Analysis
-
max time kernel
109s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
-
submitted
04-01-2024 18:51
General
-
Target
e30d0db830595c6f98a99b0afd3e5ebbf16a0d8d7266ea1e9ccfc68a8fae1a78.exe
-
Size
6.2MB
-
MD5
0b1841ed8d1126006e6c4f2805205ae7
-
SHA1
7797129b4c9dcd445da76ac1328860c01e719b5c
-
SHA256
e30d0db830595c6f98a99b0afd3e5ebbf16a0d8d7266ea1e9ccfc68a8fae1a78
-
SHA512
1bc81abb4ff94c78b1e06b5a3389894a3b586a06f945b046dd1d2d8f4f5ea1ba4268c8dccc939334b97adcf0644afc337c60bff22d182ecb845c23eec8eb8a91
-
SSDEEP
196608:5WOna2XGM3NHiZHxX1MtBq1Y52BDhsS1:5HldsZtqtils
Malware Config
Extracted
smokeloader
2022
http://185.215.113.68/fks/index.php
Extracted
redline
LiveTraffic
20.79.30.95:13856
Extracted
redline
Legaa
185.172.128.33:38294
Extracted
redline
777
195.20.16.103:20440
Signatures
-
Detect ZGRat V1 2 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 8 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 4 IoCs
Detects Themida, an advanced Windows software protection system.
-
Windows security modification 2 TTPs 2 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of FindShellTrayWindow 31 IoCs
-
Suspicious use of SendNotifyMessage 28 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e30d0db830595c6f98a99b0afd3e5ebbf16a0d8d7266ea1e9ccfc68a8fae1a78.exe"C:\Users\Admin\AppData\Local\Temp\e30d0db830595c6f98a99b0afd3e5ebbf16a0d8d7266ea1e9ccfc68a8fae1a78.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\et9qC29.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\et9qC29.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HK5xM16.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HK5xM16.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Jp2GG55.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Jp2GG55.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IO5Kc44.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IO5Kc44.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Nc91eH8.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Nc91eH8.exe6⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/7⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,7085239948729625210,4734903014668935545,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:38⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,7085239948729625210,4734903014668935545,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:28⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff8365946f8,0x7ff836594708,0x7ff8365947188⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/7⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff8365946f8,0x7ff836594708,0x7ff8365947188⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,448834954842072460,696825383884902310,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:38⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Ng8019.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Ng8019.exe6⤵
- Modifies Windows Defender Real-time Protection settings
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST8⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST8⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 30607⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3qD23lB.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3qD23lB.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4bM458Cz.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4bM458Cz.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops startup file
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5qJ8JW6.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5qJ8JW6.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6ju6aN1.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6ju6aN1.exe2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff8365946f8,0x7ff836594708,0x7ff8365947181⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1952,15832723481426732391,12448523202873065677,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:31⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,15832723481426732391,12448523202873065677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,15832723481426732391,12448523202873065677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:11⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://facebook.com/login2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,15832723481426732391,12448523202873065677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1952,15832723481426732391,12448523202873065677,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6024 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1952,15832723481426732391,12448523202873065677,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6168 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1952,15832723481426732391,12448523202873065677,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6432 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1952,15832723481426732391,12448523202873065677,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6432 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,15832723481426732391,12448523202873065677,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6832 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,15832723481426732391,12448523202873065677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6816 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,15832723481426732391,12448523202873065677,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7092 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,15832723481426732391,12448523202873065677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7064 /prefetch:13⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,15832723481426732391,12448523202873065677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:11⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,15832723481426732391,12448523202873065677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1952,15832723481426732391,12448523202873065677,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,15832723481426732391,12448523202873065677,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1948 /prefetch:21⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4dc 0x3041⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4888 -ip 48882⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"2⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7682258292459277665,16365092605460458974,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7682258292459277665,16365092605460458974,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,7682258292459277665,16365092605460458974,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,7682258292459277665,16365092605460458974,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:33⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,7682258292459277665,16365092605460458974,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7682258292459277665,16365092605460458974,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4536 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7682258292459277665,16365092605460458974,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4464 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,7682258292459277665,16365092605460458974,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3472 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,7682258292459277665,16365092605460458974,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3472 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7682258292459277665,16365092605460458974,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7682258292459277665,16365092605460458974,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7682258292459277665,16365092605460458974,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4332 /prefetch:13⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\FC3D.exeC:\Users\Admin\AppData\Local\Temp\FC3D.exe1⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe2⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ff8365946f8,0x7ff836594708,0x7ff8365947181⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Modify Registry
3Impair Defenses
2Disable or Modify Tools
2Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD512f5ea17522d20f57cfc7ed287507d1c
SHA1683a34647d67a7f0db4b48c8e5ab2bd96b1ae58b
SHA25625fe9a74a26f05364d78e4fef7962b5509f562c825da977bf6ee46a31e2392cb
SHA5126ba3e8a3b7eb2fbd8edf13571a7a430b334dc86527eb4368ba3b8c2e7bcd24073cca99677ddffa633643046536bf7c7516076a9018f7b3c7c63a9f2a26de67c1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD53e71d66ce903fcba6050e4b99b624fa7
SHA1139d274762405b422eab698da8cc85f405922de5
SHA25653b34e24e3fbb6a7f473192fc4dec2ae668974494f5636f0359b6ca27d7c65e3
SHA51217e2f1400000dd6c54c8dc067b31bcb0a3111e44a9d2c5c779f484a51ada92d88f5b6e6847270faae8ff881117b7ceaaf8dfe9df427cbb8d9449ceacd0480388
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD59d1001c750ea00c0e67b76105a505fc9
SHA1f05edef5d87e27bbbc7ff2f3208ce7475d67c08a
SHA256fabc82d38d574fcd30d017a36550bfe8536a2fc709439ca19408dea0e2658475
SHA5126d5a055abd66662325ed2c4b83e2b615524a2b262fc419fca80761f9825d0140a91d6a4c6040613f1cd7b975166ebf73948330cb4cd3466f7b9af3b2f669b24d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5ee91880cc06eea7f10a4c0a0be44745b
SHA1600ba94aa7baf0a8f102d8555d597c660c46cdf4
SHA25632bb49e011b55263afee46c59e2831bce85af31039c09871138a60f356a04402
SHA5126b66e1149e7879e89c63d2ae5c5c29d3dacc139d04ecf03c1dab90f4043b7cd44188eb002c7d33f5ec41a9c43975c1b07997c9c321031ab4ac54d4efeeee90cd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
1KB
MD59e392b8b823da89f6fabea637af9e0b8
SHA1200fd85311e9046fa07f6557a7cb88a31788728f
SHA256f7ae5c500a72d3dde139d66d0b5577dd33b497aea1a413f34d59e5916a13f18b
SHA5128045c8629e6ce27ffd1280eaf30b85a85ceaf9f35500b298d587467f103091e48ef2d7905f720fe2e5153c97201a9171c89ab01d373860d2cc67bac1bffee08c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\CookiesFilesize
20KB
MD578bbdd1d40c74746ed852d246aef10b7
SHA1ba22ac5066aa91121675d7c8f068a121b8e587d2
SHA256e0e57c7f1da276ee7b363df32337bfc0356f7468d1b6620921ff8fcf18185417
SHA5122b50b3c0b82479da3112664ebc694db465fe8193c2c815ff09927a8eb3ddc6eec0b909f0a244a7927b30ad54127ce928d369dba237d499c043524eb19d4ccb78
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\CookiesFilesize
20KB
MD5cf8e45006dbb79f3f1c620c1be8b26ad
SHA12a1e51fe346096ac1c2526ecfee6d12d6d5263aa
SHA2567063b861dee2939440af2d118379e5193f4158d38d4bb28f5238137c469471c4
SHA51299340ee794a91a2e7f3195ba7c68d17760d156c7c0d8600dbe04053707090d27b9d3091d67551c219803bb5811c276e453aa97fef9c4f976a6e9099b422250dc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HistoryFilesize
124KB
MD5fe40a164aa34827b357fb872e0b66bd5
SHA18e39b0da4ce79bb59f9472cb448e096cd833fad5
SHA256a920cf0c8a46d5d74839ad50690ff9e30a836006a9a44fb14eacc30bddd17834
SHA512ae06d8338b2aeb5020c042d2444fb0ad024afd032f5820ef9af53661ba4a95149947c4b22d060241c54817909da6f2dc1e7672066991ac2700728a393cb725d3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\000003.logFilesize
102KB
MD59ac164b69a313c7a7ffd86232daaa714
SHA156dd74a4ed68ef2d46142a80420446efdbb8b104
SHA256e274f9143932001c8b26fd2479fd4aeae6fb8fa2c7c0246a1f2b021619794e49
SHA51224ed600f9f7d7e6beda7710a3313b8593962aa16db869e438fe83bd219c09c14c628a165a38a26759fffd2cfc31dafd3e22e09c046ac07ad4e13194db0186d52
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.logFilesize
624B
MD56d00a93679befc50ae087ee23d1da274
SHA134c809ce904b7d85567b120ec5613e7583900f3b
SHA25629de5f60c27d644b3e4e82b4248465b74f203bfc3d3e9853317f0a3b2969e503
SHA512a3a0fc29a0a4c60949a87dfd3b33abc23cf3300e601fc5a4d040faf503d38cca85a1cbaaafeba1ab75ec54cea858a7685dca92841335486077942e2f9f3789fb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
2KB
MD5a082747db4d2e0a94121e06fbbed8225
SHA135a87135800a4e5df146aed5f7550e01dcb11ee6
SHA256075fd6fefc74c209aee853a90a7e04aebfba5c7a771700961a9592d1c9a1f457
SHA512e9d889d434e785406ea6df04264f62e54a5fea771978fab288efee481fdd63b7daeb2362c42ac732f5fadfa5285202311c4e7527a957851e48f406ab255825e4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD55c4fada4726976ae5be2339b7beb5d14
SHA11aa3c99c38a4593da39ce195fdb60ab98e56eccc
SHA2561dc3e54b4a30bf3ffad08cf2ef0604e03ce770d8303b51e56f9c9c66ff223c32
SHA512372986036ea0d12bba0fa1eee062d3f56b1dbdb86de47de474f468846608398daae250f817c37713c8f93ffd136d0bcf72efd2617ce137e5dc43e5357d4d8274
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5f31b732caa755c08f507e7b56c0d8eee
SHA1648ac10bf67d716c77c9877a9a8afc79a44bafb1
SHA256c04ee0841036b68a1ef290a4b083817ebc1d42adb9acc70e8343fa43b5e09f82
SHA5123e37828e34ad27fd936719fe029d67646ed8279871a082eb50031782adc35234a08a9d590cc2d8557056b895d38d6dfbe439f0dde2ac6f2fd22967d6e926a0ce
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD564d6e4e85e6960f38dfca90574df6c04
SHA1afe436be23236e5b012ea1cc392f1b732ea64fb8
SHA25650e130b20edf61135a7bdd3e1793b6edc70f5abc2f481dd2c1902a769103df61
SHA5122aefa2a112267c817b541f02627f523e900d44bfbadc9380901402acf28410709ccd5c5ffa4e768142ec13b959911dee2108cb18a1cb3a6ffa6e4302945ab8ad
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD53597bafc9a0c606b00c4bb63846a806a
SHA19e07e44f7665b987699a8fd4a45c24add5a5fe61
SHA2560361e80192f0b2d7e7f591c831662c8ac44885b9ffe5a31a11e0d5e2f1d0e289
SHA512b2d99d5b62b8223db5d89f8b8b068e6f0b2ef557c8630fd7182531484dc7225c65961e5c32de0691d6f23c78b6f8be1c3ab3a6c0029e0ffa9d2d41370360703e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5a12c593c8b968ca9b30d41022ec15190
SHA16df7e69000521f8299fc626ab2d828ec4c681ac3
SHA256dab66cbb794f382a185bebce3a7f84dbd6fe7a2de4c976f387a81cdbfa0939a0
SHA512651762e692d48ef39abeeabb5debc4a4292e033619e30a622c262c5822efc4d42b289cf450b90f4e06c693e25799b3ccab6e22abacece39ab510992b9626668a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure PreferencesFilesize
24KB
MD51b1b142e24215f033793d1311e24f6e6
SHA174e23cffbf03f3f0c430e6f4481e740c55a48587
SHA2563dca3ec65d1f4109c6b66a1a47b2477afaf8d15306a523f297283da0eccbe8b1
SHA512a569385710e3a0dc0d6366476c457927a847a2b2298c839e423c485f7dcce2468a58d20133f6dc81913056fb579957e67f63cf1e20b910d61816210447cd1f1f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\aac6b80f-e0d8-44b3-b706-df1f39e932f7\index-dir\the-real-indexFilesize
2KB
MD51b9152dc6811a5a9b3adf92f05c788e1
SHA199a50bdd97629a2f31b1d72eae808b8f2c820c78
SHA256b758d8dcae8a252e09fa8f213dc7e6a0f7bdeef312aa7991397147f919be06d8
SHA5128f75ea2e0dc6d97e85497379446414c312d5ca5dc96c7c71c6f11e14470277a1fc52fa750d8a8cdf9340ad49c534bb8d49c93d4dabb823751da1f66fa6db49e8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\aac6b80f-e0d8-44b3-b706-df1f39e932f7\index-dir\the-real-index~RFe57c5e0.TMPFilesize
48B
MD5ec2a7a95645268fc5821b41cf4f02d94
SHA1476b8080df78180054b47bd819943a2aabac4449
SHA25618533aee3d2c0bb423e2249d24ae3dcff6babcb49556e5c95e74e17d9b873d7b
SHA5120bc94b9a87dea53885ff2d2681f979046208b6435bd2a99a0cd40fef42b992e7764c9e1a2b5651295e8b3f7d54cf246644a63efe4160b762473a4df6436cf5b4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txtFilesize
89B
MD596d8afe55a22442ebf086a95f4dab8c2
SHA17a6f9228350037e131d1b1a75da219307066a97c
SHA256932e5becfc4872f640825f4a58375ff7cb775f8642af4689878a97b6dd24989d
SHA5129e3925be5cee8cd852f2a021e5fad32e562ada568d3e1a462fc1354643af4ad98fdb1045f2dd58cfecc5565d32b293950d58bfcb31d6f4e3afe31a86b70cfc47
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txtFilesize
146B
MD5e5b58cd40cdfe0b60483c0f33134841b
SHA14c378707923b12fed6594f8491269408feff4f3b
SHA256c7d106aa7f528c04f9819b2819d487b642009c46a664748ca19865e40b3b9ad2
SHA5121ed86b8fcf01e5dc38bd178dbc07a130ca23827a2e768c509e5853f0aac170d1dbf0c41833a254c4e70306310b4c8c65920b1d7f74fc816fc17b15158cf02dcb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txtFilesize
82B
MD588e7656a59532355f68fc54ef97f7967
SHA168970371e3ee12dcad4d6b0d3fafbc1e6740e40c
SHA256c8a0367ead1238e46adeb9cd127424cb79f1a892b1f2885abd3d779041a34429
SHA512d58d476c6db65dc85755bfa6fe2ddb6d2dc4d22d7b556c976b20fcaae286c7e44ee11ff1618b5f574e0a12cbd01aaa9a6c8c14a0dc4c3b40e1c7ded192aa3ff1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txtFilesize
84B
MD572d3161cf0ea75b6a83977d508322f7e
SHA121f8e7dcc3c3c38e13f9f81820aa8bd5d33d0a39
SHA25676fdc27d9617d4c101fa3cfba7e4f125a6aafed05bf9a0d753ced481e24b1250
SHA5123987a76b84317ffba06d37630cf26a9dbe934d06c244f8eeeb5cfc44017e4118fc8986ade83c385e0968cfb115dcb2631d03474662ffa48f7eab7de0f2606ec8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-indexFilesize
72B
MD52ac4b8985c2b59e3b32c0fa9fac14a8b
SHA18d2702b2f8132b323c89ffb43a95120f4ced704b
SHA256f2e6e6cf458d71593209271d0fd8b325ba3ee0d7cb4610d865dc2ffc897bd646
SHA51250ad17f2e64fd31595d12ecf1d13373a799f2652ba2a9a7c936d3580672cf7becbd92c5d4cdb53fa13c45154f246a895925d1fd0b7ebbf40f91d0eadf1453774
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57bf77.TMPFilesize
48B
MD5f8f3d7fd6e4583b107bb6fe7fa9df3df
SHA14a2dbf9aec87f12b9bc57342386459896850c336
SHA2564ff3f49327d3ceb56f1e2aeb0a25271764ccfb3dc1cbd846a2c523fe05b5631c
SHA5121721a68f751447b041e7c7bdbbf35329efc6e0158c687193d4d79b88d441c8b036b5f5c68e68e849feacdefe945bca379533cfdb53f98196bfd58d890977ec62
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD52b7bbcdb61267c0340dff162f1685f9a
SHA11ee89590e8861925dca1871db174e0dee8c27914
SHA256c51ab25c729524336c799b77b0b78e0d20c5687a03047b3e901dc81356a7efb6
SHA5128a5e4c7f5120b46e5a44d59f09484a3530da125a4b8f5f465afa21ce862a50bf5094ca8fde0bbf8d76e76586784d8ebc09b82267a2654b8776afc8405885f803
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD52adf05356327f147d0d776af267ba99a
SHA12af38f0ffbccb70f75df93a18108ffdd9d58c27c
SHA2562b6495bb9fd0c21bce3cb797932e00a0074c94c50d73ddc2b45a73b263d9d809
SHA5129925edbef76308727424a37b7ff8c18e0047b1a4feec5494984cf5fa4e3603d8e19b320c5c9f3faa8be28ff2bbf67aacbffa30933f962b55d37261902e85ab70
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57af5a.TMPFilesize
1KB
MD54b3f44cb42cbf2015235f85b481118a1
SHA1e8114e293b6f73fd3c013c6146b83ccadbc24e66
SHA25688ffe235bc5f866f64639d748008d1ccdd6fb1ce175bc673295c7cae291e7b2a
SHA51202caed1a410b383d867d6927e1b123126652dde538e7b5db1041e033b0767c7eec397065afaa2647d4a66188be40483b115b4bae0378df737b07f1703184bca1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web DataFilesize
102KB
MD51d38f9d4aa8b2aeb9d1b7a1f691a2340
SHA1239947155da1c74c34e52228e70d8554b65c1bdd
SHA256720b0f56a54d4902eea1133b9b0b65ec05d0b7a07b638af115dfa06cb96be618
SHA512e19f2bbaf05a3a7ac16d8ec63b2727aecb4d11f5f3dd9f911315e5c8d00e16e13ef4406a5bff55fd7b177857757a9f0395ed1fc470a8620dc813967c9d0c675e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5aefd77f47fb84fae5ea194496b44c67a
SHA1dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA2564166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
2KB
MD5a45ffda50c5f748924a7c39182a8951b
SHA1fe54722a2441367d6ba777dc597278617070644c
SHA256533d5aacd86543254e3249fd56544d900e070ed1c14f274c6373179360f4a950
SHA512af718faf75d3e5b140411082bdd923e8e4d222b90ab658b5ea78f767f03f4c675f5f9bdad9cd9dc215ee4fdb914a2b4f5256e89e622471dfcf53cada3f50b28e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
10KB
MD5b6b22187a77f04d39f990cfc676e84f5
SHA12f895818d1c8efdc053deac0d27a6c86fb2e9118
SHA25646d3b1d0ff12066ca862db6bc1edbe532085c4f9e2c4e0d06001115f7eb9a60d
SHA512d2c66587e7591921cf09352282748408384008e0ff30148d317993f2c26f9d779387ed3cac20c1d596d0d2fffc955b6b8e3967df584a6e80aa8fd4070d2b132c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD554ce317c292239948fd01660628ae61e
SHA181fd9948a3bd35146f485998e15a1570acc42ad2
SHA2565d7a30f5825ce0167d0df9fa49f44bef5a956e74afe89bbc36f38d14da3ee060
SHA512e770c24236401abde73a894242233fcbfdfdf342b568369321eca9227aaaaf27e447a37af91e50b1e8d22e6ff2758398b0a4435e543f811a3c6520fb40407ebd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
2KB
MD56a89acd624dd09c7fb8e6e57ada9389a
SHA137e23137482b52019125cc8a72a470d4a80ec998
SHA256afa96fc8eb5137e2b785a8d80e617625507844a93232a54f6e07b464fae99dbd
SHA512385063741732ff4e6d1906cc37b210e568cedc1d0132ee256b3e583de435791b9a3d1fd8e4d32e1b1709fe7e82cabde2eb6a9fa2502f5c3530135aec8a854426
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
10KB
MD5a40f90af70992b47703269d1fd2c2ddd
SHA19fc37a614e1338056bf913671c99ffcfcea18050
SHA256107df7efa3fa91a768ee9cb18433f035045ea32a4a43f5bdfaccfbf031c173cd
SHA512a79c95724ab2f3f4e16efb4344073da6e20c5200ea891915c09325c34f9b2c6563f254f9734dcae1a8754699f1711e69340bc3ba0c184a647672fbb86f616065
-
C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exeFilesize
256KB
MD5fc44619b030973076a537028f5b3f7c0
SHA18e953ea096b02b6d2c27a7ee84bc54214fae2e01
SHA2562d0fce516e92cdf538a888e585553e4d908fb66baeba21cbc0bb676895189349
SHA5121de3a03aeb00d6aecaeb68e7047f7c2560c6acf6da29158df4ac77cea35bf0324f98f76437dea14e5bbca02f739315ffd7d7bd822097a292fb225c5469ad4c01
-
C:\Users\Admin\AppData\Local\Temp\FC3D.exeFilesize
670KB
MD50c201136c5a339180ca35e1f651365dd
SHA1c8f9b59c56fcede3f16c30f2c848b684970399b9
SHA25612eae325c080a9a083ae2d894d57f48c871efa3dde9f2a90f924f368b7fe20e9
SHA5125bb537ccf76970c3fa57b2f78942ad6e8a240cd3bfab2b33d7d964c66d109a20c80182bb7bd6d2e7140d36fd064b917faf8313e116c0c54a4811a10de0c4e15d
-
C:\Users\Admin\AppData\Local\Temp\FC3D.exeFilesize
375KB
MD565c6cdcf3689dc38943bf5b5351fa4fc
SHA157414154a2ff1e51bbd090a4dc7a90eaf3f06e8f
SHA256e2306f28e09107d5c59235c4c6677d04edf20b77681690ac5a6d171e54168199
SHA51222867d518861f2d73ecd8216a47e31d84152d36462cf2652116b0cee08a21fb2a45bd4bfe58a0df554e87fdc7537d0a88618724d8ddcd408f89603ce44f1f42b
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6ju6aN1.exeFilesize
405KB
MD504655d87e88a47178a3dd125b271b8ea
SHA133e157c841173fd21671d4fe3fc5ef6e4b45a918
SHA256dceb5c14d4ee240b63ac3fc24885664359e3267c323597b628de11bc517bf056
SHA512effac273fc7d3fd2bcdb2b83157c16180cf3ad051869ef1b6b1413eb4466e0f7ebf0f9df09a4924cb8f357b3c92872f9cf40c90df418308769eb829a5e966094
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6ju6aN1.exeFilesize
160KB
MD58f85234508005f3a90987821c01916d8
SHA1fc79a84167403eb8a9dd344582e678f17a3fdbe4
SHA256ffcf9c53a227613c303d055fc90e6eca3c7adeb9ae9d2691e99904b988f447e0
SHA5124a46ce240b99143920ef369d869059c22f1b2ccc3ebfa6f69722040c613722cdd2e3dd3b1759da59c21a49a4b73011011608803d936fc29d3e2bb1c58c271e4a
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\et9qC29.exeFilesize
1.5MB
MD570d0a19cf6f2d82c0962b294f0f3c78b
SHA1717fa5d141f26b87a34980dbbaa22a9cfaa60531
SHA2562c45576d60ee63fc52b6285e0634ee2cedb84cbe715129dce151efd72f7c0abd
SHA5128ef261e87e0ce79e643dd60b3bab9fd9c80bd51cbb02eb203723ddc0e5aaee8168b82075bf07890b9ea8a41cc7a392d21e9a26d8aab70ec1f8a386b2d39ffa55
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\et9qC29.exeFilesize
1.5MB
MD53e0aabdb5c89cb29639633f321f0f6bf
SHA10269cf15ef7dcd1b7a1b9a5315ce3528590d192b
SHA256e69ad03217f96a2bc630d8318e779ee7069554f0cabda0626bd9d546e920b08c
SHA512706beb7c78d41bc5f628d66c14e33d7d4b260556600768089d6b3051bf68a5007b74b5b45f430527fc159195e385f922038c5ccb68c2ee1ec22b28dbb1b12d3e
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5qJ8JW6.exeFilesize
65KB
MD57cdc1d027f2c57deb294e403a8a20f93
SHA119c2905107d6eeae29269ca4192266eeb1f437cc
SHA25659e8866721ba30272c702f997c588b94d1397931c1d0a72f5fceee8952a61d2f
SHA5123b7a940a81ff6c7543ac58b310ab49e0fd205be3c7ee2f3b8cd5edf4990a757bc19a897ee158633f78f6e8ac3e804250c29a1320e59809c99d7878d8c120d790
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5qJ8JW6.exeFilesize
24KB
MD5aa62b8957de23f34fa894862d7a635e5
SHA16b5469f55d3b49cb737f7a0b78921016840baf26
SHA2561d204a9ea8c914a8bd0d63352577c610cb70abda3f10e35f9d2900fc9c57d492
SHA512e7b0e2a5cdd5c9b721f0295a6f1df2de5389da98748be2539e84bd9d248a12ca803c92635f8fdfb57e9a7ad67311e56d58483fef8ea2a878c86dd8f53cfb3ab7
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HK5xM16.exeFilesize
376KB
MD5e978246aec6afb0dcc08c7de3e7f2879
SHA161a68cff9a69eafb342e01acb154027905d6e5c9
SHA25610e8f93569d5e9f101e407c788a75c29eff74bcf721dff06d5ada6fbf1c1665f
SHA5122f7a910aca7f15cd9122ca36a881f7a13d6e08e6f32a539e5e3e0f6d9a2d3915d6f8dd2dbaac8c7036c43aea35c719ca15c50751a83aed703c5432cdec7a6549
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HK5xM16.exeFilesize
1.1MB
MD5d00e92106cc4125460eb3ed98991ad9f
SHA173cf35f1a7a7e7c9c9c872de7e8280c1e00a0236
SHA2565bee0e3a4a1daa1fca68ae6dfb215e51ed14f076cb4d04f45bd86a7a5e8790eb
SHA5121acade0da88eaae5a0908d5a3065990a055c9ef9a434aa5ffc0fc2c148af69c1150ec98248a1644d79f83653aedca97f010c896a2719c74a4edc6e6cf47e4b58
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4bM458Cz.exeFilesize
320KB
MD5818b3bbb23e0a6075339b8137cc39b44
SHA1866404b1a458ff7cb9eb588581cc538f3789c3b2
SHA2561df338e329bf8b771324f33051ebf3a371b2ef9c132bfe57156b10662ff16871
SHA51248b72168f62570874b2cb43baf8c7870ca9e342d6e88bd246e054fa48dbd87c4e20f5d5bcba2751b1e5ca73c2911c8f37eb57be1024ef898eef9c3ae8b5ef397
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4bM458Cz.exeFilesize
415KB
MD55acf33306b12cca9f58d03f3b0a29ef5
SHA165a0aed0d638b244af8ad8a91cdf487d983426ba
SHA256c406333cd1461e969679851cdec89d5994a3370f87be6a81bf04c6939cb08e88
SHA512c6296f96fc3da5a9aac810b81eaba58d98850283dfa2b8e631096476e796751a24806cd1f79f673896c98e692d150c95c056ea12a8128f9fa1333a944193bf29
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Jp2GG55.exeFilesize
1.1MB
MD564f998498aadf62dce7b6de47f38b61d
SHA11ec145962db1fa082474dff0ad4a92f5738ebf5a
SHA2564ec31b32d1831d8f8513a1c48b5370e92a9561314b55f2f2ae18a53b824dd189
SHA512fd798480b0319cce453ed9d4fcb31bf0190bd65a136226f1e2c90193219622e0523b77c787cb64b763d8a5c5d4a7f99ecf6ac88b0d424e06fbdc588405eab8dc
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Jp2GG55.exeFilesize
638KB
MD5df31e77820a7552afa1c3c429e7b5fb3
SHA1a7b0fa6336a7831a7ff5107d103962d8be8b6e89
SHA2566738eb948ca1c44cc2c4dcb4c0501fb1e93e345429292fa235780a41f5bdd34a
SHA512ab08a8440511b761ec2e6047baf65005275926e2e116bd65f7ab0b4640347ef669d8aff6cfed324d37a9aed970dbe0c758480cb4effb3ef10377d269ec1a5a9e
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3qD23lB.exeFilesize
36KB
MD55f8b84b8a2e43b3f3c20fad2c71bef4e
SHA110f397782a2948cee1e2053ef12986dcf0481f20
SHA25695975615eb1d0194e9ed527770f247e241194a3ad66ae2294a8939a216ae3ad2
SHA512dea386a37e7d8780308c2581da4ee4c81ed73bbfde439ff1e0a53fca63cc8dcdd4c478c6e76d98ce566f9ce3925b08647e752e5c1604b951571622553902216a
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IO5Kc44.exeFilesize
717KB
MD5b6ac6b4ef47477e456b186f7d3ce7df1
SHA1ea0fa2e9c45792f049eccc8999ad52b92b0d4f5b
SHA256fcbcd4eabc31e6495a5b75177e7cd7e0918728b67daee055011f66c7a12d2c83
SHA512742a029b8cd6bb375258316db257efb2d7e1422e6dbdb5f751c656ba55165bd75cfd2e3500de7c646802464eeac4d9cfe90546c22589eb41dd7aeae4963154e4
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IO5Kc44.exeFilesize
1.2MB
MD532910a3d7319d9f4f3c3ba853aee6fa7
SHA1344eaad4914327e8d95abf8196e97013ff4155e9
SHA256ced8ba1522f4654bf65bae3f7bdc93840d343e5cdba4283e8954cccdf9d76bed
SHA51226500de1d664dea7ce75c8fdeb9017eb1eb2cfd913e8ea52e0a68fe92ead2cbf5f4ad5962e48d6f7a54d5fbbd929475963cac7982bc832e2bb274b0665fc42c2
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Nc91eH8.exeFilesize
789KB
MD50f88c17ab51dc9bc8225ec3e31306d1f
SHA17e87ff2b514596d0afd620f0cf35996e4aedda94
SHA25675015f50bcaaaa6ca4e4f5b434e0548e6413d665b14d3b34f1ba714d42e09fcc
SHA51296ad9fa3befad7d256b083d56c7c42c62d63e946f19e253b28c777a9ed92abe4a4e6e52e5ca4e0a08de44e4a678a53cba1a5f37271f7512596215efc59ab810a
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Nc91eH8.exeFilesize
660KB
MD55ba28601767ea4f94e675cf0f608c36c
SHA1c86bad8080b7ca12a867d94d3dc60b32de6437ef
SHA256e99e8304a04803e95e5bbfece9509d8333ed8b3ad83e4b05a459e9e1e56fd1e0
SHA51215153cf60974c8da1a7290ca318b8fdbd764753abd863af2fbdd72903cd048f74d6aa0d447e035b380393ba660afb3c8d05e92002bb7331470fd59d38789fc3c
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Ng8019.exeFilesize
57KB
MD548b2fa65d10d9bcf8293fa3dfb941a6c
SHA1bea172b6261928ab89ecfa4fc8584d78655c751e
SHA25641e7f12f9a67cc394bf47a0e38b183e231aff074fb1fc8939508e63b34c57e02
SHA51269f6cc2b2fee08d63b6fb6766329f8330ae41eb79bb600b3a0bd5768c9a924361a720f3c1513fd5e0d5637faa21f573a95fcaf9713e4b4b2e7cb5a79db88be59
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Ng8019.exeFilesize
344KB
MD5308480ba82284de5f1ddcb2dd531d1a1
SHA11bc3dd1d51c288d640ea1d4a0b94778f2271a1c3
SHA2564c9528df6c28f50d91ea79d83af915e2fca482f6991a688f9ddcf6cc13730d33
SHA51250fa855dc5a84e2a5967cd20cab84c46b99de73d16c63b0755abbf818fa7b0f20fd9b15638075c61f6b1054663ce0c4099eab25b96407a2b0ac9627c874907c8
-
C:\Users\Admin\AppData\Local\Temp\tempAVS77pEwETWfYcP\MJHfNbk6XdXoWeb DataFilesize
116KB
MD55287eaaa4e173ee51e7c3ccab2a68bc0
SHA181242fe25182d5699832dea0a3a6ad30949f4897
SHA2562771e6725502404863150976eb9a384138331cb7cb1a17657c6b0be1249af5c5
SHA5121aba5bc877081c7aaa53ddcccf4a549e0f4ad73a5821d5640a479961144f7a56c0c81dcf71890bff713bb16a0e8b60b50e48a88ea87918f07fcc5596dcabf6d3
-
C:\Users\Admin\AppData\Local\Temp\tempAVS77pEwETWfYcP\oym0O0y0hmiZWeb DataFilesize
92KB
MD5c00f3970108a8af891b5768c37ef0b63
SHA1cf5e378a5236a9a015fa5617a303f9a5a296e645
SHA256d1edb25dac788ec78d570f905d9c81651b4229228272b3ebc64d20b3ca8c6d43
SHA5127542d99357fab4e243caad174e1f1eb172c334ede37af2e32f49bb30fece84599eb28bea005eccd920d5903a85dbe4bf56a55f8d87f29eaab6187a72d15be93b
-
C:\Users\Admin\AppData\Local\Temp\tempAVS77pEwETWfYcP\sqlite3.dllFilesize
147KB
MD59bfa44ea379f63eccaa422d1ffcebc6e
SHA193a08829de5672e646b4e54ca9f907d9a16da790
SHA2566ca7c9daa0a72f2150663a5651a3c22af6359b08e813a257d3a72c2d40a9289d
SHA51266ebb0311f3fa7c8caf1d7ce4afc4c22e11dfe5636fad9d5f7f58a9e2f61f5305c6200d587085c8f92ea220a440c961b38c3a9f74bc872461cefb7f321e6823c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeFilesize
4KB
MD5a5ce3aba68bdb438e98b1d0c70a3d95c
SHA1013f5aa9057bf0b3c0c24824de9d075434501354
SHA2569b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a
SHA5127446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79
-
\??\pipe\LOCAL\crashpad_3380_XQQYAVKSQSBVNJZSMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1524-576-0x0000000000400000-0x000000000040A000-memory.dmpFilesize
40KB
-
memory/1524-598-0x0000000000400000-0x000000000040A000-memory.dmpFilesize
40KB
-
memory/1952-728-0x00007FF831280000-0x00007FF831D41000-memory.dmpFilesize
10.8MB
-
memory/1952-726-0x0000000000040000-0x0000000000048000-memory.dmpFilesize
32KB
-
memory/3424-597-0x0000000002D40000-0x0000000002D56000-memory.dmpFilesize
88KB
-
memory/3620-186-0x0000000002F60000-0x0000000002F70000-memory.dmpFilesize
64KB
-
memory/3620-133-0x0000000006280000-0x00000000062E6000-memory.dmpFilesize
408KB
-
memory/3620-116-0x0000000005340000-0x0000000005376000-memory.dmpFilesize
216KB
-
memory/3620-117-0x0000000074140000-0x00000000748F0000-memory.dmpFilesize
7.7MB
-
memory/3620-120-0x0000000002F60000-0x0000000002F70000-memory.dmpFilesize
64KB
-
memory/3620-119-0x0000000002F60000-0x0000000002F70000-memory.dmpFilesize
64KB
-
memory/3620-118-0x00000000059B0000-0x0000000005FD8000-memory.dmpFilesize
6.2MB
-
memory/3620-207-0x0000000074140000-0x00000000748F0000-memory.dmpFilesize
7.7MB
-
memory/3620-121-0x0000000005910000-0x0000000005932000-memory.dmpFilesize
136KB
-
memory/3620-143-0x00000000062F0000-0x0000000006644000-memory.dmpFilesize
3.3MB
-
memory/3620-126-0x0000000006210000-0x0000000006276000-memory.dmpFilesize
408KB
-
memory/3620-146-0x00000000068D0000-0x00000000068EE000-memory.dmpFilesize
120KB
-
memory/3620-147-0x0000000006900000-0x000000000694C000-memory.dmpFilesize
304KB
-
memory/3620-196-0x0000000007F20000-0x0000000007F28000-memory.dmpFilesize
32KB
-
memory/3620-174-0x00000000707D0000-0x000000007081C000-memory.dmpFilesize
304KB
-
memory/3620-195-0x0000000007F40000-0x0000000007F5A000-memory.dmpFilesize
104KB
-
memory/3620-172-0x000000007F550000-0x000000007F560000-memory.dmpFilesize
64KB
-
memory/3620-194-0x0000000007E40000-0x0000000007E54000-memory.dmpFilesize
80KB
-
memory/3620-193-0x0000000007E30000-0x0000000007E3E000-memory.dmpFilesize
56KB
-
memory/3620-187-0x0000000007930000-0x00000000079D3000-memory.dmpFilesize
652KB
-
memory/3620-185-0x0000000002F60000-0x0000000002F70000-memory.dmpFilesize
64KB
-
memory/3620-184-0x0000000006ED0000-0x0000000006EEE000-memory.dmpFilesize
120KB
-
memory/3620-173-0x0000000006E90000-0x0000000006EC2000-memory.dmpFilesize
200KB
-
memory/3620-192-0x0000000007E00000-0x0000000007E11000-memory.dmpFilesize
68KB
-
memory/3620-191-0x0000000007E80000-0x0000000007F16000-memory.dmpFilesize
600KB
-
memory/3620-188-0x0000000008260000-0x00000000088DA000-memory.dmpFilesize
6.5MB
-
memory/3620-189-0x0000000007C00000-0x0000000007C1A000-memory.dmpFilesize
104KB
-
memory/3620-190-0x0000000007C70000-0x0000000007C7A000-memory.dmpFilesize
40KB
-
memory/4016-733-0x0000000000FA0000-0x000000000100A000-memory.dmpFilesize
424KB
-
memory/4016-735-0x00000000057E0000-0x00000000057E1000-memory.dmpFilesize
4KB
-
memory/4016-736-0x00000000059C0000-0x00000000059D0000-memory.dmpFilesize
64KB
-
memory/4016-739-0x00000000057E0000-0x00000000057E1000-memory.dmpFilesize
4KB
-
memory/4016-734-0x0000000074860000-0x0000000075010000-memory.dmpFilesize
7.7MB
-
memory/4032-801-0x0000000000D00000-0x0000000000D52000-memory.dmpFilesize
328KB
-
memory/4888-483-0x0000000009CF0000-0x0000000009D0E000-memory.dmpFilesize
120KB
-
memory/4888-488-0x000000000A300000-0x000000000A654000-memory.dmpFilesize
3.3MB
-
memory/4888-572-0x0000000000090000-0x00000000004EE000-memory.dmpFilesize
4.4MB
-
memory/4888-53-0x0000000000090000-0x00000000004EE000-memory.dmpFilesize
4.4MB
-
memory/4888-311-0x0000000000090000-0x00000000004EE000-memory.dmpFilesize
4.4MB
-
memory/4888-64-0x0000000000090000-0x00000000004EE000-memory.dmpFilesize
4.4MB
-
memory/4888-564-0x0000000000090000-0x00000000004EE000-memory.dmpFilesize
4.4MB
-
memory/4888-79-0x00000000084A0000-0x0000000008516000-memory.dmpFilesize
472KB
-
memory/4888-565-0x0000000000090000-0x00000000004EE000-memory.dmpFilesize
4.4MB
-
memory/4992-737-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB
-
memory/4992-741-0x0000000074860000-0x0000000075010000-memory.dmpFilesize
7.7MB
-
memory/5500-856-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB
-
memory/5784-794-0x00007FF72C8B0000-0x00007FF72CB45000-memory.dmpFilesize
2.6MB
-
memory/5784-802-0x00007FF72C8B0000-0x00007FF72CB45000-memory.dmpFilesize
2.6MB
-
memory/5908-608-0x0000000077B54000-0x0000000077B56000-memory.dmpFilesize
8KB
-
memory/5908-605-0x0000000077990000-0x0000000077A80000-memory.dmpFilesize
960KB
-
memory/5908-626-0x0000000005D90000-0x0000000005DDC000-memory.dmpFilesize
304KB
-
memory/5908-607-0x0000000077990000-0x0000000077A80000-memory.dmpFilesize
960KB
-
memory/5908-606-0x0000000077990000-0x0000000077A80000-memory.dmpFilesize
960KB
-
memory/5908-646-0x0000000007340000-0x00000000078E4000-memory.dmpFilesize
5.6MB
-
memory/5908-651-0x0000000007280000-0x00000000072D0000-memory.dmpFilesize
320KB
-
memory/5908-729-0x0000000077990000-0x0000000077A80000-memory.dmpFilesize
960KB
-
memory/5908-604-0x0000000000BB0000-0x0000000001342000-memory.dmpFilesize
7.6MB
-
memory/5908-625-0x0000000005D50000-0x0000000005D8C000-memory.dmpFilesize
240KB
-
memory/5908-647-0x00000000078F0000-0x0000000007AB2000-memory.dmpFilesize
1.8MB
-
memory/5908-645-0x0000000006CF0000-0x0000000006D82000-memory.dmpFilesize
584KB
-
memory/5908-664-0x0000000000BB0000-0x0000000001342000-memory.dmpFilesize
7.6MB
-
memory/5908-727-0x0000000000BB0000-0x0000000001342000-memory.dmpFilesize
7.6MB
-
memory/5908-612-0x0000000000BB0000-0x0000000001342000-memory.dmpFilesize
7.6MB
-
memory/5908-613-0x0000000006430000-0x0000000006A48000-memory.dmpFilesize
6.1MB
-
memory/5908-614-0x0000000005CF0000-0x0000000005D02000-memory.dmpFilesize
72KB
-
memory/5908-624-0x0000000005F20000-0x000000000602A000-memory.dmpFilesize
1.0MB
-
memory/5908-648-0x0000000007FF0000-0x000000000851C000-memory.dmpFilesize
5.2MB
-
memory/5908-666-0x0000000077990000-0x0000000077A80000-memory.dmpFilesize
960KB
-
memory/5908-667-0x0000000077990000-0x0000000077A80000-memory.dmpFilesize
960KB