Analysis
-
max time kernel
51s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
12-02-2024 23:09
General
-
Target
b32354d965a129dc2099b47162527b23099f9da764682842c8a19ee19a7ebc5a.exe
-
Size
1.8MB
-
MD5
ac51ee0e52400f38fc8c060bf167ce24
-
SHA1
ce87129bc861c940da511a4d3ad5f6fbfa88b865
-
SHA256
b32354d965a129dc2099b47162527b23099f9da764682842c8a19ee19a7ebc5a
-
SHA512
34662b996abe4ab2de7cc1ace8ee693f31bef918ebc04ef90050b4188fe08838f0eeec7c4078560d3498cf18f0f37de041b4a3e30ee9057a36ee231b1b8da8b5
-
SSDEEP
49152:a31BbN39HgS3S5MTSbYHR5Be6xoZQBi1/aXW:a311Ntg95MTqYvFo2i1/k
Malware Config
Extracted
amadey
4.17
http://185.215.113.32
http://193.233.132.167
-
install_dir
00c07260dc
-
install_file
explorgu.exe
-
strings_key
461809bd97c251ba0c0c8450c7055f1d
-
url_paths
/yandex/index.php
Extracted
redline
new
185.215.113.67:26260
Extracted
risepro
193.233.132.62
Extracted
redline
@RLREBORN Cloud (TG: @FATHEROFCARDERS)
45.15.156.209:40481
Extracted
redline
@logscloudyt_bot
185.172.128.33:8924
Extracted
redline
LiveTraffic
20.79.30.95:33223
Extracted
amadey
4.17
http://193.233.132.167
-
strings_key
1a9519d7b465e1f4880fa09a6162d768
-
url_paths
/enigma/index.php
Extracted
lumma
https://mealroomrallpassiveer.shop/api
https://gemcreedarticulateod.shop/api
https://secretionsuitcasenioise.shop/api
https://claimconcessionrebe.shop/api
https://liabilityarrangemenyit.shop/api
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 4 IoCs
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 6 IoCs
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
XMRig Miner payload 9 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
.NET Reactor proctector 2 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 20 IoCs
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 3 IoCs
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 14 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
-
Suspicious use of SetThreadContext 5 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 45 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Kills process with taskkill 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\dialer.exe"C:\Windows\system32\dialer.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\b32354d965a129dc2099b47162527b23099f9da764682842c8a19ee19a7ebc5a.exe"C:\Users\Admin\AppData\Local\Temp\b32354d965a129dc2099b47162527b23099f9da764682842c8a19ee19a7ebc5a.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exeC:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000253001\dota.exe"C:\Users\Admin\AppData\Local\Temp\1000253001\dota.exe"2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\1000260001\new.exe"C:\Users\Admin\AppData\Local\Temp\1000260001\new.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\1000262001\for.exe"C:\Users\Admin\AppData\Local\Temp\1000262001\for.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\configurationValue\bott.exe"C:\Users\Admin\AppData\Roaming\configurationValue\bott.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\configurationValue\STAR.exe"C:\Users\Admin\AppData\Roaming\configurationValue\STAR.exe"4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"4⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 35⤵
-
C:\Users\Admin\AppData\Local\Temp\1000264001\Amadey.exe"C:\Users\Admin\AppData\Local\Temp\1000264001\Amadey.exe"2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\1000266001\lolololoMRK123.exe"C:\Users\Admin\AppData\Local\Temp\1000266001\lolololoMRK123.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 8164⤵
- Program crash
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\815711207184_Desktop.zip' -CompressionLevel Optimal4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000268001\monetkamoya.exe"C:\Users\Admin\AppData\Local\Temp\1000268001\monetkamoya.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\explorer.exeexplorer.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000269001\goldprime2.exe"C:\Users\Admin\AppData\Local\Temp\1000269001\goldprime2.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\1000270001\RDX1.exe"C:\Users\Admin\AppData\Local\Temp\1000270001\RDX1.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000271001\daissss.exe"C:\Users\Admin\AppData\Local\Temp\1000271001\daissss.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\1000272001\newfilelunacy.exe"C:\Users\Admin\AppData\Local\Temp\1000272001\newfilelunacy.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main2⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\1000273001\dayroc.exe"C:\Users\Admin\AppData\Local\Temp\1000273001\dayroc.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\nine.exe"C:\Users\Admin\AppData\Local\Temp\nine.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "nine.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\nine.exe" & exit4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "nine.exe" /f5⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 4924⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 3724⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 3884⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 3924⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 6804⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 7244⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 7244⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 7484⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 7564⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 7684⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 8164⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 8884⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 9204⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 8404⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 9044⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 7884⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 6444⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 8884⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 9244⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 8964⤵
- Program crash
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
-
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 3405⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 3445⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 3725⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 6525⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 7005⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 6645⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 7205⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 7405⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 7005⤵
- Program crash
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 8685⤵
- Program crash
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 2686⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 3886⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 3926⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 6846⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 6966⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 6966⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 6966⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 7566⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 7806⤵
- Program crash
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 7646⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 8966⤵
- Program crash
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
-
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 3484⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000274001\lumma123142124.exe"C:\Users\Admin\AppData\Local\Temp\1000274001\lumma123142124.exe"2⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 10924⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 12124⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000276001\File300un.exe"C:\Users\Admin\AppData\Local\Temp\1000276001\File300un.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1392 -ip 13921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2824 -ip 28241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2824 -ip 28241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2380 -ip 23801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2824 -ip 28241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3044 -ip 30441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2824 -ip 28241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2824 -ip 28241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2824 -ip 28241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2824 -ip 28241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2824 -ip 28241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 932 -ip 9321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 932 -ip 9321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2824 -ip 28241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2824 -ip 28241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2824 -ip 28241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2824 -ip 28241⤵
-
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exeC:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\1000019001\goldman1234.exe"C:\Users\Admin\AppData\Local\Temp\1000019001\goldman1234.exe"2⤵
-
C:\Windows\explorer.exeexplorer.exe3⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main2⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main3⤵
-
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\815711207184_Desktop.zip' -CompressionLevel Optimal4⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2824 -ip 28241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2824 -ip 28241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2824 -ip 28241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2824 -ip 28241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2824 -ip 28241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2824 -ip 28241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2824 -ip 28241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1512 -ip 15121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1512 -ip 15121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1512 -ip 15121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1512 -ip 15121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1512 -ip 15121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1512 -ip 15121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1512 -ip 15121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1512 -ip 15121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1512 -ip 15121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1512 -ip 15121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2352 -ip 23521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2352 -ip 23521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2352 -ip 23521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2352 -ip 23521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2352 -ip 23521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2352 -ip 23521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2352 -ip 23521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2352 -ip 23521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2352 -ip 23521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2352 -ip 23521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2352 -ip 23521⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
Virtualization/Sandbox Evasion
2Impair Defenses
1Disable or Modify System Firewall
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5fe3aab3ae544a134b68e881b82b70169
SHA1926e9b4e527ae1bd9b3b25726e1f59d5a34d36a6
SHA256bda499e3f69d8fe0227e734bbb935dc5bf0050d37adf03bc41356dfcb5bcca0b
SHA5123fbd3499d98280b6c79c67b0ee183b27692dbc31acf103b4f8ca4dcdf392afff2b3aad500037f4288581ed37e85f45c3bbb5dcde11cddf3ef0609f44b2ecb280
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.logFilesize
2KB
MD51305705ab4eb7a8ff5a73874670d91f4
SHA1a118cf0ba2d4ac47473b9140c0aa7745efc6aac7
SHA256d6af172e36aa43249144b77b3fb2dfe65f511baf3b2e7747851e47eaceb8f99b
SHA51227ecc05e3c91ae669799ead19ef0d89397cd51f3221c1e35d30a8fe229b80a7efdc1e9b6c10bb544442c47a263c077cd912727b5a2388ad1f71af45a17ef4b64
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5b293f105d36500e347b423351d8efcb3
SHA1b79867b94180b79f579247f03c0ed05f0941bf44
SHA256c5f9b82ffe4548e7b2172a8253e7c73b6421d3c85c4e2f46347edf9ca39806a9
SHA51284c86521498aead654e9adb0ea89d9a9894251850a30c0189baaeca0fbd8bfd9aa24e3baf155ec1975e3a45f8b78d85fa7369215721da2899fab768629a38d0e
-
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exeFilesize
1.8MB
MD5ac51ee0e52400f38fc8c060bf167ce24
SHA1ce87129bc861c940da511a4d3ad5f6fbfa88b865
SHA256b32354d965a129dc2099b47162527b23099f9da764682842c8a19ee19a7ebc5a
SHA51234662b996abe4ab2de7cc1ace8ee693f31bef918ebc04ef90050b4188fe08838f0eeec7c4078560d3498cf18f0f37de041b4a3e30ee9057a36ee231b1b8da8b5
-
C:\Users\Admin\AppData\Local\Temp\1000019001\goldman1234.exeFilesize
2.5MB
MD55f4f97f402bcd5935346a94e47299ec1
SHA1554b5d093fe36d58011c6f20b7fa27cf35f9bf20
SHA2567c5db88208d7506a8d72d159d347e74e3cc49828d7596f908b1ce3a7ed10a2a4
SHA51226423c12371cdf1f21386c9646f93fcb74f341efc7fcd4fe1c4911f6d2fc90b36473f4a11ccf69006311a48eb4b7eaad8aedb4322f087ec5d3e484e28ce51826
-
C:\Users\Admin\AppData\Local\Temp\1000253001\dota.exeFilesize
3.0MB
MD51963fae4055ba84d7f49e6bfc8b218ff
SHA16a8c1f0ce6d86c7a3f7f7c4b989e4ef1e4e3257a
SHA25699ea74b35886fa44298a9df2054d592894c5b6eaf29c9bbf2ecb557595866e76
SHA512cae83952e663d4b957a14458efd0118c0bf5a56bcf7807b0d97218f70787b4dc529504cb81dd6c480af0fbc92da84becf67adc7894086b820f288f4bab87a717
-
C:\Users\Admin\AppData\Local\Temp\1000253001\dota.exeFilesize
1.6MB
MD516bb23a7a7c6edf536d082970d6abcc9
SHA1ac1e98a01f8c5639e81c094d4abdd3c726041640
SHA256a21b38438e99a9b2bc960ef53c4298d6d8576a351a6314b469dbf8030cad6ef6
SHA5121b352d61fb512c6b93924b3d178b497df4c5be0be605ac3146fd315e550b6200936766637f580ad7965d5e426d8d9a95be79626cb970ac721e2977ed8b252e91
-
C:\Users\Admin\AppData\Local\Temp\1000253001\dota.exeFilesize
2.5MB
MD53f23bb52ef7f6a295df8978600c8d88b
SHA11687c1e82fb3ba6fea38e95b84914cb785b0a1cb
SHA256c394fcde4d7ea245fe37d1677048a193a8938a22b5a7f1eb8c26806bafaf2b3d
SHA512da0cfba71e2215ec9b5340b3e666944789c0d86bf51f3a8578159ee8b54086ff3e8af8e336fd1c04b777e55fe66e00e53fcc5579b57b43414bbce1dcf0be6eda
-
C:\Users\Admin\AppData\Local\Temp\1000260001\new.exeFilesize
256KB
MD5cb8a6c8535bcc5d41f78069e12dca14e
SHA10fafa6c9f072a611e1e39ad71c3b13fd26c4d8fa
SHA2561b8572fd216d6ffb4ea471c3ddac2531e4536bf022ea8724e1ec9f221219f963
SHA512d0e1b25753f9e6c0cd0297ef4007d282973fc798902c52a1f896db9fa10c0937cc591b07e31c22782443d17319eea1c65dbd3fffe1b9537efe648ea184b9732b
-
C:\Users\Admin\AppData\Local\Temp\1000260001\new.exeFilesize
313KB
MD5f7df4f6867414bb68132b8815f010e4a
SHA1ff3b43447568de645671afb2214b26901ad7a4fc
SHA2562c9490406c7ea631dddcd60f862445faef37c036651636e4bf5e6fe0837c4b42
SHA5120ad9b1544c25ae7814fe1ecdb1cfd466fd14603a6d55749e63ce6b90926ad239f134aef1bcaa0910b79235b8a3873ad11698e17dbd0cfee92fb909f4daf0412e
-
C:\Users\Admin\AppData\Local\Temp\1000262001\for.exeFilesize
1.6MB
MD58c281571c5fdaf40aa847d90e5a81075
SHA1041fa6e79e9027350c1f241375687de7f8cba367
SHA2560182e73c39240c0e660bbdd4262209f08d767562d4794b7ed5e36a4d4f36b409
SHA512b0e481681b02e4cc4f95deff2fa21354f94ad34e6611d97de3a127ae285038164df724f3db27bbf03caa217c3d8dabf77bfdadeaf9af8a1915edacbd35c1c862
-
C:\Users\Admin\AppData\Local\Temp\1000264001\Amadey.exeFilesize
64KB
MD5e6eab6f08291ca25e67066b153f8b3df
SHA180dad63bdad767b16d917ad37d2a07673c61ad9a
SHA25693cbf61120a10aa3a40ad15fe2023d9e32eeb53bdb85fe14fa620b38cdbe644a
SHA51254117b3a114ee2f00254d5490c6e88033803e6da6f93ea5f585a4e7884b227d3229b12fac73684398566da34045bd0133b59a33666fe14249e73b1a242b4c1bb
-
C:\Users\Admin\AppData\Local\Temp\1000264001\Amadey.exeFilesize
413KB
MD5d467222c3bd563cb72fa49302f80b079
SHA19335e2a36abb8309d8a2075faf78d66b968b2a91
SHA256fedb08b3ec7034a15e9dee7ed4dec1a854fb78e74285e1ee05c90f9e9e4f8b3e
SHA512484b6c427e28193ddb73dd7062e2bfbd132ddc72ce4811bfe08784669de30e4b92bc27140373f62a4ce651401000a3c505188620c43da410bf6b0799a0791fa7
-
C:\Users\Admin\AppData\Local\Temp\1000266001\lolololoMRK123.exeFilesize
698KB
MD5bf2a3e48b0ea897e1cb01f8e2d37a995
SHA14e7cd01f8126099d550e126ff1c44b9f60f79b70
SHA256207c4f9e62528d693f096220ad365f5124918efc7994c537c956f9a79bcbadd3
SHA51278769b0130eed100e2bb1d0794f371b0fa1286d0c644337bc2d9bbe24f6467fd89aa8acf92ac719cc3c045d57097665fe8f3f567f2d4297a7ee7968bbab58b91
-
C:\Users\Admin\AppData\Local\Temp\1000266001\lolololoMRK123.exeFilesize
64KB
MD54b54f08bf45cb47b357adb58dff0b5f3
SHA14da7b901e1b55810cd82f392458ade1e7fefb1da
SHA256ef550d03d8e495c366e2d66a0ded4c7ad9873853d61c6e4d3d2ee660550beec0
SHA512e8dce824b52e9ac50645e2487e2ca1b26fecb992dc58ef23892a77b653f40e3074e71ad3d9e7589bae6afb1e7832bd17eb83cabc864009faff716faae6fe53de
-
C:\Users\Admin\AppData\Local\Temp\1000268001\monetkamoya.exeFilesize
2.4MB
MD5c051c4b05763c7ba84af11eebb4a708e
SHA1bdd528fe67e77d788656cb7de49b347a0d4ec8d6
SHA256a414fa030bc97c5e07898dffc421fff2bff43a1bab257b0520365b09b549877d
SHA5127c4fffdb887e12b0174f49758508ff9680b5a5f3b67301a292f13c62ab2e629f326c2a6a738ddb5250f2e252943b2ec102b6d56c0617828ce2b863c5a947c0b9
-
C:\Users\Admin\AppData\Local\Temp\1000268001\monetkamoya.exeFilesize
1.6MB
MD562c7c21b4fc36e78bcb21613cdc94285
SHA151c9b3245f421fbc3e3a9dfea3289710a123d981
SHA25631193be3bae3ffc5509f198090975672d8d9cb5426a4ba1932732944b9474b0f
SHA512e986639ac26df8b77ba97e52e2011c2aa3143d1df9c625d5a6c66a4bebb0b992ec11b2927aaaab324b9021b4d359ff699b7d5c4b257aa4e99f3ba7708ba012cd
-
C:\Users\Admin\AppData\Local\Temp\1000268001\monetkamoya.exeFilesize
1.8MB
MD53f8871042f10d6ea69097a4cde49fedf
SHA13c0db53e916eff38b8ef71621a5b8c99d862992d
SHA2564a9c70ce8b6e122e20ba8981acdb71f6ce58024cfd7f9890ab5286eb5f527fdc
SHA512802b406c638a6bb792c821726195e8edf40fc5c40200f1485bc8f19b90684a4682eac726dfc860691aa61133138d17f9d7e873cf5f4051457df4c07bca9c36d7
-
C:\Users\Admin\AppData\Local\Temp\1000269001\goldprime2.exeFilesize
473KB
MD53f049cf620677b51325e05a0d50b69ec
SHA165166e6999ab77d8b32bd39b46f5bbb9dff70e3f
SHA2566fff17483379f7962982c0fc6f593694c67389d1257d683b5d62fa72b93361b2
SHA512afe20976e9f7efd36ac301ec6629b7aab6479864fea137c76bc976bfe504d8e894aa6fba590c2fd6c2cf061118e070ae5a276e894c8941adce7588609c7a1ec4
-
C:\Users\Admin\AppData\Local\Temp\1000269001\goldprime2.exeFilesize
448KB
MD515c28d31962e6cc833b7ba48744bce60
SHA108951e8ab8befb219a4ea44e6a2c7446470a23d3
SHA25636171d2300756bcc87db9d60cda54fc481177bd212597054de2443e27636d957
SHA512b977a19096d51a6e4654edaaac7b6555dff77cb8f73718fe508b4103db471015fdef3b5e5fbc0f9f57446979f41cd244f74944441273186cf978950f116ca3f3
-
C:\Users\Admin\AppData\Local\Temp\1000270001\RDX1.exeFilesize
313KB
MD5a98147219e118138a69583d2bf4b4a4f
SHA10933d682bc3d11a1468fbca7c863a5c1619b06ed
SHA256aea02ed572705a2cb522550f31ec39cf0781b90d5ea6f58686f60bd7c91e52c2
SHA512719e73b5341d7c358439efdcf9d479c68bd7d0a67a77fc190e187a1dc293f4791357e509e08b94156b71b9bcc02c4ab5576f4f67a25da7ea4d5a026ae4f86266
-
C:\Users\Admin\AppData\Local\Temp\1000271001\daissss.exeFilesize
421KB
MD510a331a12ca40f3293dfadfcecb8d071
SHA1ada41586d1366cf76c9a652a219a0e0562cc41af
SHA256b58eec6e5aabc701404d5b5556c86fff5cc103c69eeda00061e838c4f122288f
SHA5121a5b8e77ddbab97bb4c848adbcd7dbfb9ca84307d1844dba9572fcea48a2cbb091a3fc52663b87568416adf18a1338adc07aab0bd5f1ab36a03c8ff8a035d399
-
C:\Users\Admin\AppData\Local\Temp\1000272001\newfilelunacy.exeFilesize
539KB
MD5c1982b0fb28f525d86557b71a6f81591
SHA1e47df5873305fbcdb21097936711442921cd2c3b
SHA2563bab5e1befbdc895d9e36e76cb9a40e59de61a34109c36ed26d7dedcd5db3080
SHA51246dcabbfb57b3665faa76bc6f58b6f252934788acabbf2ba75263d42cac8c013f6feb5992a7043123842a609bdd1b3084f2f0c8b192c2b219b87274d29f8c432
-
C:\Users\Admin\AppData\Local\Temp\1000273001\dayroc.exeFilesize
640KB
MD57a14fa95453ca221b130123bc01788c6
SHA15ff62236cf3399928f66b5e83544abaf089f55df
SHA25665e6a8ef82faa0e1e3cb15218fed42fcbbbfbdd4a62f3fc5410cfda662a25488
SHA512ace4abcc600e7a23dfa1caa33a6038f63595e2c81c14856b8fd25181c9d7f5d8238826be887a00789eb4492ab0942fff0cecdd0dd2c79cce46f4af432adc365f
-
C:\Users\Admin\AppData\Local\Temp\1000273001\dayroc.exeFilesize
192KB
MD5136d197b4eaaf1c94f32f6df59606a42
SHA1d2e0cb12f524df821262b02303adb30123738837
SHA25634c3a7441995069a132e356b3fa88a27dc804a4547f125a39f3e9ec5ba8e214d
SHA5129d7abc34d923426b06d82079c15fc5b633f79e83c2dddb7bb6dbaa6718c9753101182660bbbc8e5c6d0de4e24a122c8e5c92b0a244d411cabb3ca50a80550228
-
C:\Users\Admin\AppData\Local\Temp\1000273001\dayroc.exeFilesize
512KB
MD5ac4624418680a183414c181869fa9ef8
SHA1c489673675aea265e0311c22d4b014ae1a080ca3
SHA256a19bbafad853e9150022cd9b888dbe1606f91bfdfcba90ef1b3c5e93e53827ba
SHA51299e7c7115cfa99bb134f6751c58a50dcab3ee09bfd0f5c11ccea9adb6df68151e7dea27adbd686c3c5dcec44b590853b737a94cffefb82642a3b716310e134c1
-
C:\Users\Admin\AppData\Local\Temp\1000274001\lumma123142124.exeFilesize
600KB
MD5cad41f50c144c92747eee506f5c69a05
SHA1f08fd5ec92fd22ba613776199182b3b1edb4f7b2
SHA2561ac5eed2f7fc98b3d247240faa30f221f5692b15ea5b5c1eba3390709cb025c6
SHA51264b89f3a3b667cd81f33985db9c76ffd0bb716ce8ed93f97c24d3c20e7236d91d02af9371a26d41f55b564702bd1f6fd7489055868fcd1610c04beb79ae8c045
-
C:\Users\Admin\AppData\Local\Temp\1000276001\File300un.exeFilesize
57KB
MD5055231d52a308768e6f648954fd9a3af
SHA1eb07ae002f10dd7a0940499b1b65ad4726bd9576
SHA2561da862e5ed37d1aca728940d0f58601c2932a86289bcd8aee627d4b8f3abb3c3
SHA5129b4807e91b195c776dff98087298cd465083d57aac425d149e733b1b9e37cfd0bca73182dbf93f4ce75c74730656778a3b2e6f52f8dd054efa9c5040f38b80c4
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3kq0pjvr.n21.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exeFilesize
64KB
MD5490856e5c219438306c4ed161efea09b
SHA17644cfc56c76497d3bb8df561244c66f9d286485
SHA256130759c2365bad399ae12835d01bd9be3519854110aa317735a80e80c6f5bc03
SHA512cd9f160f00a6a57eb5a655b2e19bc6987ac68d6dfa39ebbb3c9f0a63ad3ae42fb2229216f2902aca77f3468608c70f31c8d6c81a99a9fd4d6d9f7ddf977f749a
-
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exeFilesize
1.4MB
MD55904aaeffd4e1c818f4602fe793873a0
SHA11517968f1c0012b6b6a6962a38f234bf63b3832a
SHA256400c81a62d355dbf62a72cde07bd4eb5739b8281f88d5a52ad4ac7a4598a6304
SHA512a4896503c7169653efb12dc48d023b26a6254098f997bcd355aaf2eadf7ef2385e5112d6f110ddf56c27f2d652e6995a0bf0ec49ef99bc4cf200d7f0799a04ec
-
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exeFilesize
640KB
MD546cfbbcded3683106439b4603a11a052
SHA116b809f16b3cc9d5fffad3572cb5fc3008306b2c
SHA25677306bfd2438d093b340109900213352ccdb41bb3aff76160a55dd0667907a99
SHA5127e0e5b5cebb3d288d2c11b0c61e17a2529c5f4ca1733695e54215ce9ca0c0f908629a7255bcb31dc95c538e59e614c959bb8c2531ff8c974c495736734237394
-
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exeFilesize
4.1MB
MD5294c5614c7183a453d7eef1b36ab1266
SHA1ddef7ff18a09042fdadc0a1c78f88fc2050c703c
SHA256d4194f95a8ede895fd6344ec12b5038058d9a5130016207f490f16572c3d9a01
SHA5122f6c8bc173a3cc49ac0acb4cde6dc22ce4ebe078763d9543b0511b185efb1878bb0ae01519c805fec83c7face791bfc73c505d8f9245695b64f179f035c8739e
-
C:\Users\Admin\AppData\Local\Temp\nine.exeFilesize
257KB
MD59377b2d9cf30cdb95938581d2f443d0c
SHA15b2d23dea7d5f7deded14b1f33e08260b9c25878
SHA2561b045d664cd5ce2bf315bffef85f0b4be363bd6d146533e3c3624257122330e9
SHA5124278f05d7da33465332fe62b8a9f1e01717f99a3b7e8f7769ec62947b9aca924228575087a035bcc064f816e4b58ff28bc7ba0cc84545ebbe8cc0d69b7ca7f0e
-
C:\Users\Admin\AppData\Local\Temp\toolspub1.exeFilesize
170KB
MD555f8359ef2f889e04fe418c80bc952ed
SHA1b2ac224b69c20b721ef9810b79003b513823e55f
SHA256732cb080fb5e27e98728c42f77b5dd865faa1f5e840d8113c9f30fa2c3f550c8
SHA51242bfba12e19f399beb54d65dfdb8767584c75264a1f321aee68cb85880d7ac606b3022bb0ab7df72075d3f2271e7d4918c9c7bae7acf6675856bcd21f6fe46b8
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dllFilesize
109KB
MD52afdbe3b99a4736083066a13e4b5d11a
SHA14d4856cf02b3123ac16e63d4a448cdbcb1633546
SHA2568d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee
SHA512d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dllFilesize
1.2MB
MD592fbdfccf6a63acef2743631d16652a7
SHA1971968b1378dd89d59d7f84bf92f16fc68664506
SHA256b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72
SHA512b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeFilesize
4KB
MD5a5ce3aba68bdb438e98b1d0c70a3d95c
SHA1013f5aa9057bf0b3c0c24824de9d075434501354
SHA2569b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a
SHA5127446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79
-
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dllFilesize
109KB
MD5154c3f1334dd435f562672f2664fea6b
SHA151dd25e2ba98b8546de163b8f26e2972a90c2c79
SHA2565f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f
SHA5121bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841
-
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dllFilesize
314KB
MD5d677346113c07beed43147868c7a70f6
SHA14eef1c06ee02613350d14760a47b4eb5b092c694
SHA256568a2cea57330b432c664f34572db2ead8e6b6314e4ef3e0cd060e989266c547
SHA512ea0bf7e377574b952e84470303197cba8bd49b5231add9c57ffd9706d232145ff1a4fe4d484e87d9919270040e482e60ea38cfdf40db14c098ffba287176cdbb
-
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dllFilesize
1.2MB
MD5f35b671fda2603ec30ace10946f11a90
SHA1059ad6b06559d4db581b1879e709f32f80850872
SHA25683e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7
SHA512b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705
-
C:\Users\Admin\AppData\Roaming\configurationValue\STAR.exeFilesize
570KB
MD5ea037914e6f1aa6a8ad565407158d49b
SHA15fbbd923c0bbcf33fafca5a0ed847c19478856e5
SHA2569deee2315490381305b70eeaff5805df00d10feb9d9f78fbce33b3cd5795ed73
SHA512369943b3ac01a8c89c7d163391e60c2a4f9f616ade5161df8a67e75c490ff4a70b37d4b617675518c924d2fbc07605a37d4f76166da9becefcb4bd5052a69e55
-
C:\Users\Admin\AppData\Roaming\configurationValue\bott.exeFilesize
313KB
MD5753db7d6804f9f27aaf30fe62c00a011
SHA14c29fef91e4a099c08b90c0aa9f0397fba36d452
SHA2568f09598518b4d2a084e1fe1068c43027fe9e6caed74de0926bdac110a305ac2c
SHA5127ff04ef374e8a97b58f110dbf3451493c2e2644fce3935a6d4107074819d9547ea861c06a2ed24b5d459f41784bcc0be107c920e78310332ca50f3143b7ac830
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5d3f01c04623990da8880912d55e75837
SHA12a88be0dda948b0fcd1d1f19468175ac1126aa77
SHA2560210281f55f5065243c460575d14a80e530eb2bf970462b12b813dac1b1fe078
SHA512b05144977e404e5b9511bb54596a752b38302c338ced57032db1bea19d9f556a120ce6491b5a8f4dba93be7f7fb7ca23201682401474aa52741a30b2c0a3f447
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD50bc88c8312702adeabbb164c5c9f00ae
SHA1425f8e02d2c554c3ca60f4be11eff3cae4914a18
SHA25622533444cf861a22ff07e3993c1125ae4944927bbb546a0e840847b37d17d046
SHA512e05e99fc291e7844aac14e95bda50d35c245386470e6e5a6c75b2bf46e0a2fd16ef16bd29b6c211d595329c6651c51610c1517b1acfc50e261a3eda44a422f35
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5170c447a8e24323666e6d5ecb479dada
SHA1e9350f8381053ef56fa09ffac652e6d8268d46ea
SHA256ff607c8afebaccadb42f1d9e26e1326e26e5462afb9cd1e98aa99f1a1ee31c2f
SHA51265095ad05fade9df420ab6a661270e99f12e63c6209a2f59cb8bb423622a81baf43ed24c9f64a9f8031deb7cf89a27e698dd6d64b512914641725b5bb978e093
-
C:\Windows\rss\csrss.exeFilesize
1.7MB
MD50d8fde666d814a96fe5edd42d5ff7f6b
SHA1d90772fa16008f3ac73f6dfed24a8166a1a5ef11
SHA25656e1c010683afbba641f3443ed8b59166f45200b05d43e23f526a8ae9e20ebe1
SHA512e9e820e7d5eb913207dcdb241804846a56bd67d11303e3b01ef47143e9e216cafda2d24acc2b6b025fe9ab0fd88c9c2a0668b61368ad0e69311722403f9cc6aa
-
memory/716-217-0x0000000073050000-0x0000000073800000-memory.dmpFilesize
7.7MB
-
memory/716-92-0x0000000000270000-0x0000000000408000-memory.dmpFilesize
1.6MB
-
memory/716-93-0x0000000073050000-0x0000000073800000-memory.dmpFilesize
7.7MB
-
memory/716-98-0x0000000004D10000-0x0000000004D20000-memory.dmpFilesize
64KB
-
memory/716-218-0x0000000002670000-0x0000000004670000-memory.dmpFilesize
32.0MB
-
memory/932-554-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/932-546-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/980-0-0x0000000000D40000-0x0000000001203000-memory.dmpFilesize
4.8MB
-
memory/980-4-0x0000000004F00000-0x0000000004F01000-memory.dmpFilesize
4KB
-
memory/980-6-0x0000000004F30000-0x0000000004F31000-memory.dmpFilesize
4KB
-
memory/980-7-0x0000000004EC0000-0x0000000004EC1000-memory.dmpFilesize
4KB
-
memory/980-3-0x0000000004EF0000-0x0000000004EF1000-memory.dmpFilesize
4KB
-
memory/980-5-0x0000000004EE0000-0x0000000004EE1000-memory.dmpFilesize
4KB
-
memory/980-8-0x0000000004ED0000-0x0000000004ED1000-memory.dmpFilesize
4KB
-
memory/980-10-0x0000000004F50000-0x0000000004F51000-memory.dmpFilesize
4KB
-
memory/980-16-0x0000000000D40000-0x0000000001203000-memory.dmpFilesize
4.8MB
-
memory/980-9-0x0000000004F20000-0x0000000004F21000-memory.dmpFilesize
4KB
-
memory/980-11-0x0000000004F40000-0x0000000004F41000-memory.dmpFilesize
4KB
-
memory/980-2-0x0000000000D40000-0x0000000001203000-memory.dmpFilesize
4.8MB
-
memory/980-1-0x0000000077654000-0x0000000077656000-memory.dmpFilesize
8KB
-
memory/1096-298-0x0000000000400000-0x0000000000454000-memory.dmpFilesize
336KB
-
memory/1392-164-0x0000000000400000-0x000000000048A000-memory.dmpFilesize
552KB
-
memory/1392-173-0x0000000000400000-0x000000000048A000-memory.dmpFilesize
552KB
-
memory/1392-171-0x0000000000BA0000-0x0000000000BA1000-memory.dmpFilesize
4KB
-
memory/1392-167-0x0000000000400000-0x000000000048A000-memory.dmpFilesize
552KB
-
memory/1400-101-0x0000000005310000-0x0000000005322000-memory.dmpFilesize
72KB
-
memory/1400-95-0x0000000005090000-0x000000000509A000-memory.dmpFilesize
40KB
-
memory/1400-99-0x0000000006270000-0x0000000006888000-memory.dmpFilesize
6.1MB
-
memory/1400-100-0x00000000054A0000-0x00000000055AA000-memory.dmpFilesize
1.0MB
-
memory/1400-221-0x0000000073050000-0x0000000073800000-memory.dmpFilesize
7.7MB
-
memory/1400-119-0x00000000053C0000-0x000000000540C000-memory.dmpFilesize
304KB
-
memory/1400-111-0x0000000005370000-0x00000000053AC000-memory.dmpFilesize
240KB
-
memory/1400-72-0x00000000050F0000-0x0000000005182000-memory.dmpFilesize
584KB
-
memory/1400-69-0x0000000000630000-0x0000000000684000-memory.dmpFilesize
336KB
-
memory/1400-70-0x0000000073050000-0x0000000073800000-memory.dmpFilesize
7.7MB
-
memory/1400-236-0x00000000052E0000-0x00000000052F0000-memory.dmpFilesize
64KB
-
memory/1400-233-0x0000000005D50000-0x0000000005DB6000-memory.dmpFilesize
408KB
-
memory/1400-96-0x00000000052E0000-0x00000000052F0000-memory.dmpFilesize
64KB
-
memory/1400-71-0x00000000056A0000-0x0000000005C44000-memory.dmpFilesize
5.6MB
-
memory/2308-485-0x00007FFB12F50000-0x00007FFB13145000-memory.dmpFilesize
2.0MB
-
memory/2308-487-0x00007FFB109E0000-0x00007FFB10CA9000-memory.dmpFilesize
2.8MB
-
memory/2308-481-0x0000020340200000-0x0000020340600000-memory.dmpFilesize
4.0MB
-
memory/2308-470-0x000002033E780000-0x000002033E789000-memory.dmpFilesize
36KB
-
memory/2308-486-0x00007FFB12A00000-0x00007FFB12ABE000-memory.dmpFilesize
760KB
-
memory/2824-605-0x0000000000400000-0x0000000002FC1000-memory.dmpFilesize
43.8MB
-
memory/2824-610-0x0000000000400000-0x0000000002FC1000-memory.dmpFilesize
43.8MB
-
memory/2824-584-0x0000000000400000-0x0000000002FC1000-memory.dmpFilesize
43.8MB
-
memory/2824-543-0x0000000000400000-0x0000000002FC1000-memory.dmpFilesize
43.8MB
-
memory/2868-225-0x00000000020E0000-0x00000000020F0000-memory.dmpFilesize
64KB
-
memory/2868-235-0x0000000002620000-0x000000000267A000-memory.dmpFilesize
360KB
-
memory/2868-223-0x0000000002120000-0x000000000217C000-memory.dmpFilesize
368KB
-
memory/2868-224-0x0000000073050000-0x0000000073800000-memory.dmpFilesize
7.7MB
-
memory/2868-256-0x00000000020E0000-0x00000000020F0000-memory.dmpFilesize
64KB
-
memory/2892-499-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2892-479-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2892-547-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2892-529-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2892-484-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2892-526-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2892-461-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2892-522-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2892-521-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2892-474-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2892-519-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2892-456-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2892-504-0x0000000001040000-0x0000000001060000-memory.dmpFilesize
128KB
-
memory/2892-488-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2892-553-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2896-58-0x0000000077652000-0x0000000077653000-memory.dmpFilesize
4KB
-
memory/2896-583-0x00000000001F0000-0x0000000000D08000-memory.dmpFilesize
11.1MB
-
memory/2896-172-0x00000000001F0000-0x0000000000D08000-memory.dmpFilesize
11.1MB
-
memory/2896-372-0x00000000001F0000-0x0000000000D08000-memory.dmpFilesize
11.1MB
-
memory/2896-195-0x000000007F240000-0x000000007F611000-memory.dmpFilesize
3.8MB
-
memory/2896-48-0x000000007F240000-0x000000007F611000-memory.dmpFilesize
3.8MB
-
memory/2896-606-0x00000000001F0000-0x0000000000D08000-memory.dmpFilesize
11.1MB
-
memory/2896-532-0x00000000001F0000-0x0000000000D08000-memory.dmpFilesize
11.1MB
-
memory/2896-47-0x00000000001F0000-0x0000000000D08000-memory.dmpFilesize
11.1MB
-
memory/2896-192-0x00000000001F0000-0x0000000000D08000-memory.dmpFilesize
11.1MB
-
memory/2896-588-0x00000000001F0000-0x0000000000D08000-memory.dmpFilesize
11.1MB
-
memory/3044-542-0x0000000000400000-0x0000000002BED000-memory.dmpFilesize
39.9MB
-
memory/3804-193-0x0000000000400000-0x0000000000592000-memory.dmpFilesize
1.6MB
-
memory/3804-220-0x00000000050D0000-0x00000000050E0000-memory.dmpFilesize
64KB
-
memory/3804-219-0x0000000073050000-0x0000000073800000-memory.dmpFilesize
7.7MB
-
memory/4100-460-0x00007FFB109E0000-0x00007FFB10CA9000-memory.dmpFilesize
2.8MB
-
memory/4100-433-0x0000000003200000-0x0000000003600000-memory.dmpFilesize
4.0MB
-
memory/4100-428-0x0000000003200000-0x0000000003600000-memory.dmpFilesize
4.0MB
-
memory/4100-455-0x00007FFB12A00000-0x00007FFB12ABE000-memory.dmpFilesize
760KB
-
memory/4100-450-0x00007FFB12F50000-0x00007FFB13145000-memory.dmpFilesize
2.0MB
-
memory/4608-94-0x00000000009F0000-0x0000000000EB3000-memory.dmpFilesize
4.8MB
-
memory/4608-25-0x0000000004F60000-0x0000000004F61000-memory.dmpFilesize
4KB
-
memory/4608-541-0x00000000009F0000-0x0000000000EB3000-memory.dmpFilesize
4.8MB
-
memory/4608-97-0x00000000009F0000-0x0000000000EB3000-memory.dmpFilesize
4.8MB
-
memory/4608-19-0x00000000009F0000-0x0000000000EB3000-memory.dmpFilesize
4.8MB
-
memory/4608-20-0x00000000009F0000-0x0000000000EB3000-memory.dmpFilesize
4.8MB
-
memory/4608-582-0x00000000009F0000-0x0000000000EB3000-memory.dmpFilesize
4.8MB
-
memory/4608-429-0x00000000009F0000-0x0000000000EB3000-memory.dmpFilesize
4.8MB
-
memory/4608-22-0x0000000004FA0000-0x0000000004FA1000-memory.dmpFilesize
4KB
-
memory/4608-586-0x00000000009F0000-0x0000000000EB3000-memory.dmpFilesize
4.8MB
-
memory/4608-23-0x0000000004F80000-0x0000000004F81000-memory.dmpFilesize
4KB
-
memory/4608-21-0x0000000004F90000-0x0000000004F91000-memory.dmpFilesize
4KB
-
memory/4608-24-0x0000000004FC0000-0x0000000004FC1000-memory.dmpFilesize
4KB
-
memory/4608-26-0x0000000004F70000-0x0000000004F71000-memory.dmpFilesize
4KB
-
memory/4608-608-0x00000000009F0000-0x0000000000EB3000-memory.dmpFilesize
4.8MB
-
memory/4608-27-0x0000000004FE0000-0x0000000004FE1000-memory.dmpFilesize
4KB
-
memory/4608-277-0x00000000009F0000-0x0000000000EB3000-memory.dmpFilesize
4.8MB
-
memory/4640-375-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/4904-170-0x0000000002630000-0x0000000004630000-memory.dmpFilesize
32.0MB
-
memory/4904-140-0x0000000004BB0000-0x0000000004C48000-memory.dmpFilesize
608KB
-
memory/4904-169-0x0000000073050000-0x0000000073800000-memory.dmpFilesize
7.7MB
-
memory/4904-154-0x00000000024F0000-0x0000000002500000-memory.dmpFilesize
64KB
-
memory/4904-159-0x00000000024F0000-0x0000000002500000-memory.dmpFilesize
64KB
-
memory/4904-161-0x00000000024F0000-0x0000000002500000-memory.dmpFilesize
64KB
-
memory/4904-158-0x00000000024F0000-0x0000000002500000-memory.dmpFilesize
64KB
-
memory/4904-155-0x0000000005200000-0x0000000005298000-memory.dmpFilesize
608KB
-
memory/4904-153-0x0000000073050000-0x0000000073800000-memory.dmpFilesize
7.7MB