Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
20-04-2024 20:43
General
-
Target
8d10ea1db46deb842f9baae002fc6345a7fc7f405aa50f9facd98204b9ef325b.exe
-
Size
3.1MB
-
MD5
bd341c68a7df0cd1c4246bfa40ce9f32
-
SHA1
838dd07ba57d4d49ff8e6b0eb4d17f2b42dbd3b7
-
SHA256
8d10ea1db46deb842f9baae002fc6345a7fc7f405aa50f9facd98204b9ef325b
-
SHA512
74c8e6b0333bf324292331e3e87596daa708c938f517b95cf9c7333a21b4e3faa8c58f94725516036a3016675a55d3ed6e6e7ab16882a080c45403cc67d19137
-
SSDEEP
98304:ErCZZuTgZIyPHmkjSoUZwVakl8UryMgGSIMLa60j:gCOOJl8UuMgbL
Malware Config
Extracted
amadey
4.18
http://193.233.132.56
-
install_dir
09fd851a4f
-
install_file
explorha.exe
-
strings_key
443351145ece4966ded809641c77cfa8
-
url_paths
/Pneh2sXQk0/index.php
Extracted
amadey
4.17
http://193.233.132.167
-
install_dir
4d0ab15804
-
install_file
chrosha.exe
-
strings_key
1a9519d7b465e1f4880fa09a6162d768
-
url_paths
/enigma/index.php
Extracted
xehook
https://unotree.ru/
https://aiwhcpoaw.ru/
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect Xehook Payload 1 IoCs
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Xehook stealer
Xehook is an infostealer written in C#.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 16 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 9 IoCs
-
Identifies Wine through registry keys 2 TTPs 8 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 3 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 60 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8d10ea1db46deb842f9baae002fc6345a7fc7f405aa50f9facd98204b9ef325b.exe"C:\Users\Admin\AppData\Local\Temp\8d10ea1db46deb842f9baae002fc6345a7fc7f405aa50f9facd98204b9ef325b.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh wlan show profiles5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\597858682981_Desktop.zip' -CompressionLevel Optimal5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000055001\36f296e9dd.exe"C:\Users\Admin\AppData\Local\Temp\1000055001\36f296e9dd.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account4⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff93c45ab58,0x7ff93c45ab68,0x7ff93c45ab785⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1748 --field-trial-handle=2016,i,8521022860606404074,16889117654576369110,131072 /prefetch:25⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1984 --field-trial-handle=2016,i,8521022860606404074,16889117654576369110,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2276 --field-trial-handle=2016,i,8521022860606404074,16889117654576369110,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=2016,i,8521022860606404074,16889117654576369110,131072 /prefetch:15⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3056 --field-trial-handle=2016,i,8521022860606404074,16889117654576369110,131072 /prefetch:15⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4360 --field-trial-handle=2016,i,8521022860606404074,16889117654576369110,131072 /prefetch:15⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4532 --field-trial-handle=2016,i,8521022860606404074,16889117654576369110,131072 /prefetch:15⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4100 --field-trial-handle=2016,i,8521022860606404074,16889117654576369110,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4080 --field-trial-handle=2016,i,8521022860606404074,16889117654576369110,131072 /prefetch:85⤵
- Modifies registry class
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 --field-trial-handle=2016,i,8521022860606404074,16889117654576369110,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4880 --field-trial-handle=2016,i,8521022860606404074,16889117654576369110,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4820 --field-trial-handle=2016,i,8521022860606404074,16889117654576369110,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4748 --field-trial-handle=2016,i,8521022860606404074,16889117654576369110,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3604 --field-trial-handle=2016,i,8521022860606404074,16889117654576369110,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4880 --field-trial-handle=2016,i,8521022860606404074,16889117654576369110,131072 /prefetch:85⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\1000056001\153edcbbda.exe"C:\Users\Admin\AppData\Local\Temp\1000056001\153edcbbda.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1000059001\amert.exe"C:\Users\Admin\AppData\Local\Temp\1000059001\amert.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exeC:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1000193001\dirtquire.exe"C:\Users\Admin\AppData\Local\Temp\1000193001\dirtquire.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Start-Process 'C:\Users\Admin\AppData\Roaming\RB48SMHJES.exe'"4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Unsecured Credentials
4Credentials In Files
3Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\43563d7b-c76b-404e-8cb2-d3ae1ae4a7af.tmpFilesize
254KB
MD52e218f972fcc18114b3ee561ccea38a9
SHA1ddc9c200758a4b663b0a8116d012fcf4068cfff1
SHA256e904ed7dad18f64c86c0e41ee0bba2c476e58fa0a98b2778048a6eb92f092d91
SHA512de389002a25524594dff68c9b8ac754c98927a415ba64d223d8b680f2f4c1e8875b3adc273b8bd94c178e57c8a7bf01b5101d3725a9164eea73d93011f9a9931
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
360B
MD5a8a39923f88ec1130f725c1d3518c27d
SHA18b4dbb8b30cfa19e6b947afc06a348e63d69f916
SHA2569ed47ee69bdbd5f88cc5887e6970f03bd48ebbd8c47068b81c50268f173243af
SHA5124980437e3424654fe040557e5d41b95f4cc23613e71c77f8050142d004dfbaa7545b97135e1433aaa52ac13550f430a05e9a88a06d973352e12f31df261d823d
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesFilesize
20KB
MD527c1401edb8470329100bc7b820a1e30
SHA116ec358bc4f0aeedca93fc1ae69c209aa45d1952
SHA25653cbeb72e34468fccb4a6dd44cdaee5b3417ac9028ab4dad5501906fdf3a3c1d
SHA512fa3d43452d71f7fc1d1d6c9a75198acf85552be2b29c80a31e667c34a2d1417057015b625a32a916a64d9407ca1c86f0a544b87a65b6d7c454eb1deee9385f94
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
2KB
MD5056a8e3d534ebbc3a5908cc2d76e09a6
SHA18adf0a084b33b7daabb844930bfc7e49a9a7cb74
SHA25680ed9924849ab34f2d85bce1743c35985b28cd76a7a8fc9ba94824eebca820da
SHA512450e8b964da509f6f4fd9b42f54599136e34b92fac716931160ce899ea713228369b2bae8466cb8f9c77a544239ce103e9e0f208fddbff05e18eb656a1797609
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending ReportsFilesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
524B
MD5f56b05f8121a10829536f45c6a1a6ba3
SHA1bafad07c518d9a1748b0462fac9fe8aa16082058
SHA25695ece8c0e6b681ba88d4ff0ce50a593013351aa094451870e11e30c9842733f1
SHA5129a7b1301e7a21490e6e032c9355abf95524c78ae4060ba0304d4e95dc2c43e3feb779cb0949b9711e2e6a36ba885d94433b24cbc851bbb13a311fcbeb19dcb40
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
524B
MD55cffadbb5b7615911fbafdf28ae9ec1e
SHA16823c93caf5b5e40aafe9e3590d436c43699ec9d
SHA256a6d414d8ea8f257bcd47e784af9c6e81200375352b96eaa761da930f1e4384c7
SHA512786a0321af9b856f5f39fbec74d97883f9fa398cec2908b35e3182d5f0de586cf657c3fc5de4d0bc3e693cc0ae8b113f2b15bd1d92185127176d882d22fe060b
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
7KB
MD5f2c8078cd29aed898825a2490b7581f2
SHA13a8ad8217593099e17fd0e46244e70f5c38f036f
SHA25661075a372b53d5ac4b57327ce6df2c36c54afb21eb3c182aff046cba53d305d4
SHA512ab11b22129697ea8a4ef86bba4f947d79597692d4eeca449b016631b71192e0596ca0a341d0ab88c9924813f8124bc01f5bdccc44b114e161682d3a0ea039f31
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
16KB
MD5f47baf4eb42e89b6d6aa366b797c051d
SHA12035ba9ac976fc30e82062227ca89583002da778
SHA256b4c47c071268e4b5fd46453a148df8e3571e5ae746c8d7fca02b0a0067424923
SHA512309764f708f926e41292ff0518c73c41e47882204bdac02e794b8ad94dc13585a809b618cc22279765f4e174551f5ab5503e60190b5c11c14ce5b88e73bb3ef5
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last VersionFilesize
14B
MD5009b9a2ee7afbf6dd0b9617fc8f8ecba
SHA1c97ed0652e731fc412e3b7bdfca2994b7cc206a7
SHA256de607a2c68f52e15a104ead9ecbaa3e6862fdb11eac080e408ba4d69f1f7a915
SHA5126161dd952ae140a8fb8aa5e33f06bc65fdc15ce3fbfe4c576dc2668c86bce4a1d5c1112caee014e5efa3698547faad3bc80ec253eedb43148e36e1a02ce89910
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
128KB
MD550846eb1742639bda5580deb457d1b1c
SHA1d59ffcf5b0b0c92dd0bb88297e01991eb5ef3955
SHA25691f54796088ee02aa8f689eddcf81b56aada255985980d229fcd193ca59b7c1f
SHA51264c31a1b26ecfd6297af39019e8f285b23581bbfa9b7bf51fa22d83a2f63ee973811bb3ce216bf30f0e84bf8d57790fcc35b009a4ebe5738bce5507638b3e461
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
254KB
MD5ea97c6eed894ee4db12e30b065353bb8
SHA10ce7f64a9d9f85742b28e2ec3509da9d567dcda5
SHA256726438d2534057025953b666087d428e8b8194bd409d4a5564c7f039f01edace
SHA51261444d6e4cf7b01908082b63d844d8d653f5310ae409ec1c0b9b1174de5b2abbed31dbbf8b61dec7fef7238890327199f6b230b475e96aa5d74963da656f4cdc
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
274KB
MD51acefac32cf992c5735d05db973d7f19
SHA1278fc0872a39c4ac275ab874415f7e740c0ee266
SHA256361bbdba9cc58cbdb432c8772e3e28252ba9624306d80a103e10ea8241f7c92b
SHA512aa253a1abaf2945d8312a99ff7fea78c47e4528afdc06704fd7802cfdf7a8769623a369b868fd734df397fb2818db9fa6ab91250e5d14122cb610df3db18eb3c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info CacheFilesize
98KB
MD5a0065da23804db983b2842ea754ae8e9
SHA1c8c5ba8f9af44069d67f416d59e88f27e3e5adf6
SHA2563045ff81f3890e8a944f9511a63ebb6734f7f86e236fe58ddb2cdcc5ae7a521f
SHA512e81b6b546d26e4abff464422016d2fcf6ac193d1f0525b5fdaa6843795da1a4266e3b73a68549dcbc86d970eb64f73fe4d4f7c831887b637e15257a06e1a6bbe
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe584e0b.TMPFilesize
95KB
MD586c5e72377c8b0f7851c91b854ee6e5e
SHA1564d8bdad6c1fc010d4b06a06ac9eb7959719bd1
SHA25663b25bc369425a2ac2b84a0daf0e192275a1fe2470aeb1b9dfc20443b7bca0a0
SHA512cfc94d00f9debc4cae0e5d09a618aa3b3714931a188c900f58942901eebe67f7a771088232ef925f6d7f71e42bba8e48a4635462d381d249f8f1cef2b1fefb75
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5c86ee90124c6374bc4c440a308eceb38
SHA1b2075096ffa0abb9ba5abb0348e921e03fdf97b1
SHA25699412b05f5ff937533a9c7dfc5ae65a4626c8f7f8b985c0b3a1e0ab5933863c8
SHA5123dfadcd144a269cdf379aeb7f911642823e0426cda40cd231d90360f2aef7f6e49e68e0eaf742327ea3422a373128fb9652f8a361caa6ba99b8623eef1c6b8de
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeFilesize
3.1MB
MD5bd341c68a7df0cd1c4246bfa40ce9f32
SHA1838dd07ba57d4d49ff8e6b0eb4d17f2b42dbd3b7
SHA2568d10ea1db46deb842f9baae002fc6345a7fc7f405aa50f9facd98204b9ef325b
SHA51274c8e6b0333bf324292331e3e87596daa708c938f517b95cf9c7333a21b4e3faa8c58f94725516036a3016675a55d3ed6e6e7ab16882a080c45403cc67d19137
-
C:\Users\Admin\AppData\Local\Temp\1000055001\36f296e9dd.exeFilesize
1.1MB
MD53f00f7a2a96ceb0835e24b7850d7135d
SHA158432f5288e80b450cb129f4910daaa81a625211
SHA256c191111d7620eb4d5cbb2f575cd9a96c3d9ffe02bc7f2ea2f978ad55a078d40b
SHA512954849074ab355f479eed590dc99550ad385d08125fb4577ee3cda3f1a501b35c43d109dcbe9bd7e5723c8d88ca7f72e3dbf426642829bb35d4db245a3560796
-
C:\Users\Admin\AppData\Local\Temp\1000056001\153edcbbda.exeFilesize
2.2MB
MD5497c599020d378a4f2f7bd7b53feec7c
SHA1c427976796ce204c1baef147a60386eaa3248955
SHA2561b17e31053f03aea668651f673213a5c11e56c252d2f750f85f1aeeaae1a2e43
SHA512898495dfbf0cbf80230a4f718ece7a390b58fbac786a4416679de273ca9f719f52ac89b925706b2fedd981bbdf5d49282a6e7d1d1592fe3d5c6c2d5dd256b41e
-
C:\Users\Admin\AppData\Local\Temp\1000059001\amert.exeFilesize
1.8MB
MD54f924d31ec92af6ef6250e7723f098e0
SHA1f3c6119a04b8266d3b13363f5bb82c4190a5f626
SHA256fd991242964f1d851fc1277658d40a357c87e2032d813ec86ad3503fd40d7db3
SHA512ec27b19fff72acec46a49c6c3043c1d8ea34c8b00891656bafab46ff2ea6aad7c4a4c7aeb8f592e796106a977ef48939826512ccc6c227e7fc5eca79aa9faa63
-
C:\Users\Admin\AppData\Local\Temp\1000193001\dirtquire.exeFilesize
273KB
MD5e795115169cc800de0392d6a675d58fd
SHA18dd75837e360ba1cb8acf5a3d348dd020a5da482
SHA25617f929c1d40a7fd6f897c0b15ca9c44b2059cbccb3037c31619d87954659478e
SHA5125fb6543e91de175bd365462a1cc87d6772e43b0effd3757b3e408b08a4de5a004de9a85e7f1d09578fa3bc6b6486c5f5016c1b879496582dbb39b2e62e168f38
-
C:\Users\Admin\AppData\Local\Temp\597858682981_Desktop.zipFilesize
106KB
MD5fdca27abe192b233f790ec5bca473496
SHA1dce6139abb2a4214d682ea363dff2ce9ac8e9d7a
SHA25691e5d5259c992f5b5f5d9d18dc83f9bef29d6b6d8861288d23231fa735089dad
SHA5129934bb4091d624e35b9063c283b0f308b57a52eeeceb570fddae5400f66723bbc3c0daa2b7a46af5097b0d3ae109db21b2cb3327cdc96cfc19ff92df8651bdd0
-
C:\Users\Admin\AppData\Local\Temp\_Files_\JoinUse.docxFilesize
106KB
MD507b43a93c42e5d1b1de0622eca1b2c75
SHA16838b5c018957d210ac82a4d3a05d9b2b649c372
SHA256c7ed504976f3dedf3eda8b1a5f31d8fcdda5a1994b78e9329a94a91a7ca4a4f4
SHA51229e0df5239020962fedd7d1fd58886620205a528a6fe0b23062c6d1c2ff4778fe49ccabea54942388d409647a958d6555b621149ca0e0660f5688cbd4dd93ed8
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sk4mrkbp.ac4.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\RB48SMHJES.exeFilesize
65KB
MD5a9dfd960d1a10a1670849e852bb70b2a
SHA167c37e2debf1f0cf3e5d02d8f222cc3d77fdf593
SHA256cf9e1900e44565feab39a6c6ad88019496210f3237b323260c0d0abaf680ab62
SHA5128dbce59c7d9312cc25c9463c21b544f84c29b36e43897b78b2c4d56dda4cb016120c5523eadbc5cad53d5fa9a282ee92313ffcb3035476410e4f547e17c1ac34
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dllFilesize
109KB
MD5726cd06231883a159ec1ce28dd538699
SHA1404897e6a133d255ad5a9c26ac6414d7134285a2
SHA25612fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA5129ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dllFilesize
1.2MB
MD515a42d3e4579da615a384c717ab2109b
SHA122aeedeb2307b1370cdab70d6a6b6d2c13ad2301
SHA2563c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103
SHA5121eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444
-
\??\pipe\crashpad_4372_QEHYAXQDCCXOSZUPMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/116-242-0x0000000000C40000-0x0000000000F5A000-memory.dmpFilesize
3.1MB
-
memory/116-33-0x0000000005050000-0x0000000005051000-memory.dmpFilesize
4KB
-
memory/116-37-0x0000000000C40000-0x0000000000F5A000-memory.dmpFilesize
3.1MB
-
memory/116-500-0x0000000000C40000-0x0000000000F5A000-memory.dmpFilesize
3.1MB
-
memory/116-463-0x0000000000C40000-0x0000000000F5A000-memory.dmpFilesize
3.1MB
-
memory/116-459-0x0000000000C40000-0x0000000000F5A000-memory.dmpFilesize
3.1MB
-
memory/116-297-0x0000000000C40000-0x0000000000F5A000-memory.dmpFilesize
3.1MB
-
memory/116-396-0x0000000000C40000-0x0000000000F5A000-memory.dmpFilesize
3.1MB
-
memory/116-316-0x0000000000C40000-0x0000000000F5A000-memory.dmpFilesize
3.1MB
-
memory/116-36-0x0000000000C40000-0x0000000000F5A000-memory.dmpFilesize
3.1MB
-
memory/116-354-0x0000000000C40000-0x0000000000F5A000-memory.dmpFilesize
3.1MB
-
memory/116-35-0x0000000000C40000-0x0000000000F5A000-memory.dmpFilesize
3.1MB
-
memory/116-34-0x0000000005040000-0x0000000005041000-memory.dmpFilesize
4KB
-
memory/116-23-0x0000000000C40000-0x0000000000F5A000-memory.dmpFilesize
3.1MB
-
memory/116-32-0x0000000005020000-0x0000000005021000-memory.dmpFilesize
4KB
-
memory/116-31-0x0000000004FD0000-0x0000000004FD1000-memory.dmpFilesize
4KB
-
memory/116-119-0x0000000000C40000-0x0000000000F5A000-memory.dmpFilesize
3.1MB
-
memory/116-29-0x0000000005030000-0x0000000005031000-memory.dmpFilesize
4KB
-
memory/116-30-0x0000000004FC0000-0x0000000004FC1000-memory.dmpFilesize
4KB
-
memory/116-26-0x0000000004FF0000-0x0000000004FF1000-memory.dmpFilesize
4KB
-
memory/116-28-0x0000000004FE0000-0x0000000004FE1000-memory.dmpFilesize
4KB
-
memory/116-179-0x0000000000C40000-0x0000000000F5A000-memory.dmpFilesize
3.1MB
-
memory/116-27-0x0000000005000000-0x0000000005001000-memory.dmpFilesize
4KB
-
memory/116-189-0x0000000000C40000-0x0000000000F5A000-memory.dmpFilesize
3.1MB
-
memory/116-25-0x0000000000C40000-0x0000000000F5A000-memory.dmpFilesize
3.1MB
-
memory/116-318-0x0000000000C40000-0x0000000000F5A000-memory.dmpFilesize
3.1MB
-
memory/316-446-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/1400-395-0x0000000000B70000-0x0000000001022000-memory.dmpFilesize
4.7MB
-
memory/1896-304-0x00000000052E0000-0x00000000052E1000-memory.dmpFilesize
4KB
-
memory/1896-291-0x0000000000400000-0x000000000098C000-memory.dmpFilesize
5.5MB
-
memory/1896-309-0x0000000005320000-0x0000000005321000-memory.dmpFilesize
4KB
-
memory/1896-308-0x0000000005340000-0x0000000005341000-memory.dmpFilesize
4KB
-
memory/1896-307-0x0000000005330000-0x0000000005331000-memory.dmpFilesize
4KB
-
memory/1896-306-0x00000000052D0000-0x00000000052D1000-memory.dmpFilesize
4KB
-
memory/1896-305-0x0000000005350000-0x0000000005351000-memory.dmpFilesize
4KB
-
memory/1896-303-0x0000000005310000-0x0000000005311000-memory.dmpFilesize
4KB
-
memory/1896-302-0x0000000000400000-0x000000000098C000-memory.dmpFilesize
5.5MB
-
memory/1896-301-0x0000000000400000-0x000000000098C000-memory.dmpFilesize
5.5MB
-
memory/1896-300-0x0000000000400000-0x000000000098C000-memory.dmpFilesize
5.5MB
-
memory/1896-298-0x0000000000400000-0x000000000098C000-memory.dmpFilesize
5.5MB
-
memory/1896-296-0x0000000000400000-0x000000000098C000-memory.dmpFilesize
5.5MB
-
memory/1896-295-0x0000000000400000-0x000000000098C000-memory.dmpFilesize
5.5MB
-
memory/1896-294-0x0000000000400000-0x000000000098C000-memory.dmpFilesize
5.5MB
-
memory/1896-293-0x0000000000400000-0x000000000098C000-memory.dmpFilesize
5.5MB
-
memory/1896-292-0x0000000000400000-0x000000000098C000-memory.dmpFilesize
5.5MB
-
memory/1896-290-0x0000000000400000-0x000000000098C000-memory.dmpFilesize
5.5MB
-
memory/1896-289-0x0000000000400000-0x000000000098C000-memory.dmpFilesize
5.5MB
-
memory/1896-288-0x0000000000400000-0x000000000098C000-memory.dmpFilesize
5.5MB
-
memory/1896-287-0x0000000000400000-0x000000000098C000-memory.dmpFilesize
5.5MB
-
memory/1896-277-0x0000000000400000-0x000000000098C000-memory.dmpFilesize
5.5MB
-
memory/1896-276-0x0000000000400000-0x000000000098C000-memory.dmpFilesize
5.5MB
-
memory/1896-265-0x0000000000400000-0x000000000098C000-memory.dmpFilesize
5.5MB
-
memory/1896-249-0x0000000000400000-0x000000000098C000-memory.dmpFilesize
5.5MB
-
memory/1896-252-0x0000000000C40000-0x0000000000F5A000-memory.dmpFilesize
3.1MB
-
memory/1896-253-0x0000000000400000-0x000000000098C000-memory.dmpFilesize
5.5MB
-
memory/1896-254-0x0000000000400000-0x000000000098C000-memory.dmpFilesize
5.5MB
-
memory/1896-255-0x0000000000400000-0x000000000098C000-memory.dmpFilesize
5.5MB
-
memory/1896-256-0x0000000000400000-0x000000000098C000-memory.dmpFilesize
5.5MB
-
memory/1896-258-0x0000000000400000-0x000000000098C000-memory.dmpFilesize
5.5MB
-
memory/1896-259-0x0000000000400000-0x000000000098C000-memory.dmpFilesize
5.5MB
-
memory/1896-257-0x0000000000400000-0x000000000098C000-memory.dmpFilesize
5.5MB
-
memory/1896-260-0x0000000000400000-0x000000000098C000-memory.dmpFilesize
5.5MB
-
memory/1896-261-0x0000000000400000-0x000000000098C000-memory.dmpFilesize
5.5MB
-
memory/1896-262-0x0000000000400000-0x000000000098C000-memory.dmpFilesize
5.5MB
-
memory/1896-263-0x0000000000400000-0x000000000098C000-memory.dmpFilesize
5.5MB
-
memory/1896-264-0x0000000000400000-0x000000000098C000-memory.dmpFilesize
5.5MB
-
memory/1896-275-0x0000000000400000-0x000000000098C000-memory.dmpFilesize
5.5MB
-
memory/1908-62-0x00000232EFB10000-0x00000232EFB20000-memory.dmpFilesize
64KB
-
memory/1908-70-0x00007FF93B900000-0x00007FF93C3C1000-memory.dmpFilesize
10.8MB
-
memory/1908-65-0x00000232EFB00000-0x00000232EFB0A000-memory.dmpFilesize
40KB
-
memory/1908-64-0x00000232EFD00000-0x00000232EFD12000-memory.dmpFilesize
72KB
-
memory/1908-50-0x00000232EFAC0000-0x00000232EFAE2000-memory.dmpFilesize
136KB
-
memory/1908-63-0x00000232EFB10000-0x00000232EFB20000-memory.dmpFilesize
64KB
-
memory/1908-61-0x00000232EFB10000-0x00000232EFB20000-memory.dmpFilesize
64KB
-
memory/1908-60-0x00007FF93B900000-0x00007FF93C3C1000-memory.dmpFilesize
10.8MB
-
memory/3144-3-0x00000000048C0000-0x00000000048C1000-memory.dmpFilesize
4KB
-
memory/3144-10-0x0000000004920000-0x0000000004921000-memory.dmpFilesize
4KB
-
memory/3144-2-0x0000000000510000-0x000000000082A000-memory.dmpFilesize
3.1MB
-
memory/3144-0-0x0000000000510000-0x000000000082A000-memory.dmpFilesize
3.1MB
-
memory/3144-1-0x0000000077A24000-0x0000000077A26000-memory.dmpFilesize
8KB
-
memory/3144-8-0x00000000048A0000-0x00000000048A1000-memory.dmpFilesize
4KB
-
memory/3144-9-0x00000000048F0000-0x00000000048F1000-memory.dmpFilesize
4KB
-
memory/3144-11-0x0000000004910000-0x0000000004911000-memory.dmpFilesize
4KB
-
memory/3144-5-0x0000000004900000-0x0000000004901000-memory.dmpFilesize
4KB
-
memory/3144-4-0x00000000048D0000-0x00000000048D1000-memory.dmpFilesize
4KB
-
memory/3144-24-0x0000000000510000-0x000000000082A000-memory.dmpFilesize
3.1MB
-
memory/3144-7-0x00000000048B0000-0x00000000048B1000-memory.dmpFilesize
4KB
-
memory/3144-6-0x0000000004890000-0x0000000004891000-memory.dmpFilesize
4KB
-
memory/3396-462-0x00000000001D0000-0x0000000000682000-memory.dmpFilesize
4.7MB
-
memory/3396-465-0x00000000001D0000-0x0000000000682000-memory.dmpFilesize
4.7MB
-
memory/3396-502-0x00000000001D0000-0x0000000000682000-memory.dmpFilesize
4.7MB
-
memory/5260-216-0x00000000051D0000-0x00000000051D1000-memory.dmpFilesize
4KB
-
memory/5260-215-0x0000000005230000-0x0000000005231000-memory.dmpFilesize
4KB
-
memory/5260-214-0x00000000051F0000-0x00000000051F1000-memory.dmpFilesize
4KB
-
memory/5260-213-0x0000000005210000-0x0000000005211000-memory.dmpFilesize
4KB
-
memory/5260-218-0x0000000005220000-0x0000000005221000-memory.dmpFilesize
4KB
-
memory/5260-212-0x0000000005200000-0x0000000005201000-memory.dmpFilesize
4KB
-
memory/5260-199-0x0000000000C40000-0x0000000000F5A000-memory.dmpFilesize
3.1MB
-
memory/5260-211-0x0000000000C40000-0x0000000000F5A000-memory.dmpFilesize
3.1MB
-
memory/5260-231-0x0000000000C40000-0x0000000000F5A000-memory.dmpFilesize
3.1MB
-
memory/5260-217-0x00000000051E0000-0x00000000051E1000-memory.dmpFilesize
4KB
-
memory/5752-418-0x0000000000C40000-0x0000000000F5A000-memory.dmpFilesize
3.1MB
-
memory/5800-225-0x0000000004EC0000-0x0000000004EC1000-memory.dmpFilesize
4KB
-
memory/5800-355-0x0000000000ED0000-0x0000000001467000-memory.dmpFilesize
5.6MB
-
memory/5800-330-0x0000000000ED0000-0x0000000001467000-memory.dmpFilesize
5.6MB
-
memory/5800-317-0x0000000000ED0000-0x0000000001467000-memory.dmpFilesize
5.6MB
-
memory/5800-209-0x0000000000ED0000-0x0000000001467000-memory.dmpFilesize
5.6MB
-
memory/5800-402-0x0000000000ED0000-0x0000000001467000-memory.dmpFilesize
5.6MB
-
memory/5800-219-0x0000000004E80000-0x0000000004E81000-memory.dmpFilesize
4KB
-
memory/5800-221-0x0000000004EB0000-0x0000000004EB1000-memory.dmpFilesize
4KB
-
memory/5800-220-0x0000000004E50000-0x0000000004E51000-memory.dmpFilesize
4KB
-
memory/5800-299-0x0000000000ED0000-0x0000000001467000-memory.dmpFilesize
5.6MB
-
memory/5800-222-0x0000000004E40000-0x0000000004E41000-memory.dmpFilesize
4KB
-
memory/5800-223-0x0000000004E30000-0x0000000004E31000-memory.dmpFilesize
4KB
-
memory/5800-224-0x0000000004EA0000-0x0000000004EA1000-memory.dmpFilesize
4KB
-
memory/5800-461-0x0000000000ED0000-0x0000000001467000-memory.dmpFilesize
5.6MB
-
memory/5800-248-0x0000000000ED0000-0x0000000001467000-memory.dmpFilesize
5.6MB
-
memory/5800-226-0x0000000004E90000-0x0000000004E91000-memory.dmpFilesize
4KB
-
memory/5800-464-0x0000000000ED0000-0x0000000001467000-memory.dmpFilesize
5.6MB
-
memory/5800-227-0x0000000004ED0000-0x0000000004ED1000-memory.dmpFilesize
4KB
-
memory/5800-228-0x0000000004E70000-0x0000000004E71000-memory.dmpFilesize
4KB
-
memory/5800-229-0x0000000004E20000-0x0000000004E21000-memory.dmpFilesize
4KB
-
memory/5800-230-0x0000000004EF0000-0x0000000004EF2000-memory.dmpFilesize
8KB
-
memory/5800-501-0x0000000000ED0000-0x0000000001467000-memory.dmpFilesize
5.6MB
-
memory/5800-243-0x0000000000ED0000-0x0000000001467000-memory.dmpFilesize
5.6MB