8f700004ae4648
SHA2565f9ca566d37e1f25d19bbf5f885862808cb6b3d1a4dbcca5af812a58ae6fedf9
SHA512d062a31dc8cacc15159e96b18f8aaa01c4457cacc7e0f6cf78b78bc30600dadfc3d12932d6ba72b03197df7d3c2d86757c474774bca3c430d7d0c8710713b0c8
-
C:\Users\Admin\AppData\Local\Temp\is-PHVL2.tmp\icon.pngFilesize
3KB
MD56c8630ca7cbcaabf9280dfc4b7bc57bd
SHA1b51792a4cb96dacbe52c9f8ab91d5f5063dc5823
SHA2568caaa6de2cfbaa3216a4545f2f996f084f1ecf313a6b04508bed453b7d31ea71
SHA5126e10e2be2adbf4092b539ca0ebb87ca96f41df0cebe464175584ec8b9b769182ba6dd6e4e5cc750c3320a2e25d1c69fda6422688497c0bb73edecef127b4c43c
-
C:\Users\Admin\AppData\Local\Temp\is-PHVL2.tmp\port neaktiv.pngFilesize
11KB
MD5893aa141cf93c75adeeb0f4e7ec917bc
SHA136bb3105e25671d2aa0da41e6f906f5bc24119f9
SHA256f87de21bac4f7ee32d32f65c6754f57057bcb8b00376f13a9275e86b722c2fd9
SHA5120a630b83b4ad69ccd0a5d48999e8702e3d8e72208a50e0b3efaecaca87d71995b8bc55c1a19918cff75710ad086d552a57bd1e861e7db2303959dc3ba2e7fb87
-
C:\Users\Admin\AppData\Local\Temp\is-PHVL2.tmp\rus.jpgFilesize
518B
MD5984e83b2c84432b701406ccfb3dc1833
SHA16256e604e1cb5150cdd671a95370462d9c23d7c9
SHA25699df3855b486051f565c2625b9d6b3a49e90510687c7ad1f5f0de0e9046d11d5
SHA51236430a272cbc617c569c54975dc7d95d8640dddce40610ed40a623d2c5b3f5c5d2248a68cb1eb6d6398b0ae449281585976c118ffb8a3b523372b21135088a3d
-
C:\Users\Admin\AppData\Local\Temp\is-PHVL2.tmp\stac.pngFilesize
15KB
MD5eaec12cf0e741d23cbf1a100e7dee23e
SHA1d4e20ea202eccedb63c35ee138726fadf16abd9f
SHA256b38e0315691adf47090665ec21aee0c0cb5014246cfe0edf0c1f1ff36c45d2ac
SHA512344c5f14efc854f579e925928ff3b95e213f4cf325e1d80359d7ea756b11f11d756338a921a370f6308abe78981f8f5808f4941b4646d31c7ee1819bb8216c50
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-msFilesize
3KB
MD57451354c5680187b61801d38c9aa37f8
SHA1de6f25e14c47eacd54a38c0c8d9bcb9499c64b3e
SHA256733df25f9eb4a75ada97cab20eb8195651cf0d4a515221caff4739c207837007
SHA512dade7c8603b96efed230a61e652d64ca28e8ecdae1a63f62238a32f829fbf514e5187a69b84ac772f7e4ecbff53424adbccde6833babd7ff5092d70346c8d24c
-
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exeFilesize
721.5MB
MD5188f8a27a8163e695b4f0dfa56908a2f
SHA1bee8fec22edf802e42a3bafa5c1480bf5041eca9
SHA25660413f7a5d69f1cb029900cc2d37eb65b580d71a191120206964c2ebea647b5b
SHA51237e1dce2f7db290ed9bd853c9ad3498c4b0175046fcd53d8dd8cb6de6ddb031a6676bb3384782555ca25d609c2ee23f6600c2e354793211a3bf7f7b3082b2be7
-
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exeFilesize
721.5MB
MD5188f8a27a8163e695b4f0dfa56908a2f
SHA1bee8fec22edf802e42a3bafa5c1480bf5041eca9
SHA25660413f7a5d69f1cb029900cc2d37eb65b580d71a191120206964c2ebea647b5b
SHA51237e1dce2f7db290ed9bd853c9ad3498c4b0175046fcd53d8dd8cb6de6ddb031a6676bb3384782555ca25d609c2ee23f6600c2e354793211a3bf7f7b3082b2be7
-
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exeFilesize
721.5MB
MD5188f8a27a8163e695b4f0dfa56908a2f
SHA1bee8fec22edf802e42a3bafa5c1480bf5041eca9
SHA25660413f7a5d69f1cb029900cc2d37eb65b580d71a191120206964c2ebea647b5b
SHA51237e1dce2f7db290ed9bd853c9ad3498c4b0175046fcd53d8dd8cb6de6ddb031a6676bb3384782555ca25d609c2ee23f6600c2e354793211a3bf7f7b3082b2be7
-
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exeFilesize
721.5MB
MD5188f8a27a8163e695b4f0dfa56908a2f
SHA1bee8fec22edf802e42a3bafa5c1480bf5041eca9
SHA25660413f7a5d69f1cb029900cc2d37eb65b580d71a191120206964c2ebea647b5b
SHA51237e1dce2f7db290ed9bd853c9ad3498c4b0175046fcd53d8dd8cb6de6ddb031a6676bb3384782555ca25d609c2ee23f6600c2e354793211a3bf7f7b3082b2be7
-
C:\Users\Admin\Desktop\Git2\GUI_MODERNISTA.exeFilesize
53KB
MD56986f1d3d40626f825b3ebf0415fc54c
SHA14e498030af12be1c971aa8b06178c24266d39197
SHA2567e84d74990b3b4a9807b3072a2637c0c7035b2e9bc4f6e603b9f1766172fbf3e
SHA51202d095629b9fcd4d7e9b0e156adfd1da41e398848f7c37eb364dfac1636baa6933d95ffebe6083cd4eaafab09d341233ae4e83b47cfeb4e2dc73a30da85c822b
-
C:\Users\Admin\Desktop\Git2\GUI_MODERNISTA.exeFilesize
53KB
MD56986f1d3d40626f825b3ebf0415fc54c
SHA14e498030af12be1c971aa8b06178c24266d39197
SHA2567e84d74990b3b4a9807b3072a2637c0c7035b2e9bc4f6e603b9f1766172fbf3e
SHA51202d095629b9fcd4d7e9b0e156adfd1da41e398848f7c37eb364dfac1636baa6933d95ffebe6083cd4eaafab09d341233ae4e83b47cfeb4e2dc73a30da85c822b
-
C:\Users\Admin\Desktop\Git2\GUI_MODERNISTA.exeFilesize
53KB
MD56986f1d3d40626f825b3ebf0415fc54c
SHA14e498030af12be1c971aa8b06178c24266d39197
SHA2567e84d74990b3b4a9807b3072a2637c0c7035b2e9bc4f6e603b9f1766172fbf3e
SHA51202d095629b9fcd4d7e9b0e156adfd1da41e398848f7c37eb364dfac1636baa6933d95ffebe6083cd4eaafab09d341233ae4e83b47cfeb4e2dc73a30da85c822b
-
C:\Users\Admin\Desktop\Git2\clifdthjsjkdgaoker.exeFilesize
7.5MB
MD5fb0deff37fe12bbc4f0c1fe21e2d15ef
SHA1180325b8b6e64638e167601c67cd9c53331ba9f6
SHA256ece100b8240f7eb032cb319a019eba1552ac19f563a291cf8422b1090ccf9b76
SHA5129fc013111994e943fd800abeb543563713eebebcd940b28973809a40d85271f0ed781dd95ca508e55788de2e2a575b1cb8734636f15b51a9d68f773b2cb4e73d
-
C:\Users\Admin\Desktop\Git2\clifdthjsjkdgaoker.exeFilesize
7.5MB
MD5fb0deff37fe12bbc4f0c1fe21e2d15ef
SHA1180325b8b6e64638e167601c67cd9c53331ba9f6
SHA256ece100b8240f7eb032cb319a019eba1552ac19f563a291cf8422b1090ccf9b76
SHA5129fc013111994e943fd800abeb543563713eebebcd940b28973809a40d85271f0ed781dd95ca508e55788de2e2a575b1cb8734636f15b51a9d68f773b2cb4e73d
-
C:\Users\Admin\Desktop\Git2\clifdthjsjkdgaoker.exeFilesize
7.5MB
MD5fb0deff37fe12bbc4f0c1fe21e2d15ef
SHA1180325b8b6e64638e167601c67cd9c53331ba9f6
SHA256ece100b8240f7eb032cb319a019eba1552ac19f563a291cf8422b1090ccf9b76
SHA5129fc013111994e943fd800abeb543563713eebebcd940b28973809a40d85271f0ed781dd95ca508e55788de2e2a575b1cb8734636f15b51a9d68f773b2cb4e73d
-
C:\Users\Admin\Desktop\Git2\sdfsdfs.exeFilesize
214KB
MD58882daf740d94819afcce024bce34a37
SHA14bdb80e664638201f393a49e5577886683d54662
SHA256a5ea48e864640a9562da03abdd54cfa617a4699cec0238299bdda5ccb28cfe8d
SHA5126ba0c7863713c4334ce511ee7ea7460ea6dacdb243008fae1556a3db7740e6ae53f30e03309f3cc3bf0394328f470a880bf8ed31ee7552ef47dd3823a6ef4c97
-
C:\Users\Admin\Desktop\Git2\sdfsdfs.exeFilesize
214KB
MD58882daf740d94819afcce024bce34a37
SHA14bdb80e664638201f393a49e5577886683d54662
SHA256a5ea48e864640a9562da03abdd54cfa617a4699cec0238299bdda5ccb28cfe8d
SHA5126ba0c7863713c4334ce511ee7ea7460ea6dacdb243008fae1556a3db7740e6ae53f30e03309f3cc3bf0394328f470a880bf8ed31ee7552ef47dd3823a6ef4c97
-
C:\Users\Admin\Desktop\Git2\sdfsdfs.exeFilesize
214KB
MD58882daf740d94819afcce024bce34a37
SHA14bdb80e664638201f393a49e5577886683d54662
SHA256a5ea48e864640a9562da03abdd54cfa617a4699cec0238299bdda5ccb28cfe8d
SHA5126ba0c7863713c4334ce511ee7ea7460ea6dacdb243008fae1556a3db7740e6ae53f30e03309f3cc3bf0394328f470a880bf8ed31ee7552ef47dd3823a6ef4c97
-
C:\Users\Admin\Downloads\CCleaner_1212.zipFilesize
24.3MB
MD5f0c845927447a0223ae0f50cad0e09e0
SHA120df3e274527294cf39a2ff602026210621542ff
SHA256150a1274a8240d88eccacad70db45407d9c0b06f473093e8536531e242332bdb
SHA5124088607ab833637fa3ac0a7a40db1d91300c54647a894312e9f28f9c1752bd91fd36334a2a79298134bf51ff9d750912d461ba02f362e80d50f9c3a637fa6834
-
C:\Windows\system32\drivers\etc\hostsFilesize
6KB
MD5b5b346638148150a5fbf6261654622a8
SHA17d78a67b0d48a81b113506d38e1e57db7f56a730
SHA25660e90f89a143a20c777877c0c7a3d735e1e6e8651e95e2f121adcb72fe0075dc
SHA51261f25fb25aabb0d8394053b864b0bd697399ae58b095a5972b1bd553c4c5483f7fdc25b1b82779ea990590046ee348fa0337dac0746c29308d574f58a8ffe767
-
\??\pipe\LOCAL\crashpad_1288_QIKRDTEBMTDTCWOYMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\LOCAL\crashpad_5396_YKMNUJWFFWTOJSIVMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/980-168-0x0000000005060000-0x0000000005070000-memory.dmpFilesize
64KB
-
memory/980-222-0x0000000005060000-0x0000000005070000-memory.dmpFilesize
64KB
-
memory/980-161-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/980-166-0x0000000007740000-0x00000000077A6000-memory.dmpFilesize
408KB
-
memory/1560-316-0x0000000002980000-0x0000000002990000-memory.dmpFilesize
64KB
-
memory/1560-260-0x0000000002980000-0x0000000002990000-memory.dmpFilesize
64KB
-
memory/1560-361-0x000000007F610000-0x000000007F620000-memory.dmpFilesize
64KB
-
memory/1560-261-0x0000000002980000-0x0000000002990000-memory.dmpFilesize
64KB
-
memory/1560-331-0x000000006EEE0000-0x000000006EF2C000-memory.dmpFilesize
304KB
-
memory/2568-314-0x0000000005220000-0x0000000005230000-memory.dmpFilesize
64KB
-
memory/2568-219-0x0000000005220000-0x0000000005230000-memory.dmpFilesize
64KB
-
memory/2568-312-0x0000000005220000-0x0000000005230000-memory.dmpFilesize
64KB
-
memory/2568-220-0x0000000005220000-0x0000000005230000-memory.dmpFilesize
64KB
-
memory/2680-379-0x00000000039F0000-0x00000000039F1000-memory.dmpFilesize
4KB
-
memory/2680-385-0x0000000003B60000-0x0000000003B61000-memory.dmpFilesize
4KB
-
memory/2680-378-0x00000000039E0000-0x00000000039E1000-memory.dmpFilesize
4KB
-
memory/2680-386-0x0000000003B70000-0x0000000003B71000-memory.dmpFilesize
4KB
-
memory/2680-381-0x0000000003A20000-0x0000000003A21000-memory.dmpFilesize
4KB
-
memory/2680-382-0x0000000003B40000-0x0000000003B41000-memory.dmpFilesize
4KB
-
memory/2680-384-0x0000000003B50000-0x0000000003B51000-memory.dmpFilesize
4KB
-
memory/2680-387-0x0000000000FF0000-0x0000000001B9B000-memory.dmpFilesize
11.7MB
-
memory/2680-380-0x0000000003A00000-0x0000000003A01000-memory.dmpFilesize
4KB
-
memory/3000-1037-0x0000000000400000-0x0000000000EFC000-memory.dmpFilesize
11.0MB
-
memory/3000-1078-0x0000000000400000-0x0000000000EFC000-memory.dmpFilesize
11.0MB
-
memory/3000-1057-0x0000000000400000-0x0000000000EFC000-memory.dmpFilesize
11.0MB
-
memory/3000-1088-0x0000000000400000-0x0000000000EFC000-memory.dmpFilesize
11.0MB
-
memory/3000-757-0x00000000015D0000-0x00000000015F0000-memory.dmpFilesize
128KB
-
memory/3000-764-0x0000000000400000-0x0000000000EFC000-memory.dmpFilesize
11.0MB
-
memory/3000-1007-0x0000000000400000-0x0000000000EFC000-memory.dmpFilesize
11.0MB
-
memory/3000-836-0x0000000000400000-0x0000000000EFC000-memory.dmpFilesize
11.0MB
-
memory/3000-957-0x0000000000400000-0x0000000000EFC000-memory.dmpFilesize
11.0MB
-
memory/3100-1089-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/3144-224-0x0000000000500000-0x0000000000528000-memory.dmpFilesize
160KB
-
memory/3156-146-0x0000000000B90000-0x0000000000B91000-memory.dmpFilesize
4KB
-
memory/3156-156-0x0000000000C30000-0x0000000000C31000-memory.dmpFilesize
4KB
-
memory/3156-155-0x0000000000C20000-0x0000000000C21000-memory.dmpFilesize
4KB
-
memory/3156-152-0x0000000000C00000-0x0000000000C01000-memory.dmpFilesize
4KB
-
memory/3156-153-0x0000000000C10000-0x0000000000C11000-memory.dmpFilesize
4KB
-
memory/3156-150-0x0000000000BF0000-0x0000000000BF1000-memory.dmpFilesize
4KB
-
memory/3156-149-0x0000000000BC0000-0x0000000000BC1000-memory.dmpFilesize
4KB
-
memory/3156-157-0x0000000000F40000-0x0000000001AEB000-memory.dmpFilesize
11.7MB
-
memory/3156-148-0x0000000000BA0000-0x0000000000BA1000-memory.dmpFilesize
4KB
-
memory/3180-212-0x0000000008030000-0x000000000804A000-memory.dmpFilesize
104KB
-
memory/3180-186-0x0000000006890000-0x0000000006992000-memory.dmpFilesize
1.0MB
-
memory/3180-189-0x0000000006FF0000-0x0000000007022000-memory.dmpFilesize
200KB
-
memory/3180-171-0x0000000005800000-0x0000000005882000-memory.dmpFilesize
520KB
-
memory/3180-172-0x0000000005FF0000-0x0000000006012000-memory.dmpFilesize
136KB
-
memory/3180-190-0x000000006F930000-0x000000006F97C000-memory.dmpFilesize
304KB
-
memory/3180-173-0x0000000006190000-0x00000000061F6000-memory.dmpFilesize
408KB
-
memory/3180-200-0x0000000006FC0000-0x0000000006FDE000-memory.dmpFilesize
120KB
-
memory/3180-174-0x0000000005280000-0x0000000005290000-memory.dmpFilesize
64KB
-
memory/3180-180-0x0000000005280000-0x0000000005290000-memory.dmpFilesize
64KB
-
memory/3180-185-0x0000000006170000-0x0000000006180000-memory.dmpFilesize
64KB
-
memory/3180-201-0x0000000008370000-0x00000000089EA000-memory.dmpFilesize
6.5MB
-
memory/3180-188-0x0000000005280000-0x0000000005290000-memory.dmpFilesize
64KB
-
memory/3180-202-0x0000000007D30000-0x0000000007D4A000-memory.dmpFilesize
104KB
-
memory/3180-203-0x000000007EE60000-0x000000007EE70000-memory.dmpFilesize
64KB
-
memory/3180-170-0x00000000058C0000-0x0000000005EE8000-memory.dmpFilesize
6.2MB
-
memory/3180-204-0x0000000007DA0000-0x0000000007DAA000-memory.dmpFilesize
40KB
-
memory/3180-205-0x0000000007FA0000-0x0000000007FEA000-memory.dmpFilesize
296KB
-
memory/3180-187-0x0000000006A10000-0x0000000006A2E000-memory.dmpFilesize
120KB
-
memory/3180-206-0x0000000008090000-0x0000000008126000-memory.dmpFilesize
600KB
-
memory/3180-213-0x0000000008020000-0x0000000008028000-memory.dmpFilesize
32KB
-
memory/3180-169-0x0000000005200000-0x0000000005236000-memory.dmpFilesize
216KB
-
memory/3180-210-0x0000000007F90000-0x0000000007F9E000-memory.dmpFilesize
56KB
-
memory/3488-390-0x0000000000E90000-0x0000000000E91000-memory.dmpFilesize
4KB
-
memory/3488-391-0x0000000000FB0000-0x0000000000FB1000-memory.dmpFilesize
4KB
-
memory/3488-393-0x0000000000FE0000-0x0000000000FE1000-memory.dmpFilesize
4KB
-
memory/3488-392-0x0000000000FC0000-0x0000000000FC1000-memory.dmpFilesize
4KB
-
memory/3488-395-0x0000000001BB0000-0x0000000001BB1000-memory.dmpFilesize
4KB
-
memory/3488-394-0x0000000001BA0000-0x0000000001BA1000-memory.dmpFilesize
4KB
-
memory/3488-396-0x0000000001BC0000-0x0000000001BC1000-memory.dmpFilesize
4KB
-
memory/3488-397-0x0000000001BD0000-0x0000000001BD1000-memory.dmpFilesize
4KB
-
memory/3488-398-0x0000000000FF0000-0x0000000001B9B000-memory.dmpFilesize
11.7MB
-
memory/3768-321-0x000000006EEE0000-0x000000006EF2C000-memory.dmpFilesize
304KB
-
memory/3768-258-0x0000000005250000-0x0000000005260000-memory.dmpFilesize
64KB
-
memory/3768-257-0x0000000005250000-0x0000000005260000-memory.dmpFilesize
64KB
-
memory/3768-374-0x000000007EF40000-0x000000007EF50000-memory.dmpFilesize
64KB
-
memory/3768-315-0x0000000005250000-0x0000000005260000-memory.dmpFilesize
64KB
-
memory/3848-363-0x000000006EEE0000-0x000000006EF2C000-memory.dmpFilesize
304KB
-
memory/3848-270-0x0000000002EE0000-0x0000000002EF0000-memory.dmpFilesize
64KB
-
memory/3848-269-0x0000000002EE0000-0x0000000002EF0000-memory.dmpFilesize
64KB
-
memory/3848-364-0x0000000002EE0000-0x0000000002EF0000-memory.dmpFilesize
64KB
-
memory/4224-145-0x00000000052C0000-0x0000000005352000-memory.dmpFilesize
584KB
-
memory/4224-154-0x0000000005400000-0x0000000005410000-memory.dmpFilesize
64KB
-
memory/4224-151-0x0000000005290000-0x000000000529A000-memory.dmpFilesize
40KB
-
memory/4224-144-0x00000000057D0000-0x0000000005D74000-memory.dmpFilesize
5.6MB
-
memory/4224-143-0x00000000008B0000-0x00000000008C4000-memory.dmpFilesize
80KB
-
memory/4224-167-0x0000000005400000-0x0000000005410000-memory.dmpFilesize
64KB
-
memory/4224-221-0x0000000005400000-0x0000000005410000-memory.dmpFilesize
64KB
-
memory/4224-215-0x0000000005400000-0x0000000005410000-memory.dmpFilesize
64KB
-
memory/4556-253-0x00000000006E0000-0x00000000006F6000-memory.dmpFilesize
88KB
-
memory/4556-255-0x0000000007400000-0x0000000007410000-memory.dmpFilesize
64KB
-
memory/4556-313-0x00000000086C0000-0x0000000008700000-memory.dmpFilesize
256KB
-
memory/4564-268-0x0000000003350000-0x0000000003360000-memory.dmpFilesize
64KB
-
memory/4564-375-0x000000007FC80000-0x000000007FC90000-memory.dmpFilesize
64KB
-
memory/4564-262-0x0000000003350000-0x0000000003360000-memory.dmpFilesize
64KB
-
memory/4564-362-0x0000000003350000-0x0000000003360000-memory.dmpFilesize
64KB
-
memory/4564-351-0x000000006EEE0000-0x000000006EF2C000-memory.dmpFilesize
304KB
-
memory/4620-259-0x0000000005230000-0x0000000005240000-memory.dmpFilesize
64KB
-
memory/4620-341-0x000000006EEE0000-0x000000006EF2C000-memory.dmpFilesize
304KB
-
memory/4620-317-0x0000000005230000-0x0000000005240000-memory.dmpFilesize
64KB
-
memory/4620-376-0x000000007F7C0000-0x000000007F7D0000-memory.dmpFilesize
64KB
-
memory/4848-244-0x0000000003310000-0x0000000003311000-memory.dmpFilesize
4KB
-
memory/4848-243-0x0000000003300000-0x0000000003301000-memory.dmpFilesize
4KB
-
memory/4848-242-0x00000000032F0000-0x00000000032F1000-memory.dmpFilesize
4KB
-
memory/4848-241-0x00000000032E0000-0x00000000032E1000-memory.dmpFilesize
4KB
-
memory/4848-246-0x0000000000F40000-0x0000000001AEB000-memory.dmpFilesize
11.7MB
-
memory/4848-245-0x0000000003320000-0x0000000003321000-memory.dmpFilesize
4KB
-
memory/4848-240-0x0000000000C30000-0x0000000000C31000-memory.dmpFilesize
4KB
-
memory/4848-239-0x0000000000C20000-0x0000000000C21000-memory.dmpFilesize
4KB
-
memory/4848-238-0x0000000000C10000-0x0000000000C11000-memory.dmpFilesize
4KB
