Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
04-01-2024 17:49
General
-
Target
f9467198be098eef6cda9559ec03b7b769e78165e94cc8ca3659625b61f8a0ef.exe
-
Size
6.2MB
-
MD5
0f3e285e2ba03daa86e6a4a53cedda16
-
SHA1
bd1e8bc81d1999a31c796f051177ff6939d6e7e4
-
SHA256
f9467198be098eef6cda9559ec03b7b769e78165e94cc8ca3659625b61f8a0ef
-
SHA512
b32b565e525a88c07d84b7239dfebfb626839454fbbc97d6efeb20e736677b8dfe07a9a5c63fd857a05fcab8fd02bab25e61684cd53c4292692d16e5cc0d3ffa
-
SSDEEP
98304:c339vgN65IbHoUXQoJh8YTt7XvK55R+p+LohshQbPD13gFkTerrLt5OVugU:IBYoUXLJh8Mk55XCBOLCvU
Malware Config
Extracted
smokeloader
2022
http://185.215.113.68/fks/index.php
Extracted
redline
777
195.20.16.103:20440
Signatures
-
Detect ZGRat V1 1 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 10 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 3 IoCs
Detects Themida, an advanced Windows software protection system.
-
Windows security modification 2 TTPs 2 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs
-
Suspicious use of AdjustPrivilegeToken 20 IoCs
-
Suspicious use of FindShellTrayWindow 53 IoCs
-
Suspicious use of SendNotifyMessage 51 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f9467198be098eef6cda9559ec03b7b769e78165e94cc8ca3659625b61f8a0ef.exe"C:\Users\Admin\AppData\Local\Temp\f9467198be098eef6cda9559ec03b7b769e78165e94cc8ca3659625b61f8a0ef.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vt6hB67.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vt6hB67.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zC8OV13.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zC8OV13.exe1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OC5du66.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OC5du66.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3KP41vq.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3KP41vq.exe3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Xr293BZ.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Xr293BZ.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Tr9jI59.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Tr9jI59.exe1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1KS80jL6.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1KS80jL6.exe2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://facebook.com/login3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,17639644467132401132,12521908604863895510,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1856 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17639644467132401132,12521908604863895510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17639644467132401132,12521908604863895510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4108 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17639644467132401132,12521908604863895510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3868 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17639644467132401132,12521908604863895510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17639644467132401132,12521908604863895510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,17639644467132401132,12521908604863895510,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,17639644467132401132,12521908604863895510,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:24⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffe60e446f8,0x7ffe60e44708,0x7ffe60e447184⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,17639644467132401132,12521908604863895510,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5852 /prefetch:84⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,17639644467132401132,12521908604863895510,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5852 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17639644467132401132,12521908604863895510,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2188,17639644467132401132,12521908604863895510,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4068 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17639644467132401132,12521908604863895510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17639644467132401132,12521908604863895510,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17639644467132401132,12521908604863895510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/3⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2BK0201.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2BK0201.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 30883⤵
- Program crash
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1980,13486682335051995271,9485198151056013646,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:31⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,13486682335051995271,9485198151056013646,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1992 /prefetch:21⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,3353486101927359852,5038166922759608538,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:31⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,3353486101927359852,5038166922759608538,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:21⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffe60e446f8,0x7ffe60e44708,0x7ffe60e447181⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x174,0x178,0x17c,0x150,0x180,0x7ffe60e446f8,0x7ffe60e44708,0x7ffe60e447181⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4868 -ip 48681⤵
-
C:\Users\Admin\AppData\Local\Temp\6414.exeC:\Users\Admin\AppData\Local\Temp\6414.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe60e446f8,0x7ffe60e44708,0x7ffe60e447184⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,17806799278933082905,1988880751215926525,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:34⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,17806799278933082905,1988880751215926525,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,17806799278933082905,1988880751215926525,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:24⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,17806799278933082905,1988880751215926525,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,17806799278933082905,1988880751215926525,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,17806799278933082905,1988880751215926525,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,17806799278933082905,1988880751215926525,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4392 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,17806799278933082905,1988880751215926525,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,17806799278933082905,1988880751215926525,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,17806799278933082905,1988880751215926525,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=176 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,17806799278933082905,1988880751215926525,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,17806799278933082905,1988880751215926525,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:14⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\6DC5.exeC:\Users\Admin\AppData\Local\Temp\6DC5.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Modify Registry
3Impair Defenses
2Disable or Modify Tools
2Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5ba867085de8c7cd19b321ab0a8349507
SHA1e5a0ddcab782c559c39d58f41bf5ad3db3f01118
SHA2562adaff5e81f0a4a7420d345b06a304aafa84d1afd6bda7aeb6adb95ee07f4e8c
SHA512b1c02b6e57341143d22336988a15787b7f7590423913fcbc3085c8ae8eb2f673390b0b8e1163878367c8d8d2ee0e7ca8ed1d5a6573f887986f591fcababc2cfe
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5bcaf436ee5fed204f08c14d7517436eb
SHA1637817252f1e2ab00275cd5b5a285a22980295ff
SHA256de776d807ae7f2e809af69746f85ea99e0771bbdaaed78a764a6035dabe7f120
SHA5127e6cf2fdffdcf444f6ef4a50a6f9ef1dfb853301467e3f4784c9ee905c3bf159dc3ee9145d77dbf72637d5b99242525eb951b91c020e5f4e5cfcfd965443258c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5e8231fac725412369a355599c4424bc6
SHA125613cfb39668db73979cd938613da8fdb323033
SHA2560814a66dd62dc094d3b561e015fdd26baf498b97e910470e9e9316c256c123aa
SHA5122f5f6aa9c2915270aa72dd0c3d6551b828c7686e627e21f891f19932da1ab84a12eb0a49bed0729dbff01471bd6e123401de6531c6311c795c0f12a686f24e26
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD50c82c0b3e368be059297efaf46021c5f
SHA1e4a44bafaa77f000b63ba6e8f250654993c2c914
SHA25615c102d042e93343c5926fbd66efa3725a535bb1eeda0017fd330cdc5bb99d9f
SHA5125ce36382cc4d62e58d94f8f4d161898e0d36003ad7896259778cbe1ccebfb66dbf3ec29f91bc82ee96c1c74bd67828da1fb857ecf3529d34c7a27e74912be2e5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
1KB
MD567962e5a61106cd2a24c961d5fd55e9b
SHA1ad254580a30e7f076021ef01be2f5493887fb65c
SHA2568ceedc35235473f8d044f191c88899ca914113cbd103d6e4405837b57ed32a44
SHA512224bd0c28e40e8199069423913ff06ec0f6cbf0cc8f933c7357a5e692ac2fe77db0895237e527dbbe29435ce3e54b80a35f0195b25a060b731a014f853ae6c51
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\CookiesFilesize
20KB
MD5614c1a19a42cb69e3dcc7eec8ddb3dba
SHA162aab02bcae58ee8df911eb8e6cb910e7cd340f8
SHA2562c7d42a557782a59d6f70906a2ba53a909191c9c94e5ee879f7f26542ae08972
SHA512249d46d1268b26af578c868deddf6cea6d7d9c7eb88c422e2d59ace0a45605f05d4af21741372ca47a4643c6b506641e74e393f464eaaf72e88f1f6a1a3b3d70
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HistoryFilesize
124KB
MD56f4e920e363dec820bd541128073577c
SHA16b3641b5544684663cd94d0c286de433949db94e
SHA2569893f23fa65e10ec6d172a816f3769fb60e2afdaff896cb5115edb84c4551e17
SHA5121748cae99d1dea96cfe8cad09573265edbf0b505b4b7db4c94e92c9601fcf3205bde763e294fefa6da125cf6970cfac3b213da3510ea8d0d2a2bba4a321bc44a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History-journalFilesize
8KB
MD507c8803692e17dcf10942fc402e8d063
SHA10fd8c65c7354a838d1039cae91ceb9b67a6f9496
SHA2566904c7450ea268d7d7d52f1fb381b1278da67f02b92b22395ebf32c7dea46fd6
SHA51263373b274c16a4d267d7b6d0ee905e09a0ed6852b6168cf802f07e2090ea8f67082925501f15bf0d7011344eabd7be2f2090a74516d53584cca9a144ef09bfeb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\000003.logFilesize
68KB
MD51148321c19b33333a3fc5302dabf2ecb
SHA150e9e12fae6899728d0dd86af2772ac3b721bc57
SHA256829052d3c1eb3602c238186a8d6c9e65d900be426e59e57791ed5f02242b5364
SHA51201e5eb540feea4244ba73c4c8d7ec72ab11eb21f372254d91c0eee6a75608d7e580adeaecf383d9326354e669e72d9c7c93b3f9ca81f5e557757a932de90d2a7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.logFilesize
624B
MD5c3d20e0026f421347a977c7f9a66061f
SHA1a350f3ceb4335d8359647575698c3fb4b3c3c32d
SHA2566b0f91b0d94daec01ba8377e97c94d73a98fb9fd15bd3c1ae071c6f9942a6823
SHA51206f6e6c11069d6ae4e02f5ce8adb1adb67ad19f3fe4ad2dc8c810e8a287a318fe4727756c5ebaffb58724adadb1ea8ae85f8962331b3632fdd0db029498dc6e2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
2KB
MD53d05203d0d86613486036217d772df0b
SHA1618802382dd7f3c5db91d09ecca53ff14cc36898
SHA256d858b7276abfd1473649aee20268c346ff02387c807be1d0c92861ea18009b10
SHA512ad3ef204c1c69057428a67d7a7359fc418ec3a8871b4abd611e3f9f1d833a56fc76666ab431f7314b2a71f6c13b8eced8e742c953653b92dfbdbe6f05b5edaeb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5541e138d21aa52c5431d7d2c13c648e9
SHA151e914033bc01b6170c96d2ee2226c6849120eed
SHA2564b29984c278bee9f810c8b8ab9c03d7d217a0e9ca6edc71a9237c0148816fc23
SHA512bbe279a4cc13a938fa44fd137cac43e538421d3a0516762df0f3447e84a49609e81599111b408270256e3b41d222770d3680e17a200ca8e646b5f797ee473862
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5f5b6c613ec422524204af45acc54b25a
SHA1cc9178423c0853be6da87935aaa4d2721b84d75d
SHA2560b01c975181dba145b38143f435f3bbcf807823362186314c436835d149aa3eb
SHA5121e1874b44a436934fbb01244fd07b1d0cff89f0c8ce9de1f91d68a611041b2733f981a3ff6b669ba388793bf71f0665a45e232edc55a0775ffa1419ad84edcd1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD57f2870362c45f642efe369937938c498
SHA105488ffd0ad2fa53fff29d53a71d22a4947bb742
SHA256e2fc886bfd359feea32ae258a337df263f2f848538652ca47d9d8c5fdb33ccbb
SHA512cc01e4ee0dbfa9a22558f8d41435b0b2de7887f32007c27f19614d75f0598415b00b8fbe180638d1a71b76e0068fd179730f0b0fb3b217ee72f8e41153076702
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD56070cee1389d800288ee00a133fcfae9
SHA186da71e939420a31363e5481ed9b1daffa62807a
SHA2567e5974d5bf8ff30c9ece94c2c3bde3701c5da499378be97c4d185dacceef890b
SHA512b7fe7c4f562055624d74bee203d616cbd464e29c91120eb854f34a779ad9acd0283621d73d4be994542198b5255cec4e6e098c473756fc8ae9b2009dff8263ed
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD57989cec0527c5716d6c22af88d55d6e6
SHA19edfe0a700f80d14e33cc1d8f8c9826750021ea9
SHA25647bc96cf85531a26e650ad4aa2ab04f117543304693bbb22f96f12d78c0777e5
SHA512d5ae80830d0e340f32ecdf7f8ea3e9d4d6d8b1da9836b3c0a096420aa08118f2950dc39dc2e978b16726e6418b676b7af41555f33f9a1489d540729299e285db
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure PreferencesFilesize
24KB
MD5b0ba6f0eee8f998b4d78bc4934f5fd17
SHA1589653d624de363d3e8869c169441b143c1f39ad
SHA2564b5ee509e727accbd11493dda2c1d512e7dbfaff66c4f5f7ea9c2d2ccd06151f
SHA512e9a165da246c6b80fc38431538203cf03f95794184ff63f00c9500f8919a2028b803f64b670e685185eed72df0509e3185c9b434fdbf2bc7af36021d46bd08d9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txtFilesize
89B
MD542fd609a49a584280032edba26031001
SHA1ab8476c0ad1bec75b9f310b5cc54c3ba65267613
SHA25634af89eabbbdfcba03d8dbfc31487960491b99e4ae5d146ad158000d9410e767
SHA51233f12f0268a0cede6bb5495edfde13814aa5e2eda49a1a98901df5985656a0e212c96f5d86146f5b1e755976b87a049a845da9b5cdfadb588dce2cc597cd73af
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txtFilesize
146B
MD5609114a8fc3aeae06e2369754c4d10ff
SHA1a36330ae339298283723427cc69a56594fa53fb5
SHA25669acd1cc93a457742f8e0d011b6fcf613a64e50664bbccf1b2bbf9c6e79dfd17
SHA512d778e3ecc1192e9d4ca3dc1cc40a50eae1c4e63aa18396df27747d6db4a1fc7cdae5df3818373adbcc157b3000ba5a012a37a7722cf69a18f24114296479d95d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt.tmpFilesize
82B
MD592c6163a8304f8d4a81fb36cbe0c43c3
SHA1c98829c8ac87748c70bbaf48195e79fbf2156e87
SHA256bac0a83b4c42205499627754731ef1fa441b9f864d8e0906c89fb5d295413a86
SHA512ab153aafda34104cad4805f90f309502ca23bccfb4c4449e2296cc7545da4f98b28b739cfdf64801bc4d19055de00c95f12f2f4df290f1b070f8d4e43bdcecef
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-indexFilesize
72B
MD5a7af3edfd195a85af470f61ddb0c7627
SHA173708180d9f85c47bb18215e0d255a11ad9808b7
SHA256264581c3d932125cb283cd9631f0d186d05839400d6b7421a7c744565ddb369a
SHA512d82824158aa184e77b1e75a483276ef03f8a747e933a152a0bde817aae220cd5545094fba37e6dc6a7b47695062ae33a84523f6519fd0bcd67023e5a3c2bf87b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57bd93.TMPFilesize
48B
MD5d309ad366969296f295216044ff6427d
SHA1e3061b786ad2303f46b76cc5a3a6ce98d2ed6fbe
SHA25639a8a5f330567778c6e025a868d769894c273c699b8688c9fa90dd33ef3082f4
SHA5122a1d966cb0b0bd1f2b175dad7e8588ecd786501e7ae77b69fad38176894c7939ee876a0594f38522a4cc9b34cf3c4e2bd9ab6fb52cb96ad63bc4ffe386fc4ac3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD54544d536a68105808962cf98c518619e
SHA1c5e836e09282a33cdbcbf956ef822c143983c6db
SHA2563003eff22da9ac2d64a9c65da8b98377611a8453574b05b4ad1a921e3774c7bd
SHA5126b7a1ea0f506d4592a0b5f2f613cd7f32658b8392e953c29557a80538a703bbf3ec6341cf1d2400325843bc4a21e04eedee623de6a359652a427032c74768c6e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5e253cca3b3595bf638d5af5974ced281
SHA1e992e71b2e8ea1d08e1fb39bab89f56ccfa4d1d1
SHA256186cdfa31b78adf643c254dc3c46bba128a3ae7160d1396a2518148161bd1ae3
SHA512cf40119826aeda6f4a3d45a84418562afbc919cdf473fa4357bf5bde00acda43c4548cade0538938d3c757072752d00953c761f8cd2a26a56e64c5dd5672e788
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5e860052c2065d0402691af292d4ba7eb
SHA14d570d8c7052db4c6588f88139646c4ee0b2cdad
SHA25654bf1114fb1a75ca41cdccf0d1708bfc33c5ea63629ac3c6d40bf1adbe17bde1
SHA5124e8f03dcec978860f5b617db47777145190e0057526da1acf38fb0ae087c6ad02d2f033f4656897a088baea90767ac6f689e611f193eed13f8c0a53b35253acd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57a7aa.TMPFilesize
1KB
MD5e04d993f0df6e0c3140487fd5b2329ee
SHA13699736751ea6190315b28998da9700bf42b6c34
SHA256c5b34e911135d70d38f3f0c24b8807c379922a8c49f78c75c58a8c8695faa9b8
SHA5123713514149bf4ccca601aa3cbbd6c877b125cfddbc1ee33e237b6bf5c9617e48e56ddc56016d9e3172229485d95b8d341c1a680a7d67550e1a60daee6f77d13a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web DataFilesize
35KB
MD5df06c8e3940b8515193520789228b8a1
SHA10d87c95f70709c73fc591c91ced84a53fa0c1165
SHA256bafc81540cb5a52c3898fae8d80e50f4219f5a3bd2541cf9ae970aafea8263cd
SHA51250951d3dd61d83cdeacf78f13026b98944b3361c368d9bea4619884da8b55a77105d5a61ea719bf391458d81e9d4442f6484cb95164b1c3c7f9d9fbff3a52f78
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5aefd77f47fb84fae5ea194496b44c67a
SHA1dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA2564166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last VersionFilesize
11B
MD5838a7b32aefb618130392bc7d006aa2e
SHA15159e0f18c9e68f0e75e2239875aa994847b8290
SHA256ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA5129e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5761b9b1a6a75362eee0337f9d8374e36
SHA1fc8ea1ea2a3857e12d28e7fec73cd520a56e11b3
SHA256a2c39139546ba4feab40e6aace90de3713d50b19385be4e6f9285d556163f9aa
SHA512ce982025c4a2ac82429c0bf1f8c78913a7d2c361baa1055fcb5e53a6a3a94157fef61656f1e50a90ccec375534504e0202a8a36c58fc9300ab2e7bb9d0be2a8d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
2KB
MD50a118883ddb30e2981bf342c5181452c
SHA13dde91b7ebc317df9894d081b390bb605c828466
SHA256ab97164079d44a6ed72013b9080ce07884a214b8580b9c1ab4e30441c17534fd
SHA5125c861a130730ff9a16a48a70fb77410a89cf65b16bd884fe728500c1061ff43c0c7cb50066464e953b38c4e1bc01f2fa54ce45d935ad17bd21c8176ea750f0d8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
10KB
MD5e5fde880403f20d25a2ea1cba504c240
SHA11cc81d3527cdae275978554dd75383becc7fe6c9
SHA2563da76304b25483adef01c87c57e051f07dfc1ff3ce15e01f1c86a66d1cc2d96d
SHA512b4522de9e524dbcdf489417e01dd9b86c5fabbacbd2f6d29b9c709d3971aa0d6db8fba1f46ceef5c22012ec21c6c69936b4f63c6a691d9f9c618161695c0996d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
2KB
MD58c28fd0f4c8a885170d7f93580398061
SHA14749d19c8b97de4754c0aa6afcb85e22b71f80b0
SHA2564a5150789f793f02fd433fbf8500c398f918f1ad3fb8538fc95e87edbc113303
SHA51254e103f9512e5d589db40afe62335f2aaf4ae954c2d92ac2993a8260853219a9fadfbdf9235e0de8156cfc8ebc5c9acf53177dc08d4b44f6e3a57a698e2b9914
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
10KB
MD58013cd6dc5519cac364481821af931d2
SHA1dc1740b3b803c6ebdf6429faf607ab1e36b8ff1d
SHA2569bc5f85fd09be7aa7dcf80314619a42f2b7048d0f5c6c09d3f5f7953f43f6780
SHA512a95d94c5bef8bba149cabe4dd01c745a8e4df8ddd2a8b4c03c17a11d6ae7719efa1aec45a14485ce52290e6b47f8cc1220aac2f6e401e8e0964521b582da3d3b
-
C:\Users\Admin\AppData\Local\Temp\6414.exeFilesize
406KB
MD5b08b55bc573d1e28d852be56dbf3e20d
SHA169e517f3ffe12c25cc390eaa49dc6259f6f1a0b8
SHA25643743a7c06d486df4d41c638d3f9a4f343f32bb1df323b9f499db46340ce95b1
SHA512efa3abba12d2828f9aa9bba3d70efccdbcc867b3a6dd4ae0b4f99e5871d046a2e4002d89348e716bc73b0b9791c08faed1367af5a8434d458ee2db6bbebe62b4
-
C:\Users\Admin\AppData\Local\Temp\6414.exeFilesize
519KB
MD57329b752f9cc1536c8cb92dea19e4c4f
SHA1c9dd8e8315d5e76425196e0924837f1a429ff888
SHA256a90d4ee2aeb4d107ef6ecfc4dafd81cedbfefae223871c96e46ae088cc79cf35
SHA512186644cdffb9c4afcb4898d43bfe49aed81807b4da3358fd33815ebe9f56406ab80e9b3950362274f19ac15b0b69c824ab0ddc491acfc1e40fdee8d7c3dce9d5
-
C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exeFilesize
57KB
MD548b2fa65d10d9bcf8293fa3dfb941a6c
SHA1bea172b6261928ab89ecfa4fc8584d78655c751e
SHA25641e7f12f9a67cc394bf47a0e38b183e231aff074fb1fc8939508e63b34c57e02
SHA51269f6cc2b2fee08d63b6fb6766329f8330ae41eb79bb600b3a0bd5768c9a924361a720f3c1513fd5e0d5637faa21f573a95fcaf9713e4b4b2e7cb5a79db88be59
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vt6hB67.exeFilesize
57KB
MD5d118d3a0d92179a317a8791db42bf008
SHA15723388f8aa73043bcadb21760dcccd3af4e75ca
SHA256f706f28b8da9b414d8548ef118a4cb12248f50c3e75232d35b4e88c5fa888a45
SHA512cf9c64b28e792e95f8203112e09b0f3501e7fce33905c9a77b94b805901a8f128e9966f1bf3b1ef7eaacc4c941dc096f2828d1d33ba4e6a82c412243fb0f4b79
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vt6hB67.exeFilesize
61KB
MD5b34f06c96641c8e1dfb704e378c9d03d
SHA181bdbde80fdfdc1c73796268ad169f29ac31a7d1
SHA256096bdcde2cbad92fb42020d59d17fa832aeef57a7ab003c9b0e2a09ec40b4860
SHA5129890cbd39a475d00c8fdd1f147f662390bbf49b56d71aac53a9741ff761f69b337bdde3c9e30c9b3fa2096b853b0b9b9c8f16d52e26ee69a218f504c2930ae02
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zC8OV13.exeFilesize
16KB
MD556f8f39345e33e25360175ce4bf28790
SHA1eff0d0f46471e89603ed17d2847f5a361bc1e822
SHA256cff62af48e931f003fe60d03254a4230c06230ee7f5020081d486d01463cc035
SHA5121e6d58da637f0777e23513133399fe2aaa4e662423cccaca2757d040841ffc8c86e4734d84afdae92ed52d050837b05d695c0a54f5e6e15fd163067ba65e6f50
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zC8OV13.exeFilesize
31KB
MD560b57407ecbad05199f6e3e0a41adb35
SHA1e722c7c620cd6a9c956cff1c0568773aaba451c6
SHA25606e6a581bd1b0375aaec3d16532ed7abdc66ab3a2eadc201474a95683a55a2c2
SHA512deadae4f02b6c5fa63ddf5d97841aadc8a6940a308a342b0c033fb8b924debe12089e35eefeabe5d003899494ffa5e3a02f47aaf6cad7f853c04fb4e5b8b67a0
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Xr293BZ.exeFilesize
217KB
MD5f4b966cac4297178926570ada530a32a
SHA183496313991e50c1347098958840de49b7562155
SHA2568782c5e3d54b8f49ad28751a3477892bb38745829697ffccafbe23dbd50c58e2
SHA51240c9be49e1f3569d4cfbc57386fec52363949c5db9d52e0e8903a0f2d6da0e4b158badb03a1522643ca88d24253043c2051c438dc438524110801d577c44df0c
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Xr293BZ.exeFilesize
115KB
MD555bc89a82e8b23003e91c2aa29fd2fd7
SHA1766312b93c6d3c21e87e0cd143cb5a97bee81a42
SHA256162446258ba8d304a44b3a829f75297b1d95d1fad9d4c3ec4fc48ce92d30d07e
SHA51274a9365dc55b6239ca839276fc81895f0f51fe3d50eb577a209e59994a2892855e177a30903f3db785607cfd1c094dfde8bf5535800adcc73b029dda2a86900e
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OC5du66.exeFilesize
24KB
MD5d94fd6e604237b4e5c26971c233e0537
SHA18fd097b4196a02a3bcde59ed3950d91644a2a173
SHA256aad9ca82aab360cd9a062941c78a97f0edd452f5f124aefcf675bc1be7d2cfe9
SHA51280095aa4e7ffaba1f9f2888b3d735ca48a1ac357e276e3c7e8796d32e69003bed1929e5cd3dc05fcf48f30bb5f53494b55ebf7c6dfbef275a38a8e3a56ebd647
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OC5du66.exeFilesize
124KB
MD583065c10809ddc61c308d792e930e697
SHA117312776240a46fbf5f5d3328d5f1d7a4cfa65cf
SHA256118dc63db313961677f9243681ac80a6cc94e935143774b953397204e2a13528
SHA5129c8e4fe461fa5f7cc8dcae4344a1bd293841e86a2ad7b9ee4d8fec2c9815cdfd050c56dd6bfceda1cf8d1a81e141ea548354a9bef01484305b371f4809042994
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3KP41vq.exeFilesize
36KB
MD55f8b84b8a2e43b3f3c20fad2c71bef4e
SHA110f397782a2948cee1e2053ef12986dcf0481f20
SHA25695975615eb1d0194e9ed527770f247e241194a3ad66ae2294a8939a216ae3ad2
SHA512dea386a37e7d8780308c2581da4ee4c81ed73bbfde439ff1e0a53fca63cc8dcdd4c478c6e76d98ce566f9ce3925b08647e752e5c1604b951571622553902216a
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Tr9jI59.exeFilesize
42KB
MD5016d1eceea0af978fe7b9d2f721fec02
SHA16b1f59f40c3961413850581f04e2b8c975cfbf86
SHA256ba7717f8f31e42ec0ae64ca2b98c04eefbbb6054a99a2cb393f83461a03da809
SHA512ded40596e5ea89c0d72bcc6feedf831a95b9307f35b8e3e89337f9b6f3c48c25d62c42fa345057a296e4d34767a52903b7f5efef81dca14c0ece613c4eb972c4
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Tr9jI59.exeFilesize
50KB
MD5f2732576444cc56bbc435a1a8d4102c5
SHA16a95a5fef97e32fa89e38c3deaa9cf4da652d546
SHA2568c38d5331f41f41b25c7dc6ad142584f477ca3b634852c7b98d0a4dec9990556
SHA5120f173464ccea3d419302e46aae8f623e534c8c701a0294c103549cb55d18b525352c42f1eb3327c41bb3d0f73a2d01fdcc0c94db79a80f61cc8fbfd5da7da7f3
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1KS80jL6.exeFilesize
77KB
MD5b688490b4e0109d2d2e05e08d09e5f94
SHA1a8ec97aa7b7705dfd90c7493d54ddd362858aaea
SHA256cffa338fac4a803fd7a5dba184b46da123f2f977b65db9ff2a9992b0d4f6bb50
SHA512b86db2ea0d25fa0ff6e3b37873ab18c226d92f5f2290663ad0338a09efd077ba3866f450a1159b96e16ea3f2407ed97cf877120fc40b1c4e758635e20038a8a9
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1KS80jL6.exeFilesize
38KB
MD5f619f25354c0b99779424b2215b80f5f
SHA19e27fb26cfd6f9b1186083e303de9fcb72f8e24a
SHA2564ef519a0c6fdf8a91c3e4fa671fb7579c635b1b905a8c4ab476d713327b00400
SHA512359381702d9a8cec1a02044dea077cf8fdfe7a8ef9f0b247414047a286dddbb6f36844b9346d2e6959d84d8b75cc2d984b3a9d246d4ee030bd913e586e9fe40f
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2BK0201.exeFilesize
417KB
MD5e651e08be4bb25f0612150a55ca83200
SHA12dc5a5623b59108aadcdddbbb194a9e4449a7dfe
SHA256805ca87f6097e3d15c3adc1873dfbd0f6ad19dad9d030b7b7f9442152f221aee
SHA512836fc26ef30af042fbf0d1b6a3bb95041fdc337dd4bd37804ce3131bfd84a1f622a8f9c8196e84cd8408d88d5b4b17f1fcdf6fd69c8658c4191ae1efd65eae76
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2BK0201.exeFilesize
13KB
MD5405bfd93d9ff5cddc01d14aeccaa24d6
SHA1052878fea34cdb1c5abe63f3779a76828bea434a
SHA2560f097dbd0c9ca1310a0871aba0ab1ef0641d0c54175225072d7cc07b72aeca1a
SHA5125bb5594a26c610eb4bbbf66bdbd31817d618219b5149f7d4a48b2f82f68d144e85d40c1d11844c08f35ca3e44c3f6e2932cd938b9584b19eaffca5ba040226c7
-
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dllFilesize
488KB
MD5ed355c8173eb28499650c5323a372b31
SHA1f2f1de541d5384c59914c5db2aba72bc7666e666
SHA256a0a1a4c300a10b3f8150ffdfb204058ca02cb5950fc272fba0a36339230b8690
SHA512997de4851f13b3beee6310619e53df3d1bc28e7142f48d17f5e5f0c05df1d4fbbb2e15426daf8b483b58de711fba515e43f973fc0a20c41ba8fb840a8e706237
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0qhnwcju.j2u.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\tempAVSUu4aBy1vDteK\SrpZVvfVtI4rWeb DataFilesize
61KB
MD5c6048f76efd1728044b4f60bcbfb95ce
SHA17af888107a6de948572abc6c543a8e8389877a56
SHA256c139fec9652a3b69ba9692793948f2dd17ec5f9395bbb28c2720edfddd7eab8a
SHA5125b108b7f9e81d436bbde8cc9b45c6bb42c5900a1ab269675b2135b06b035c218e310de1b9a5a08d7a556fc8a63827374b125c60d755a1a44bfd62bc541581b86
-
C:\Users\Admin\AppData\Local\Temp\tempAVSUu4aBy1vDteK\kEzXIqblFnrKWeb DataFilesize
41KB
MD5e9574e19a68f70871fa70ebf7d51d2d2
SHA11df85bd0009de2bcfbf91087ccc7c125ba38038b
SHA25647bbe9aa56cecb897acc05cb1b0b3c613ba907e1df1e3659eb22ca8901934176
SHA512eec2b07ef538dc51d153f0d3cf2973a596150c3721fcbfbfdbc932d639d8b3a33e5994eb7a80d37333a6e22f3496d954d608182b2b9e53cf8ba9859c747cf174
-
C:\Users\Admin\AppData\Local\Temp\tempAVSUu4aBy1vDteK\sqlite3.dllFilesize
9KB
MD5720b4abbb16ddf4e85ff339337023547
SHA16cdfa1db7d28374fce9a4d1a48c327a7abd1649f
SHA2567641c74ae8539195a508eb4d8a7fbdf40ea8aedbcdac00ad653d8dad575175f2
SHA512d9be46292660152bbbfe1426d303ec34ff983b720ff1738b5534dca1edc47d4bbb771f5ae07b085d918ea0b7e7b9d9b2f29c7c41542d5bbb1eb8daf9bbf62521
-
\??\pipe\LOCAL\crashpad_2100_MFLIDXKGMRIUVDQUMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/3016-621-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB
-
memory/3356-474-0x0000000000400000-0x000000000040A000-memory.dmpFilesize
40KB
-
memory/3356-476-0x0000000000400000-0x000000000040A000-memory.dmpFilesize
40KB
-
memory/3404-475-0x00000000021A0000-0x00000000021B6000-memory.dmpFilesize
88KB
-
memory/4860-605-0x00000000055A0000-0x00000000055B0000-memory.dmpFilesize
64KB
-
memory/4860-582-0x0000000005490000-0x000000000552C000-memory.dmpFilesize
624KB
-
memory/4860-607-0x0000000006CC0000-0x0000000006E52000-memory.dmpFilesize
1.6MB
-
memory/4860-606-0x00000000058B0000-0x0000000005B8A000-memory.dmpFilesize
2.9MB
-
memory/4860-580-0x0000000000800000-0x0000000000BC6000-memory.dmpFilesize
3.8MB
-
memory/4860-614-0x00000000055A0000-0x00000000055B0000-memory.dmpFilesize
64KB
-
memory/4860-581-0x0000000073DD0000-0x0000000074580000-memory.dmpFilesize
7.7MB
-
memory/4860-604-0x0000000073DD0000-0x0000000074580000-memory.dmpFilesize
7.7MB
-
memory/4860-613-0x00000000055A0000-0x00000000055B0000-memory.dmpFilesize
64KB
-
memory/4868-59-0x0000000000070000-0x00000000004CE000-memory.dmpFilesize
4.4MB
-
memory/4868-60-0x0000000000070000-0x00000000004CE000-memory.dmpFilesize
4.4MB
-
memory/4868-470-0x0000000000070000-0x00000000004CE000-memory.dmpFilesize
4.4MB
-
memory/4868-378-0x000000000A970000-0x000000000ACC4000-memory.dmpFilesize
3.3MB
-
memory/4868-82-0x0000000008AE0000-0x0000000008B56000-memory.dmpFilesize
472KB
-
memory/4868-362-0x000000000A410000-0x000000000A42E000-memory.dmpFilesize
120KB
-
memory/4868-42-0x0000000000070000-0x00000000004CE000-memory.dmpFilesize
4.4MB
-
memory/4868-409-0x0000000000070000-0x00000000004CE000-memory.dmpFilesize
4.4MB
-
memory/5392-115-0x0000000004E60000-0x0000000004E70000-memory.dmpFilesize
64KB
-
memory/5392-117-0x0000000005350000-0x0000000005372000-memory.dmpFilesize
136KB
-
memory/5392-147-0x000000006FD40000-0x000000006FD8C000-memory.dmpFilesize
304KB
-
memory/5392-172-0x0000000007620000-0x000000000763A000-memory.dmpFilesize
104KB
-
memory/5392-116-0x0000000004E60000-0x0000000004E70000-memory.dmpFilesize
64KB
-
memory/5392-124-0x0000000005CE0000-0x0000000005D46000-memory.dmpFilesize
408KB
-
memory/5392-112-0x0000000004D20000-0x0000000004D56000-memory.dmpFilesize
216KB
-
memory/5392-146-0x00000000068E0000-0x0000000006912000-memory.dmpFilesize
200KB
-
memory/5392-177-0x0000000007690000-0x000000000769A000-memory.dmpFilesize
40KB
-
memory/5392-171-0x0000000007C60000-0x00000000082DA000-memory.dmpFilesize
6.5MB
-
memory/5392-157-0x0000000006890000-0x00000000068AE000-memory.dmpFilesize
120KB
-
memory/5392-158-0x0000000004E60000-0x0000000004E70000-memory.dmpFilesize
64KB
-
memory/5392-161-0x0000000007520000-0x00000000075C3000-memory.dmpFilesize
652KB
-
memory/5392-145-0x000000007F020000-0x000000007F030000-memory.dmpFilesize
64KB
-
memory/5392-133-0x0000000006330000-0x000000000637C000-memory.dmpFilesize
304KB
-
memory/5392-184-0x00000000078A0000-0x0000000007936000-memory.dmpFilesize
600KB
-
memory/5392-192-0x0000000007820000-0x0000000007831000-memory.dmpFilesize
68KB
-
memory/5392-203-0x0000000007850000-0x000000000785E000-memory.dmpFilesize
56KB
-
memory/5392-205-0x0000000007860000-0x0000000007874000-memory.dmpFilesize
80KB
-
memory/5392-132-0x0000000006300000-0x000000000631E000-memory.dmpFilesize
120KB
-
memory/5392-113-0x00000000736B0000-0x0000000073E60000-memory.dmpFilesize
7.7MB
-
memory/5392-114-0x00000000054A0000-0x0000000005AC8000-memory.dmpFilesize
6.2MB
-
memory/5392-209-0x0000000007940000-0x0000000007948000-memory.dmpFilesize
32KB
-
memory/5392-207-0x0000000007960000-0x000000000797A000-memory.dmpFilesize
104KB
-
memory/5392-228-0x00000000736B0000-0x0000000073E60000-memory.dmpFilesize
7.7MB
-
memory/5392-118-0x0000000005C40000-0x0000000005CA6000-memory.dmpFilesize
408KB
-
memory/5392-131-0x0000000005E50000-0x00000000061A4000-memory.dmpFilesize
3.3MB
-
memory/6032-489-0x0000000075280000-0x0000000075370000-memory.dmpFilesize
960KB
-
memory/6032-537-0x0000000075280000-0x0000000075370000-memory.dmpFilesize
960KB
-
memory/6032-535-0x0000000075280000-0x0000000075370000-memory.dmpFilesize
960KB
-
memory/6032-533-0x0000000000F30000-0x00000000016C2000-memory.dmpFilesize
7.6MB
-
memory/6032-534-0x0000000075280000-0x0000000075370000-memory.dmpFilesize
960KB
-
memory/6032-514-0x00000000089C0000-0x0000000008EEC000-memory.dmpFilesize
5.2MB
-
memory/6032-513-0x00000000082C0000-0x0000000008482000-memory.dmpFilesize
1.8MB
-
memory/6032-512-0x00000000080A0000-0x00000000080F0000-memory.dmpFilesize
320KB
-
memory/6032-511-0x0000000006F40000-0x00000000074E4000-memory.dmpFilesize
5.6MB
-
memory/6032-510-0x00000000068F0000-0x0000000006982000-memory.dmpFilesize
584KB
-
memory/6032-497-0x00000000058F0000-0x0000000005902000-memory.dmpFilesize
72KB
-
memory/6032-498-0x0000000005AA0000-0x0000000005BAA000-memory.dmpFilesize
1.0MB
-
memory/6032-500-0x0000000005930000-0x000000000597C000-memory.dmpFilesize
304KB
-
memory/6032-499-0x0000000005990000-0x00000000059CC000-memory.dmpFilesize
240KB
-
memory/6032-496-0x0000000005FB0000-0x00000000065C8000-memory.dmpFilesize
6.1MB
-
memory/6032-483-0x0000000075280000-0x0000000075370000-memory.dmpFilesize
960KB
-
memory/6032-495-0x0000000000F30000-0x00000000016C2000-memory.dmpFilesize
7.6MB
-
memory/6032-490-0x0000000075280000-0x0000000075370000-memory.dmpFilesize
960KB
-
memory/6032-491-0x00000000770C4000-0x00000000770C6000-memory.dmpFilesize
8KB
-
memory/6032-482-0x0000000000F30000-0x00000000016C2000-memory.dmpFilesize
7.6MB