Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
21-04-2024 05:12
General
-
Target
b79b3ab665881eadd15b67b9b105db7d99eb091905350a53c6bbc7b91a42cd48.exe
-
Size
3.3MB
-
MD5
09bd16d82a747ef0621aa367c0e14a9c
-
SHA1
da57e4b192b7cb50b6e71b48d5f233d2a6b5a4f1
-
SHA256
b79b3ab665881eadd15b67b9b105db7d99eb091905350a53c6bbc7b91a42cd48
-
SHA512
7365b17d9ec7264941b88d61e69ea1214ef44b9b8bff9ebc8227794b696142050f267635cdb4e588ba121259b2f2a07519df8053f143db58ebc1a048d08b49a1
-
SSDEEP
49152:9UIbNigeVE2MD7ZDAgUftcgFEptOkf8Ug:jI3bg5W
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 19 IoCs
-
Modifies firewall policy service 2 TTPs 1 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 7 IoCs
-
Executes dropped EXE 21 IoCs
-
Loads dropped DLL 9 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 7 IoCs
Detects Themida, an advanced Windows software protection system.
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 14 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 7 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 62 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\b79b3ab665881eadd15b67b9b105db7d99eb091905350a53c6bbc7b91a42cd48.exe"C:\Users\Admin\AppData\Local\Temp\b79b3ab665881eadd15b67b9b105db7d99eb091905350a53c6bbc7b91a42cd48.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"2⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Pictures\1yazXENWWfS0IkCxcftnv7Pb.exe"C:\Users\Admin\Pictures\1yazXENWWfS0IkCxcftnv7Pb.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\u1u4.0.exe"C:\Users\Admin\AppData\Local\Temp\u1u4.0.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 11165⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe"C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\ZXB_tls\UniversalInstaller.exeC:\Users\Admin\AppData\Local\Temp\ZXB_tls\UniversalInstaller.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\ZXB_tls\UniversalInstaller.exeC:\Users\Admin\AppData\Roaming\ZXB_tls\UniversalInstaller.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe7⤵
-
C:\Users\Admin\Pictures\0CwGtqTfPCDrgrcWEM0cf8T6.exe"C:\Users\Admin\Pictures\0CwGtqTfPCDrgrcWEM0cf8T6.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\0CwGtqTfPCDrgrcWEM0cf8T6.exe"C:\Users\Admin\Pictures\0CwGtqTfPCDrgrcWEM0cf8T6.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)7⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)8⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\8wPJgeqyqDKDlXtGA5QH2zmS.exe"C:\Users\Admin\Pictures\8wPJgeqyqDKDlXtGA5QH2zmS.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\8wPJgeqyqDKDlXtGA5QH2zmS.exe"C:\Users\Admin\Pictures\8wPJgeqyqDKDlXtGA5QH2zmS.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\kB7PHNigXvID7RjUoTcbR5Vy.exe"C:\Users\Admin\Pictures\kB7PHNigXvID7RjUoTcbR5Vy.exe"3⤵
- Modifies firewall policy service
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\SgDi2Nk23Hh1QSczJtfLGsVL.exe"C:\Users\Admin\Pictures\SgDi2Nk23Hh1QSczJtfLGsVL.exe" --silent --allusers=03⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
-
C:\Users\Admin\Pictures\SgDi2Nk23Hh1QSczJtfLGsVL.exeC:\Users\Admin\Pictures\SgDi2Nk23Hh1QSczJtfLGsVL.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x2a8,0x2ac,0x2b0,0x28c,0x2b4,0x6fd9e1d0,0x6fd9e1dc,0x6fd9e1e84⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\SgDi2Nk23Hh1QSczJtfLGsVL.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\SgDi2Nk23Hh1QSczJtfLGsVL.exe" --version4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\Pictures\SgDi2Nk23Hh1QSczJtfLGsVL.exe"C:\Users\Admin\Pictures\SgDi2Nk23Hh1QSczJtfLGsVL.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=2940 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240421051514" --session-guid=f73eda00-5d5c-415e-993f-7e86c2361d3a --server-tracking-blob="NmQyYjk1OWI4MDRiM2Y0NWZmN2U4YzU5YmEwYTA2MTYwZjI5NGM5MTQwY2U0YmI5NGI0ODNjODdlYzU2YTZmNDp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N19fMTIzIiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTAiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzEzNjc2MzkwLjg5NTMiLCJ1dG0iOnsiY2FtcGFpZ24iOiI3NjdfXzEyMyIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6Im1rdCJ9LCJ1dWlkIjoiMWNhODRhN2UtZmRkOC00OGE5LWJlZTQtMTRjZTZiNzQwNzVlIn0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=78050000000000004⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
-
C:\Users\Admin\Pictures\SgDi2Nk23Hh1QSczJtfLGsVL.exeC:\Users\Admin\Pictures\SgDi2Nk23Hh1QSczJtfLGsVL.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x2b4,0x2b8,0x2bc,0x284,0x2c0,0x6ec1e1d0,0x6ec1e1dc,0x6ec1e1e85⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\Pictures\6DocS2gc3rmz1chQbt6WPPeI.exe"C:\Users\Admin\Pictures\6DocS2gc3rmz1chQbt6WPPeI.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS405B.tmp\Install.exe.\Install.exe /nxdidQZJ "385118" /S4⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Enumerates system info in registry
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"5⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True8⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 05:16:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\kSNluMf.exe\" em /Clsite_idgZc 385118 /S" /V1 /F5⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5072 -ip 50721⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Modify Registry
2Virtualization/Sandbox Evasion
1Impair Defenses
1Disable or Modify System Firewall
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Canon_Inc_IC\UniversalInstaller\ServiceLog\CANON_UIX_SERVICELOG_20240421051525.TXTFilesize
451B
MD5c6ecb5cd5364bd3bee33133e4b306b77
SHA1338501019d3e477d9afad7cdf0302692e3993f7c
SHA256ca7ae716f3688e8984594bf1fd02998c66a2ff176043185fb54bdbc3dc41ea95
SHA5121b9924eedae873e7f7f6bb66bd082efc0b153e18abfd3c0e8e49847dba8d91613ebd770cabc4add7dfcf58b123bccb82277914344492da3215a18c1bf5e9c90e
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5a6ea7bfcd3aac150c0caef765cb52281
SHA1037dc22c46a0eb0b9ad4c74088129e387cffe96b
SHA256f019af2e5e74cdf13c963910500f9436c66b6f2901f5056d72f82310f20113b9
SHA512c8d2d373b48a26cf6eec1f5cfc05819011a3fc49d863820ad07b6442dd6d5f64e27022a9e4c381eb58bf7f6b19f8e77d508734ff803073ec2fb32da9081b6f23
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
21KB
MD5e45259e85a975d54e1e54ca035c11a1f
SHA15fdcc3c8f70695b4c64e24f8837585f7fc728f60
SHA2567a34361310e54285204c6ada0dfbdcf4246f7fd06c08c01fc4a60f0544fc7647
SHA5128eb887742eede357567c06d0daef56b95c7c3595badfcba36e02952aa4ddee74f0e743e991c26d4a9ca810bd7a18e38aeaa39c4487e9613f91a9ebc3f77990b3
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404210515141\opera_packageFilesize
21.3MB
MD56e4dc21c7467eed661d9caf04d9cee24
SHA101e18832cc0f2034c2dd5e211c9fd73be55fb7fe
SHA2560b09bf6183cae1bb3fc9d69b4b6c796b1e354aacb8b6589db458922da65ab409
SHA51296a458c5377db1fedbe99fd29afab1edf5d1a5d6633493e3da756628565074be6f6aaf7314a77ffa7252e83ae999013beb86d365e7630bea6e79a2100c871f73
-
C:\Users\Admin\AppData\Local\Temp\7zS405B.tmp\Install.exeFilesize
6.8MB
MD5e77964e011d8880eae95422769249ca4
SHA18e15d7c4b7812a1da6c91738c7178adf0ff3200f
SHA256f200984380d291051fc4b342641cd34e7560cadf4af41b2e02b8778f14418f50
SHA5128feb3dc4432ec0a87416cbc75110d59efaf6504b4de43090fc90286bd37f98fc0a5fb12878bb33ac2f6cd83252e8dfd67dd96871b4a224199c1f595d33d4cade
-
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2404210515139962940.dllFilesize
4.6MB
MD50415cb7be0361a74a039d5f31e72fa65
SHA146ae154436c8c059ee75cbc6a18ccda96bb2021d
SHA256bb38a8806705980ee3e9181c099e8d5c425e6c9505a88e5af538ca6a48951798
SHA512f71c2b9e1559aa4eb2d72f852ef9807c781d4a7b96b8e0c2c53b895885319146bd43aa6e4223d43159f3d40bc60704206404dc034500e47fca0a94e53b60239e
-
C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exeFilesize
14.6MB
MD59eba9ca5f06b484cbbe41ed6fb4a8768
SHA1b52ea3b800254b0b1ae2f19e442fe98cc575eb18
SHA2565836b09135b1b8060226a6dd32b23a3985cbef5ca17b97102a851d8b8aa2c689
SHA512827f380f0d552b75be688c0de1bb6051c8d4cecf3784c6b396ce710b4c20b1b57c7eb16335cab93f451d7f69110df83f580dd562d1f26bbd2d7ca902e5c6ea74
-
C:\Users\Admin\AppData\Local\Temp\ZXB_tls\UIxMarketPlugin.dllFilesize
1.6MB
MD58f75e17a8bf3de6e22e77b5586f8a869
SHA1e0bf196cfc19a8772e003b9058bdc211b419b261
SHA2565f10a9fdcac32e93b1cebc365868ee3266f80c2734524b4aa7b6ea54e123f985
SHA5125a1e78613ad90cb0dc855d8a935b136722749889b66d4d8fc0f52438f0a4f4c8c31fbb981e9c6a13ffb2cc2b77fe0747204b63a91c6fff4646eed915387c8d7d
-
C:\Users\Admin\AppData\Local\Temp\ZXB_tls\UniversalInstaller.exeFilesize
2.4MB
MD59fb4770ced09aae3b437c1c6eb6d7334
SHA1fe54b31b0db8665aa5b22bed147e8295afc88a03
SHA256a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3
SHA512140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256
-
C:\Users\Admin\AppData\Local\Temp\ZXB_tls\relay.dllFilesize
1.5MB
MD57d2f87123e63950159fb2c724e55bdab
SHA1360f304a6311080e1fead8591cb4659a8d135f2d
SHA256b3483bb771948ed8d3f76faaa3606c8ef72e3d2d355eaa652877e21e0651aa9a
SHA5126cb8d27ebcfdf9e472c0a6fff86e6f4ec604b8f0f21c197ba6d5b76b703296c10c8d7c4fb6b082c7e77f5c35d364bcffd76ae54137e2c8944c1ea7bb9e2e5f08
-
C:\Users\Admin\AppData\Local\Temp\ZXB_tls\somebody.rtfFilesize
24KB
MD5ff36ebcf134c8846aea77446867e5bc6
SHA153fdf2c0bec711e377edb4f97cd147728fb568f6
SHA256e1c256e5a7f17cb64740223084009f37bddccc49b05e881133412057689b04e9
SHA512b07d5065dd39843c8c7bdfccdd8d39f44b1ce9fe100a2fcf7210549ea1d46bcac54080cf91eff0a05360b26233c542daabdbd5d3f096a5bf0e366583ddb29ec1
-
C:\Users\Admin\AppData\Local\Temp\ZXB_tls\spawn.xmlFilesize
1.2MB
MD50d4b3bef832fe7d161ec85f9a3ae2033
SHA198af2a1125bf6e1890ce6dab84834eecdef30d95
SHA256422c6e1fec6485e29bbc20e3f74db6bc1d01be6acfbcaa10b7d9041e5fee8670
SHA512730d1a012eaa109a87705c2b6a53280f99ca8361ad6186df7cd7bf452cbf748bc94e894c35e6cf0590014baf025a3061bce1107fb724922061afdcedf6e7b971
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_15ds4hjt.icj.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\b1069a56Filesize
5.8MB
MD5b96e10e36a9ef9a31b805f9749e57ae3
SHA1bc39aa27931f264be23c4d603d5dbaf09ca8f37e
SHA256ba11437b4ceb6ce1493ec4428eac92404425a4da52cfbe1292e4b2b325c90d02
SHA512cb1c82e0ab8d89a0fe05ec5953fc0dbe16f38439155b6a585fdb2577c86dcfa55bfea0c88145123d9d3ab70ac7af09f6a5ee428e8aab0c1d184bbfdd836afda5
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Users\Admin\AppData\Local\Temp\u1u4.0.exeFilesize
323KB
MD51d4341aa0ca4aefcb043d19eb205d8ac
SHA1c6e7a063a22e6bad72b2c81017747ab31cb59579
SHA25642af762221074082dc3aa6e4efdc2b6439cc026d6e94d6eeae97fcfafda272b4
SHA5121bcc133000feb1ab7944295a14601ff1a66432dcbe117e9e60c9f98cb8aee5b28f0ddcbbc25e2b6d91b677ca67de32a8930a1317de9b8be17524a9bea43c73a7
-
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.datFilesize
40B
MD585836764452f0f58ddd5c6e8f492d6fc
SHA14d73a1b240c81f8650cb86249e785b1ab6126b70
SHA256fad56596b071d10f48307eee969fde31681a0460b9dea7a48a78e07e08b0c9a2
SHA5129417fc8ea6290db637d2b3e569e5ab3aa280bbc944872c046f2fc35dbe01015e2b97f9a42741041700341c1579570af727939842b2901c0c2ce5ed6c1cccf286
-
C:\Users\Admin\Pictures\0CwGtqTfPCDrgrcWEM0cf8T6.exeFilesize
4.2MB
MD512c1251ddacc8c6651573aaae2a36711
SHA1aa4a4fc95f24a847f33a0fcc22d318fe947929d0
SHA256a018166a731757f43374b0b24baecfbf31b85cf9de793b9d11b186acf887bf22
SHA512e8e9723b210254504ae06f77ed86ff5c7da0ac1ba5134cb2ab99cd42b06744cdf2379835d5e8cbd413da69b1184a0d6297d29dc8393794d8959c5a2dc94f0a69
-
C:\Users\Admin\Pictures\1yazXENWWfS0IkCxcftnv7Pb.exeFilesize
445KB
MD5962689a584907a91344cd3427b586a04
SHA1662bccdb6bd35082045778a68361dd3bf849dd57
SHA2566abeb832e0ebffa3c8f166620d0aba275c0d51c4f75465e79a85716aead44cb4
SHA512c9fa49f5c86498857c78ca833c847758b0e8b61db68454a5a5b3950332ac3f7238606f0ead0b1c288fcf82f7e450fb90b07f8770badac376bb8786caa755f6cb
-
C:\Users\Admin\Pictures\6DocS2gc3rmz1chQbt6WPPeI.exeFilesize
6.4MB
MD5aaa56797070369ad346fbd9bb6cc5e8b
SHA1a1d01943f0a354d3a000628262671254ca6a91b8
SHA2569d7d08ac35f0113f7c814d257bf88b8222975aaa0a3fdeda88ac7185dbc50905
SHA512e69d25a158567c6bce6e9450de17d0814b9b9c11f4bb31e5dcc3e8b4378062cc7e31da625f6ba4a2280b393034a6c832a0fc0a1e16364dc7e8c8146de245b5be
-
C:\Users\Admin\Pictures\Mj5zOYuFiOLf3z1DhgNBVOyZ.exeFilesize
7KB
MD55b423612b36cde7f2745455c5dd82577
SHA10187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c
-
C:\Users\Admin\Pictures\SgDi2Nk23Hh1QSczJtfLGsVL.exeFilesize
5.1MB
MD527ed30f300f7a545c925283f2aa752a0
SHA1aab36c09b687e8d7902cbb735f2232bfc1ac879c
SHA256c4fd4f679fbe58d1aeccc5ca5433ca208c79b952e000d64d97990d8874063691
SHA51279c9dde779ad8069ceb8d12df7c997e6aa38b081e4cbb556d62b86790cca82dc52010fa2f19cbeff90c0626ea4ef479b4ec2399972f9207c43d6447ec74398e6
-
C:\Users\Admin\Pictures\kB7PHNigXvID7RjUoTcbR5Vy.exeFilesize
3.9MB
MD5ffee05ea98b1d51026a44fad0841a8a9
SHA150a703329c7b9812c17a02b554cf406040079fec
SHA2564cb040696b9ffb14794955b0e56eed04fde0cae3a5ee748dd513ad42c411c823
SHA512626ddc18a906b74a231daa5bcc092a90708e0e3d42e4db645d59d19de7ef38a2d91a843f11dbc7873d379bfa14e87c5fc6d09a657e0b44abd24b9991cb971f86
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5daba2606dcfedae5858ec704348b7b1b
SHA19552725956e3e1b26a9d09cf2d70796920a1b5ed
SHA256afb3896404408eb499b828caa3926efe5023971e87416a13c8f445985ef68d56
SHA512df0ec6e9ac10afd6c8854bfd5b75a1ff35b02df4eec29e3352926f401876c8552f3c201783993a82f40590fd8e04ce4034e095f4207df305f53a75839e5bae64
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD52e39e6e0831138a610ec73efa0d55f2f
SHA13ced52682fd7606565d3f77dbbb7281ee7b7c58a
SHA256a7435aa82fe6442f7ab5af77e1cc773dbb51b7d3ce4be47b089639e0df5db4dd
SHA512f9732c40d178ee9650118a12a12aad1ab9af83e13f376a6253af8ec5947e2f10de1343798d2ae475f2268c48197f2ffd7588e3579b49ba4955433c1ac4407b24
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD51a49a581ac1c56069ad8f7f15152bc34
SHA1627296e9cd3be575e789a634d3e520be0433aebd
SHA256e2af8a6e8822e0978520600ee72d01088c4bba0687104cbedd4fe255cc8d6ff8
SHA5120d0635d6133b3f9afc1bedc23cb53553c411c627ad7b4c3f7ec05268372a6f1fe1c7523f75df48681e6326282c53ad7644be22fd4e4c4b3145acc7cba65961a3
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD57946832ecde073ed341faf573d1bfefb
SHA163fb1ef4faaf42d0a184e2679d971dab807bfd22
SHA2567fab4b937eaf55d43fcfc6280f9b9c8ed5f86d16a7989e4bd4a7625caf04141a
SHA51233cf9899ac35c9b3e7ebfdc635d79576c56e8e99c00548ca954b429a6e425d07630428a99b31fb308e18290f7d7c20905f3d241a63fc9cf0db7fa82742346da0
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5192a6aca7ec59c3024576dff22471652
SHA12b73f473f64b7e417ebce620d49e50ab4cb8ff29
SHA256ef4ac54ed62e4f8bc339cbc330bafe699d8b3a544f86353313f1c29ca8fa2690
SHA512a8b7c559b920a89558c1876ce3662fb0a0fef0fd22ff36e4aa8350837ee1dd812fc63707994e4736adaec9118089dd4595ea0232feb5eb173e0c1dda18ced416
-
C:\Windows\System32\GroupPolicy\gpt.iniFilesize
127B
MD58ef9853d1881c5fe4d681bfb31282a01
SHA1a05609065520e4b4e553784c566430ad9736f19f
SHA2569228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA5125ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005
-
C:\Windows\windefender.exeFilesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
memory/1148-157-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/1148-352-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/1148-156-0x0000000003B70000-0x0000000003F70000-memory.dmpFilesize
4.0MB
-
memory/1148-362-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/1540-514-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/1540-545-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/1540-539-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/1540-466-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/1540-551-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/1540-533-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/1540-528-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/1540-520-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/1568-65-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/1568-62-0x0000000003C60000-0x0000000004067000-memory.dmpFilesize
4.0MB
-
memory/1568-64-0x0000000004070000-0x000000000495B000-memory.dmpFilesize
8.9MB
-
memory/2380-17-0x0000000001C60000-0x0000000001D60000-memory.dmpFilesize
1024KB
-
memory/2380-18-0x0000000001BB0000-0x0000000001C1E000-memory.dmpFilesize
440KB
-
memory/2380-107-0x0000000000400000-0x0000000001A3A000-memory.dmpFilesize
22.2MB
-
memory/2380-74-0x0000000001C60000-0x0000000001D60000-memory.dmpFilesize
1024KB
-
memory/2380-19-0x0000000000400000-0x0000000001A3A000-memory.dmpFilesize
22.2MB
-
memory/2380-340-0x0000000000400000-0x0000000001A3A000-memory.dmpFilesize
22.2MB
-
memory/2380-68-0x0000000001BB0000-0x0000000001C1E000-memory.dmpFilesize
440KB
-
memory/2508-513-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/2532-63-0x0000000074EE0000-0x0000000075690000-memory.dmpFilesize
7.7MB
-
memory/2532-2-0x0000000004FA0000-0x0000000004FB0000-memory.dmpFilesize
64KB
-
memory/2532-0-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/2532-66-0x0000000004FA0000-0x0000000004FB0000-memory.dmpFilesize
64KB
-
memory/2532-1-0x0000000074EE0000-0x0000000075690000-memory.dmpFilesize
7.7MB
-
memory/2788-160-0x0000000074EE0000-0x0000000075690000-memory.dmpFilesize
7.7MB
-
memory/2788-161-0x0000000004A70000-0x0000000004A80000-memory.dmpFilesize
64KB
-
memory/2788-181-0x00000000058B0000-0x0000000005C04000-memory.dmpFilesize
3.3MB
-
memory/3728-155-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/3728-154-0x0000000003B70000-0x0000000003F69000-memory.dmpFilesize
4.0MB
-
memory/3728-370-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/3728-353-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/3884-483-0x00007FF685600000-0x00007FF686109000-memory.dmpFilesize
11.0MB
-
memory/3884-491-0x00007FF685600000-0x00007FF686109000-memory.dmpFilesize
11.0MB
-
memory/3884-493-0x00007FF685600000-0x00007FF686109000-memory.dmpFilesize
11.0MB
-
memory/3884-498-0x00007FF685600000-0x00007FF686109000-memory.dmpFilesize
11.0MB
-
memory/3884-495-0x00007FF685600000-0x00007FF686109000-memory.dmpFilesize
11.0MB
-
memory/3884-518-0x00007FF685600000-0x00007FF686109000-memory.dmpFilesize
11.0MB
-
memory/4044-45-0x0000000003B20000-0x0000000003F1F000-memory.dmpFilesize
4.0MB
-
memory/4044-180-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/4044-47-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/4044-46-0x0000000003F20000-0x000000000480B000-memory.dmpFilesize
8.9MB
-
memory/4044-133-0x0000000003B20000-0x0000000003F1F000-memory.dmpFilesize
4.0MB
-
memory/4092-519-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/4092-534-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/4092-552-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/4440-77-0x0000000004F60000-0x0000000004FC6000-memory.dmpFilesize
408KB
-
memory/4440-135-0x00000000074E0000-0x00000000074EA000-memory.dmpFilesize
40KB
-
memory/4440-67-0x0000000002500000-0x0000000002536000-memory.dmpFilesize
216KB
-
memory/4440-147-0x0000000074EE0000-0x0000000075690000-memory.dmpFilesize
7.7MB
-
memory/4440-69-0x00000000052F0000-0x0000000005918000-memory.dmpFilesize
6.2MB
-
memory/4440-141-0x0000000007580000-0x0000000007588000-memory.dmpFilesize
32KB
-
memory/4440-73-0x00000000024F0000-0x0000000002500000-memory.dmpFilesize
64KB
-
memory/4440-139-0x0000000007550000-0x0000000007564000-memory.dmpFilesize
80KB
-
memory/4440-70-0x0000000074EE0000-0x0000000075690000-memory.dmpFilesize
7.7MB
-
memory/4440-75-0x0000000004D40000-0x0000000004D62000-memory.dmpFilesize
136KB
-
memory/4440-76-0x00000000024F0000-0x0000000002500000-memory.dmpFilesize
64KB
-
memory/4440-103-0x0000000007850000-0x0000000007ECA000-memory.dmpFilesize
6.5MB
-
memory/4440-108-0x000000006FB70000-0x000000006FBBC000-memory.dmpFilesize
304KB
-
memory/4440-134-0x00000000024F0000-0x0000000002500000-memory.dmpFilesize
64KB
-
memory/4440-131-0x000000007F6A0000-0x000000007F6B0000-memory.dmpFilesize
64KB
-
memory/4440-78-0x0000000005150000-0x00000000051B6000-memory.dmpFilesize
408KB
-
memory/4440-99-0x0000000005E10000-0x0000000005E2E000-memory.dmpFilesize
120KB
-
memory/4440-111-0x000000006FD40000-0x0000000070094000-memory.dmpFilesize
3.3MB
-
memory/4440-130-0x00000000073D0000-0x00000000073EE000-memory.dmpFilesize
120KB
-
memory/4440-100-0x0000000005EB0000-0x0000000005EFC000-memory.dmpFilesize
304KB
-
memory/4440-101-0x0000000006370000-0x00000000063B4000-memory.dmpFilesize
272KB
-
memory/4440-102-0x0000000007150000-0x00000000071C6000-memory.dmpFilesize
472KB
-
memory/5036-110-0x000000007F570000-0x000000007F580000-memory.dmpFilesize
64KB
-
memory/5036-136-0x0000000007EA0000-0x0000000007F36000-memory.dmpFilesize
600KB
-
memory/5036-105-0x0000000007C30000-0x0000000007C62000-memory.dmpFilesize
200KB
-
memory/5036-106-0x000000006FB70000-0x000000006FBBC000-memory.dmpFilesize
304KB
-
memory/5036-148-0x0000000074EE0000-0x0000000075690000-memory.dmpFilesize
7.7MB
-
memory/5036-109-0x000000006FD40000-0x0000000070094000-memory.dmpFilesize
3.3MB
-
memory/5036-80-0x00000000060D0000-0x0000000006424000-memory.dmpFilesize
3.3MB
-
memory/5036-79-0x0000000074EE0000-0x0000000075690000-memory.dmpFilesize
7.7MB
-
memory/5036-132-0x0000000007C90000-0x0000000007D33000-memory.dmpFilesize
652KB
-
memory/5036-104-0x0000000007A80000-0x0000000007A9A000-memory.dmpFilesize
104KB
-
memory/5036-137-0x0000000007DA0000-0x0000000007DB1000-memory.dmpFilesize
68KB
-
memory/5036-138-0x0000000007DE0000-0x0000000007DEE000-memory.dmpFilesize
56KB
-
memory/5036-140-0x0000000007E40000-0x0000000007E5A000-memory.dmpFilesize
104KB
-
memory/5036-71-0x0000000005310000-0x0000000005320000-memory.dmpFilesize
64KB
-
memory/5036-72-0x0000000005310000-0x0000000005320000-memory.dmpFilesize
64KB
-
memory/5108-159-0x0000000004740000-0x0000000004750000-memory.dmpFilesize
64KB
-
memory/5108-158-0x0000000004740000-0x0000000004750000-memory.dmpFilesize
64KB