Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
21-04-2024 01:45
General
-
Target
4cc1a1cf97185157996a4e1d6050d1bba64ec132564e6da340d2fcd0180991a2.exe
-
Size
3.1MB
-
MD5
c8cc398061d6ee8b25e8d1ed5471e8d0
-
SHA1
4e640d5aaca96b60abe8b75cb96d29484034f055
-
SHA256
4cc1a1cf97185157996a4e1d6050d1bba64ec132564e6da340d2fcd0180991a2
-
SHA512
dfd4ab0df4991865c8f86201afb6691cf8c87e7d76eed0aebee9662c07fd3e708adf486d198f1a42b54f4e680be6ee51ae698d42969954ea8bd14413de960390
-
SSDEEP
49152:gBQK8tP/h2EqKmQtljMGGUu7pBd9NpGYQX17/YWO:bj32EqKmQHlGbVBR4RX17/Yj
Malware Config
Extracted
amadey
4.18
http://193.233.132.56
-
install_dir
09fd851a4f
-
install_file
explorha.exe
-
strings_key
443351145ece4966ded809641c77cfa8
-
url_paths
/Pneh2sXQk0/index.php
Extracted
risepro
147.45.47.93:58709
Extracted
amadey
4.17
http://193.233.132.167
-
install_dir
4d0ab15804
-
install_file
chrosha.exe
-
strings_key
1a9519d7b465e1f4880fa09a6162d768
-
url_paths
/enigma/index.php
Extracted
redline
LiveTraffic
4.184.225.183:30592
Extracted
lumma
https://affordcharmcropwo.shop/api
https://cleartotalfisherwo.shop/api
https://worryfillvolcawoi.shop/api
https://enthusiasimtitleow.shop/api
https://dismissalcylinderhostw.shop/api
https://diskretainvigorousiw.shop/api
https://communicationgenerwo.shop/api
https://pillowbrocccolipe.shop/api
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect ZGRat V1 1 IoCs
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 4 IoCs
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
-
Blocklisted process makes network request 4 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 15 IoCs
-
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 6 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 1 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 63 IoCs
-
Suspicious use of SendNotifyMessage 60 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4cc1a1cf97185157996a4e1d6050d1bba64ec132564e6da340d2fcd0180991a2.exe"C:\Users\Admin\AppData\Local\Temp\4cc1a1cf97185157996a4e1d6050d1bba64ec132564e6da340d2fcd0180991a2.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000055001\06a1dbcfb6.exe"C:\Users\Admin\AppData\Local\Temp\1000055001\06a1dbcfb6.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account4⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff850e8ab58,0x7ff850e8ab68,0x7ff850e8ab785⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1848,i,11681192390091477010,511830270734406279,131072 /prefetch:25⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=1848,i,11681192390091477010,511830270734406279,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2248 --field-trial-handle=1848,i,11681192390091477010,511830270734406279,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1848,i,11681192390091477010,511830270734406279,131072 /prefetch:15⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=1848,i,11681192390091477010,511830270734406279,131072 /prefetch:15⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4408 --field-trial-handle=1848,i,11681192390091477010,511830270734406279,131072 /prefetch:15⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4520 --field-trial-handle=1848,i,11681192390091477010,511830270734406279,131072 /prefetch:15⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3320 --field-trial-handle=1848,i,11681192390091477010,511830270734406279,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3292 --field-trial-handle=1848,i,11681192390091477010,511830270734406279,131072 /prefetch:85⤵
- Modifies registry class
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 --field-trial-handle=1848,i,11681192390091477010,511830270734406279,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4804 --field-trial-handle=1848,i,11681192390091477010,511830270734406279,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4812 --field-trial-handle=1848,i,11681192390091477010,511830270734406279,131072 /prefetch:85⤵
-
C:\Users\Admin\AppData\Local\Temp\1000056001\cf7c63dae3.exe"C:\Users\Admin\AppData\Local\Temp\1000056001\cf7c63dae3.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main3⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\netsh.exenetsh wlan show profiles5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\556644402199_Desktop.zip' -CompressionLevel Optimal5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\1000059001\amert.exe"C:\Users\Admin\AppData\Local\Temp\1000059001\amert.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exeC:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5304 -s 8883⤵
- Program crash
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main2⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\556644402199_Desktop.zip' -CompressionLevel Optimal4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"4⤵
- Executes dropped EXE
- Modifies system certificate store
-
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main2⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\1000211001\ISetup8.exe"C:\Users\Admin\AppData\Local\Temp\1000211001\ISetup8.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5304 -ip 53041⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Unsecured Credentials
4Credentials In Files
3Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\7d3c4e91-a106-4bc7-825f-0820081542e6.tmpFilesize
252KB
MD534d1ec4326d3e5c6372e088368f9d58c
SHA17e25f7e3d2caf870867078e7806242a89595c7b6
SHA2562ac14da3bb7cd831c802ef083e3745c43b7f0e617788b6298659a00411449912
SHA512674f25f33d82c56f8658fdef1cb0e79129c782c519997f5830fe24b46a82eb3bfa9b2ad4a1ba8ffe1d85ade7221bc3a3d13dfe168a852ff80916fcfb6f3b0c87
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
360B
MD5f292162939c4375fb7a38843a3f1872d
SHA16d549beede102f4da3b9c4f5f1981904455c2596
SHA25681e576ecd0dfa201ef8135d483a12c09ccec150b92704ff32e323b46d44c3979
SHA5128acda43d06e6793cb409ef7e7d9e3101584456b60b1962bb03a976640bce90af5d8b486bb0a8c071632bdd7ed9a131f64886414b0434e5ec989f5eac159105f2
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesFilesize
20KB
MD5e2beb088c32e3913d81d91008e794e5a
SHA1f7ec65fd4aa0cac564dc666bae02a56567beda8f
SHA2564d1af1e31a94bc6016f03e12fcb77548cf9fcdb86b1a466106c33ea4055a07b6
SHA51251f18be262a47f120a32b99e004bd9151c95eb73e2ac33d6357cf753ca1f925861cf6f641c26732d75db150fceb32eefa8b5824910b2dc6ad6b994660ae2cffc
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
2KB
MD5802adff97f8671c885a144e4fc5b814a
SHA17b4a8e1139c0c4c12eadcceb07a3bc7eb4ff34d9
SHA256b3bdb54e68b4fc5a71fb4597bf94b00091799aacded9270edfdf9a13c5f2c804
SHA512b4af89b1743c316a7312ebd60b5c05bf63defb7a5417e47e65a838393b01fc0df70ad593708c41c8ea9962f9a010ab0ca14d770b503b15b01aa48faea4675e0d
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
1KB
MD55ec8327021ac6fb94c2b80c07fdebfec
SHA199c4c66f41f0e2428e4cfc213ac13bb63de50d00
SHA256d355b35b1e0d2cc8391f9f5a94bac83b78e87a3aa562b3f0e63d724cfd6c5f27
SHA512cd880a85a4ee0a9d91f2c1b890f903638733403f6e72dff34d1f351b7ae681f6d7c8f0721c05372d8c6a1bb83b49d806ac1cbc41c7400eb2d00d75ce6ab184ac
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending ReportsFilesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
524B
MD57d388115e4c40ac4c23a415a60016ffa
SHA17bb64dd9df7dc7a4191280a4f50f0d3949d0dc6e
SHA25693ac314db3fc2ac48dac5423b8d4e2cc754fd5f0d83770d02902722ded43126d
SHA5128c73fb98389f2fea19eeeee2b78b3ff9a9861a64f99865f7bd1ea0264b04740f8588cca22c9f217d92e19f6c4ef2226cf6dbaa734a5d37dc2fadb4f5910efa24
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
524B
MD5fa18bebac980ee9caef93c4ffd059c92
SHA1e481ea1e244d2ae94708c36cc2c2370785689c40
SHA25607bd47deabe066f936ca21c5bc96fc9b84c22ae8177fdca476d72ec72e1ad458
SHA512c945e103b32e5dac77f28593784156d8805181b79f8dfa69c712c1250b60c07b1b7248768a6478ac02b928bbfbec21cda64b691e618917d6b357c6ad3cf24655
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
7KB
MD5aa7c779dc18bb6708c282bde1da3c9a2
SHA12314298537fd3fed49e8551f0ff757509e8ceb1b
SHA25686e60fa6aa25ca7d9cbbb8aeebc2b929fdcbd29feab2bbcb94ba7cda3c380c50
SHA5125473aa45091776129efaad247fa572b1135ed9b328f53773fa9112f3b981b405c0888a75fd5be7647a54f2dd170bc81c518cc275ebd77910fc8afc8b26b6f54d
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
16KB
MD59cca4566def48b0e30c8444aa8461fe4
SHA13ecbcb184cb1fcb4273c68c11a825214697a5790
SHA25614f685a90c1ecac26dd630b8132a589e186d8a22d0a9a2891df6d815bb6991ed
SHA5129c3d66ca3826407f32ef7c23edab5d5315be04a15aca304f0c436e6523f4c2bb0d10a9a380ac28688963ca05858993690b9bbc49a5b5d957ee0d31d48a2e9fe5
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5fe3aab3ae544a134b68e881b82b70169
SHA1926e9b4e527ae1bd9b3b25726e1f59d5a34d36a6
SHA256bda499e3f69d8fe0227e734bbb935dc5bf0050d37adf03bc41356dfcb5bcca0b
SHA5123fbd3499d98280b6c79c67b0ee183b27692dbc31acf103b4f8ca4dcdf392afff2b3aad500037f4288581ed37e85f45c3bbb5dcde11cddf3ef0609f44b2ecb280
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD508e36e53c6bb25d4ff406d70a6b96ec4
SHA1982c5e3abdab90833b77d47c56d5bb6734a0a55c
SHA256d70c6d680230df6f3f39aa373adfb1d0c212b594ce583d360978c697e1199aef
SHA51263516135c17e4466f3f344a4639f76404d09ec510569c4b5897423414161da52b9e1430a78e23c8258091e72f1da652495987fa61ecc229feabbd4bab6e17367
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeFilesize
3.1MB
MD5c8cc398061d6ee8b25e8d1ed5471e8d0
SHA14e640d5aaca96b60abe8b75cb96d29484034f055
SHA2564cc1a1cf97185157996a4e1d6050d1bba64ec132564e6da340d2fcd0180991a2
SHA512dfd4ab0df4991865c8f86201afb6691cf8c87e7d76eed0aebee9662c07fd3e708adf486d198f1a42b54f4e680be6ee51ae698d42969954ea8bd14413de960390
-
C:\Users\Admin\AppData\Local\Temp\1000055001\06a1dbcfb6.exeFilesize
1.1MB
MD5f8b39b2e10eb4670f389603591f5859a
SHA1ac52d79544ac8d6c9158528db682f3e570d527be
SHA25668bc601be4838fe515fa452e96fa91469af6aae69b25ea884cc3674e2730cb83
SHA5126a6c8b6eb6de76484debe3e8c82280812e0b9f7851ef9b7fd71d8aa3b38d4d11c5e8dfef87d822845ff736e6ba4edad222ac9709d8a51451aa43866eba876239
-
C:\Users\Admin\AppData\Local\Temp\1000056001\cf7c63dae3.exeFilesize
2.3MB
MD538c21a65b353891fcf48a6ba7aac8d02
SHA1ef0192eb1f1933bbe9fff2de5b9017a0c7d70149
SHA256c578e5acc36663dbb86608cadac57e70de21a6cc217a9e461eee5cb9038c21e2
SHA5122b96b0ec95387851eae66759991fae9fba4bcf84fffc5a81e9808122e65e45a09ac21ac5cca3d43a9ca01b5cea014809f0244f68272e71909ec70cad7b55683f
-
C:\Users\Admin\AppData\Local\Temp\1000059001\amert.exeFilesize
1.8MB
MD53cde9e4f13fc330d9b4e5db0ba2fb64c
SHA1d634ad4a12749509545a198039a32310e794b08a
SHA2566bbc0f14c2cb10dbfac7bff110a76cb7944486e41213c3e075dc9ce07d70e27a
SHA512bec255e2eb403ed4f081aa22fa80d8127b3db988f172cc5468066d7665395b702548750104749cc489d17ead11f7feee4474a03dc20d374d032f48a4ee1f5327
-
C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exeFilesize
321KB
MD51c7d0f34bb1d85b5d2c01367cc8f62ef
SHA133aedadb5361f1646cffd68791d72ba5f1424114
SHA256e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c
SHA51253bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d
-
C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exeFilesize
1.7MB
MD585a15f080b09acace350ab30460c8996
SHA13fc515e60e4cfa5b3321f04a96c7fb463e4b9d02
SHA2563a2006bc835a8ffe91b9ee9206f630b3172f42e090f4e8d90be620e540f5ef6b
SHA512ade5e3531dfa1a01e6c2a69deb2962cbf619e766da3d6e8e3453f70ff55ccbcbe21381c7b97a53d67e1ca88975f4409b1a42a759e18f806171d29e4c3f250e9f
-
C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exeFilesize
488KB
MD582053649cadec1a338509e46ba776fbd
SHA16d8e479a6dc76d54109bb2e602b8087d55537510
SHA25630468f8b767772214c60a701ecfee11c634516c3e2de146cd07638ea00dd0b6e
SHA512e4b2b219483477a73fec5a207012f77c7167bf7b7f9adcb80ee92f87ddfe592a0d520f2afee531d1cce926ef56da2b065b13630a1cc171f48db8f7987e10897a
-
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exeFilesize
418KB
MD50099a99f5ffb3c3ae78af0084136fab3
SHA10205a065728a9ec1133e8a372b1e3864df776e8c
SHA256919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA5125ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6
-
C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exeFilesize
304KB
MD58510bcf5bc264c70180abe78298e4d5b
SHA12c3a2a85d129b0d750ed146d1d4e4d6274623e28
SHA256096220045877e456edfea1adcd5bf1efd332665ef073c6d1e9474c84ca5433f6
SHA5125ff0a47f9e14e22fc76d41910b2986605376605913173d8ad83d29d85eb79b679459e2723a6ad17bc3c3b8c9b359e2be7348ee1c21fa2e8ceb7cc9220515258d
-
C:\Users\Admin\AppData\Local\Temp\1000211001\ISetup8.exeFilesize
445KB
MD5a4ff45669edba40e7cf0e41e0c154c4f
SHA14b87fca932cea0d1c2d62234e10edef8e658b2ae
SHA2562a08e27c78c12acefbd49668d9384b5e54a5f907bedac5c3f5d2094e8bf3f9d1
SHA512ca509c14c201102564804e5e67f51c631ef2c0647bd555bdbd0fd290b1ac6d0a74f42d326abe8051d230c80181f0dc90b2d70d75a7c94aab52532a2b506eb52d
-
C:\Users\Admin\AppData\Local\Temp\Tmp3167.tmpFilesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jmjkrz1a.lp3.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\tmp5BD5.tmpFilesize
46KB
MD58f5942354d3809f865f9767eddf51314
SHA120be11c0d42fc0cef53931ea9152b55082d1a11e
SHA256776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea
SHA512fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218
-
C:\Users\Admin\AppData\Local\Temp\tmp5C45.tmpFilesize
100KB
MD56d242e9151b8b7460c58d840c0c90ac6
SHA11f75ebb9f99c53bcb9c5060d92e8a82930299216
SHA2561fbfa53be1ed175adae59b6d0342c634fc132205ae2d7c449836db65dabebbcd
SHA512071c41f9d928936a635389b0557ef4e94dc639b53586268f78388ec4b8f3cf72f4a569989819d44639ab54129938e4ffd906c42a55235860f583907cda714e10
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-355664440-2199602304-1223909400-1000\76b53b3ec448f7ccdda2063b15d2bfc3_3c734e9a-b312-446c-8ead-b81d533e01b5Filesize
2KB
MD5e7e0cb62a182052a04800a2369e105aa
SHA16c7e4b5a8146e3b23ca27fb228f731adb39dea68
SHA256f422ebfc1fc8771e9efade5cd7b7450b28cad793401b0b4c72a1dee068818674
SHA51211edea676f71ecccfa708f64768af413e3a204fc3b954ae793f87a61d2878ad73bc11f6d6a0cddf678b5b608f96f00a648c6ab2ecfbbcafc311e9a2f54de92a7
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dllFilesize
109KB
MD5726cd06231883a159ec1ce28dd538699
SHA1404897e6a133d255ad5a9c26ac6414d7134285a2
SHA25612fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA5129ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dllFilesize
1.2MB
MD515a42d3e4579da615a384c717ab2109b
SHA122aeedeb2307b1370cdab70d6a6b6d2c13ad2301
SHA2563c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103
SHA5121eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444
-
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dllFilesize
109KB
MD5154c3f1334dd435f562672f2664fea6b
SHA151dd25e2ba98b8546de163b8f26e2972a90c2c79
SHA2565f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f
SHA5121bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841
-
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dllFilesize
1.2MB
MD5f35b671fda2603ec30ace10946f11a90
SHA1059ad6b06559d4db581b1879e709f32f80850872
SHA25683e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7
SHA512b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705
-
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exeFilesize
541KB
MD51fc4b9014855e9238a361046cfbf6d66
SHA1c17f18c8246026c9979ab595392a14fe65cc5e9f
SHA256f38c27ecbeed9721f0885d3b2f2f767d60a5d1c0a5c98433357f570987da3e50
SHA5122af234cac24ec4a508693d9affa7f759d4b29bb3c9ddffd9e6350959fd4da26501553399d2b02a8eeae8dace6bfe9b2ce50462ce3c6547497f5b0ea6ed226b12
-
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exeFilesize
304KB
MD5cc90e3326d7b20a33f8037b9aab238e4
SHA1236d173a6ac462d85de4e866439634db3b9eeba3
SHA256bd73ee49a23901f9fb235f8a5b29adc72cc637ad4b62a9760c306900cb1678b7
SHA512b5d197a05a267bf66509b6d976924cd6f5963532a9f9f22d1763701d4fba3dfa971e0058388249409884bc29216fb33a51846562a5650f81d99ce14554861521
-
C:\Users\Public\Desktop\Google Chrome.lnkFilesize
2KB
MD5b6b5cafcd706c664afdcff9675b3ef3f
SHA1e7bdfb01be7edd492eafe4c868127670c0bb6d7a
SHA2567088b9ec29db6f9b7b941a9a29351ab454a8bb66a2b5948c7c8a235ae055c25e
SHA5120c4c5f0f988753aaef613d615d38ce64418f3f5af16d6676c90a69e3ee056a87a8ca6e740da461ec4bf13cf52727a42adc8e223ea73ef46628a629305fbffc51
-
C:\Users\Public\Desktop\Microsoft Edge.lnkFilesize
2KB
MD5ad80a4951a5d7e58d69a2894fa5c6c07
SHA1b5e7923cbde7dd0db6cc59baaac0b59c57a432ba
SHA25622ca32a5149308ba55bf1d441656e502c7830b40505256044e88cdb2c9721d72
SHA5122226171f44ca8ddbf3ac12d1f68453092d929b2974df6003be2d8672ab8200ac41773f094495a2549f10915907417d19ae969464350ce18bf6db893d9a01d0e5
-
\??\pipe\crashpad_3800_JNNXFBNAELDDRGZKMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1088-409-0x0000000000400000-0x0000000000592000-memory.dmpFilesize
1.6MB
-
memory/3296-9-0x0000000005220000-0x0000000005221000-memory.dmpFilesize
4KB
-
memory/3296-5-0x0000000005230000-0x0000000005231000-memory.dmpFilesize
4KB
-
memory/3296-6-0x00000000051C0000-0x00000000051C1000-memory.dmpFilesize
4KB
-
memory/3296-7-0x00000000051E0000-0x00000000051E1000-memory.dmpFilesize
4KB
-
memory/3296-4-0x0000000005200000-0x0000000005201000-memory.dmpFilesize
4KB
-
memory/3296-3-0x00000000051F0000-0x00000000051F1000-memory.dmpFilesize
4KB
-
memory/3296-8-0x00000000051D0000-0x00000000051D1000-memory.dmpFilesize
4KB
-
memory/3296-10-0x0000000005250000-0x0000000005251000-memory.dmpFilesize
4KB
-
memory/3296-0-0x0000000000760000-0x0000000000A7C000-memory.dmpFilesize
3.1MB
-
memory/3296-11-0x0000000005240000-0x0000000005241000-memory.dmpFilesize
4KB
-
memory/3296-2-0x0000000000760000-0x0000000000A7C000-memory.dmpFilesize
3.1MB
-
memory/3296-22-0x0000000000760000-0x0000000000A7C000-memory.dmpFilesize
3.1MB
-
memory/3296-1-0x0000000077724000-0x0000000077726000-memory.dmpFilesize
8KB
-
memory/3336-28-0x0000000004A00000-0x0000000004A01000-memory.dmpFilesize
4KB
-
memory/3336-33-0x0000000004A70000-0x0000000004A71000-memory.dmpFilesize
4KB
-
memory/3336-317-0x00000000004F0000-0x000000000080C000-memory.dmpFilesize
3.1MB
-
memory/3336-24-0x00000000004F0000-0x000000000080C000-memory.dmpFilesize
3.1MB
-
memory/3336-249-0x00000000004F0000-0x000000000080C000-memory.dmpFilesize
3.1MB
-
memory/3336-27-0x0000000004A20000-0x0000000004A21000-memory.dmpFilesize
4KB
-
memory/3336-369-0x00000000004F0000-0x000000000080C000-memory.dmpFilesize
3.1MB
-
memory/3336-133-0x00000000004F0000-0x000000000080C000-memory.dmpFilesize
3.1MB
-
memory/3336-201-0x00000000004F0000-0x000000000080C000-memory.dmpFilesize
3.1MB
-
memory/3336-103-0x00000000004F0000-0x000000000080C000-memory.dmpFilesize
3.1MB
-
memory/3336-245-0x00000000004F0000-0x000000000080C000-memory.dmpFilesize
3.1MB
-
memory/3336-37-0x00000000004F0000-0x000000000080C000-memory.dmpFilesize
3.1MB
-
memory/3336-621-0x00000000004F0000-0x000000000080C000-memory.dmpFilesize
3.1MB
-
memory/3336-36-0x00000000004F0000-0x000000000080C000-memory.dmpFilesize
3.1MB
-
memory/3336-35-0x00000000004F0000-0x000000000080C000-memory.dmpFilesize
3.1MB
-
memory/3336-281-0x00000000004F0000-0x000000000080C000-memory.dmpFilesize
3.1MB
-
memory/3336-34-0x0000000004A60000-0x0000000004A61000-memory.dmpFilesize
4KB
-
memory/3336-25-0x00000000004F0000-0x000000000080C000-memory.dmpFilesize
3.1MB
-
memory/3336-491-0x00000000004F0000-0x000000000080C000-memory.dmpFilesize
3.1MB
-
memory/3336-26-0x0000000004A10000-0x0000000004A11000-memory.dmpFilesize
4KB
-
memory/3336-252-0x00000000004F0000-0x000000000080C000-memory.dmpFilesize
3.1MB
-
memory/3336-29-0x0000000004A50000-0x0000000004A51000-memory.dmpFilesize
4KB
-
memory/3336-30-0x00000000049E0000-0x00000000049E1000-memory.dmpFilesize
4KB
-
memory/3336-234-0x00000000004F0000-0x000000000080C000-memory.dmpFilesize
3.1MB
-
memory/3336-31-0x00000000049F0000-0x00000000049F1000-memory.dmpFilesize
4KB
-
memory/3336-32-0x0000000004A40000-0x0000000004A41000-memory.dmpFilesize
4KB
-
memory/3556-334-0x00000000004F0000-0x000000000080C000-memory.dmpFilesize
3.1MB
-
memory/3848-492-0x0000000000420000-0x00000000008D3000-memory.dmpFilesize
4.7MB
-
memory/3848-370-0x0000000000420000-0x00000000008D3000-memory.dmpFilesize
4.7MB
-
memory/3848-622-0x0000000000420000-0x00000000008D3000-memory.dmpFilesize
4.7MB
-
memory/4432-364-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/4432-361-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/5140-171-0x00000000052C0000-0x00000000052C1000-memory.dmpFilesize
4KB
-
memory/5140-251-0x00000000009A0000-0x0000000000F4F000-memory.dmpFilesize
5.7MB
-
memory/5140-271-0x00000000009A0000-0x0000000000F4F000-memory.dmpFilesize
5.7MB
-
memory/5140-248-0x00000000009A0000-0x0000000000F4F000-memory.dmpFilesize
5.7MB
-
memory/5140-244-0x00000000009A0000-0x0000000000F4F000-memory.dmpFilesize
5.7MB
-
memory/5140-282-0x00000000009A0000-0x0000000000F4F000-memory.dmpFilesize
5.7MB
-
memory/5140-223-0x00000000009A0000-0x0000000000F4F000-memory.dmpFilesize
5.7MB
-
memory/5140-540-0x00000000009A0000-0x0000000000F4F000-memory.dmpFilesize
5.7MB
-
memory/5140-205-0x00000000009A0000-0x0000000000F4F000-memory.dmpFilesize
5.7MB
-
memory/5140-667-0x00000000009A0000-0x0000000000F4F000-memory.dmpFilesize
5.7MB
-
memory/5140-172-0x0000000005390000-0x0000000005392000-memory.dmpFilesize
8KB
-
memory/5140-170-0x0000000005310000-0x0000000005311000-memory.dmpFilesize
4KB
-
memory/5140-169-0x0000000005370000-0x0000000005371000-memory.dmpFilesize
4KB
-
memory/5140-168-0x00000000052F0000-0x00000000052F1000-memory.dmpFilesize
4KB
-
memory/5140-167-0x0000000005380000-0x0000000005381000-memory.dmpFilesize
4KB
-
memory/5140-166-0x0000000005330000-0x0000000005331000-memory.dmpFilesize
4KB
-
memory/5140-164-0x0000000005340000-0x0000000005341000-memory.dmpFilesize
4KB
-
memory/5140-371-0x00000000009A0000-0x0000000000F4F000-memory.dmpFilesize
5.7MB
-
memory/5140-165-0x0000000005350000-0x0000000005351000-memory.dmpFilesize
4KB
-
memory/5140-162-0x0000000005360000-0x0000000005361000-memory.dmpFilesize
4KB
-
memory/5140-163-0x00000000052D0000-0x00000000052D1000-memory.dmpFilesize
4KB
-
memory/5140-355-0x00000000009A0000-0x0000000000F4F000-memory.dmpFilesize
5.7MB
-
memory/5140-160-0x0000000005320000-0x0000000005321000-memory.dmpFilesize
4KB
-
memory/5140-161-0x00000000052E0000-0x00000000052E1000-memory.dmpFilesize
4KB
-
memory/5140-159-0x00000000009A0000-0x0000000000F4F000-memory.dmpFilesize
5.7MB
-
memory/5248-308-0x00000000051F0000-0x00000000051F1000-memory.dmpFilesize
4KB
-
memory/5248-299-0x00000000006D0000-0x0000000000B83000-memory.dmpFilesize
4.7MB
-
memory/5248-303-0x00000000051D0000-0x00000000051D1000-memory.dmpFilesize
4KB
-
memory/5248-304-0x0000000005160000-0x0000000005161000-memory.dmpFilesize
4KB
-
memory/5248-305-0x0000000005170000-0x0000000005171000-memory.dmpFilesize
4KB
-
memory/5248-306-0x00000000051C0000-0x00000000051C1000-memory.dmpFilesize
4KB
-
memory/5248-302-0x0000000005180000-0x0000000005181000-memory.dmpFilesize
4KB
-
memory/5248-300-0x0000000005190000-0x0000000005191000-memory.dmpFilesize
4KB
-
memory/5248-301-0x00000000051A0000-0x00000000051A1000-memory.dmpFilesize
4KB
-
memory/5248-313-0x00000000006D0000-0x0000000000B83000-memory.dmpFilesize
4.7MB
-
memory/5248-298-0x00000000006D0000-0x0000000000B83000-memory.dmpFilesize
4.7MB
-
memory/5336-195-0x000002B428390000-0x000002B4283B2000-memory.dmpFilesize
136KB
-
memory/5336-200-0x00007FF84CC80000-0x00007FF84D741000-memory.dmpFilesize
10.8MB
-
memory/5336-203-0x000002B410350000-0x000002B410360000-memory.dmpFilesize
64KB
-
memory/5336-202-0x000002B410350000-0x000002B410360000-memory.dmpFilesize
64KB
-
memory/5336-207-0x000002B428500000-0x000002B428512000-memory.dmpFilesize
72KB
-
memory/5336-208-0x000002B410340000-0x000002B41034A000-memory.dmpFilesize
40KB
-
memory/5336-214-0x00007FF84CC80000-0x00007FF84D741000-memory.dmpFilesize
10.8MB
-
memory/5732-216-0x0000000004BB0000-0x0000000004BB1000-memory.dmpFilesize
4KB
-
memory/5732-215-0x00000000004F0000-0x000000000080C000-memory.dmpFilesize
3.1MB
-
memory/5732-217-0x0000000004BC0000-0x0000000004BC1000-memory.dmpFilesize
4KB
-
memory/5732-220-0x0000000004B80000-0x0000000004B81000-memory.dmpFilesize
4KB
-
memory/5732-221-0x0000000004B90000-0x0000000004B91000-memory.dmpFilesize
4KB
-
memory/5732-206-0x00000000004F0000-0x000000000080C000-memory.dmpFilesize
3.1MB
-
memory/5732-218-0x0000000004BA0000-0x0000000004BA1000-memory.dmpFilesize
4KB
-
memory/5732-219-0x0000000004BE0000-0x0000000004BE1000-memory.dmpFilesize
4KB
-
memory/5732-222-0x00000000004F0000-0x000000000080C000-memory.dmpFilesize
3.1MB
-
memory/5892-510-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB