Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows11-21h2_x64 -
resource
win11-20240412-en -
resource tags
-
submitted
21-04-2024 08:54
General
-
Target
f2781f5471c02f19dceb8e8c5d20f4725aeb126a99447f6fcfdfd80dcac43060.exe
-
Size
1.8MB
-
MD5
7fd766b6faa6e701213ba850c7a809c4
-
SHA1
58d779bb83aa9cae0b61e5e6fb387c4a61a94ae1
-
SHA256
f2781f5471c02f19dceb8e8c5d20f4725aeb126a99447f6fcfdfd80dcac43060
-
SHA512
23a3192c2683baa51a7fa27e12efb20cd06be15b6321d2727d6bbe73ea649bab5af321727aa76ef39d56940ac9d275e66eed7a20295f7dc0f02d0f8ffca04a9a
-
SSDEEP
49152:ttRJNQ/tHqrX57HftH804qmkSe119kplZYtAFTe7Gzo:tw/tHw5Lftts2116i6e7N
Malware Config
Extracted
amadey
4.17
http://193.233.132.167
-
install_dir
4d0ab15804
-
install_file
chrosha.exe
-
strings_key
1a9519d7b465e1f4880fa09a6162d768
-
url_paths
/enigma/index.php
Extracted
redline
@OLEH_PSP
185.172.128.33:8970
Extracted
redline
LiveTraffic
4.184.225.183:30592
Extracted
redline
Test1234
185.215.113.67:26260
Extracted
stealc
http://52.143.157.84
-
url_path
/c73eed764cc59dcb.php
Extracted
xehook
https://unotree.ru/
https://aiwhcpoaw.ru/
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect Xehook Payload 1 IoCs
-
Detect ZGRat V1 2 IoCs
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 9 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 8 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 2 IoCs
-
Xehook stealer
Xehook is an infostealer written in C#.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 24 IoCs
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 3 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 7 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 6 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 5 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 26 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\f2781f5471c02f19dceb8e8c5d20f4725aeb126a99447f6fcfdfd80dcac43060.exe"C:\Users\Admin\AppData\Local\Temp\f2781f5471c02f19dceb8e8c5d20f4725aeb126a99447f6fcfdfd80dcac43060.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exeC:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 8883⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\1000211001\ISetup8.exe"C:\Users\Admin\AppData\Local\Temp\1000211001\ISetup8.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\u15s.0.exe"C:\Users\Admin\AppData\Local\Temp\u15s.0.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 10965⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000212001\toolspub1.exe"C:\Users\Admin\AppData\Local\Temp\1000212001\toolspub1.exe"3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 3884⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000213001\4767d2e713f2021e8fe856e3ea638b58.exe"C:\Users\Admin\AppData\Local\Temp\1000213001\4767d2e713f2021e8fe856e3ea638b58.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000213001\4767d2e713f2021e8fe856e3ea638b58.exe"C:\Users\Admin\AppData\Local\Temp\1000213001\4767d2e713f2021e8fe856e3ea638b58.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll6⤵
- Executes dropped EXE
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)7⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)8⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000214001\FirstZ.exe"C:\Users\Admin\AppData\Local\Temp\1000214001\FirstZ.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\1000215001\Uni400uni.exe"C:\Users\Admin\AppData\Local\Temp\1000215001\Uni400uni.exe"3⤵
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000215001\Uni400uni.exe" -Force4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\NSxGsWr0YemtFl065lNk2UvU.exe"C:\Users\Admin\Pictures\NSxGsWr0YemtFl065lNk2UvU.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe"C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main2⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\344820275820_Desktop.zip' -CompressionLevel Optimal4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main2⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\1000193001\dirtquire.exe"C:\Users\Admin\AppData\Local\Temp\1000193001\dirtquire.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3016 -ip 30161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3576 -ip 35761⤵
-
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe1⤵
- Executes dropped EXE
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3324 -ip 33241⤵
-
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify Tools
3Disable or Modify System Firewall
1Modify Registry
6Virtualization/Sandbox Evasion
2Subvert Trust Controls
1Install Root Certificate
1Credential Access
Unsecured Credentials
5Credentials In Files
4Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5ae626d9a72417b14570daa8fcd5d34a4
SHA1c103ebaf4d760df722d620df87e6f07c0486439f
SHA25652cc3f3028fab0d347a4a3fffef570b42f85748176d81a3344996d42fd1de32a
SHA512a0690bda318bdf43d6f292f88d4ea2ebeec83b95e9ebca80083dbb08e7ddcdb9735cc58b89d369a34f10acf8a114d4a207ed8d0f070c5baf87c5798e9f35bc14
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD585b9cc9025322c39ee862e74568559fe
SHA1100c4c6c0b341a09d8ebcc471bb326a12e700997
SHA256861fa36fed0da433242f961cd6b05a01b6f6f1f04ab2c9555cfc357469e57951
SHA512e88cb9995edd0f0ef57d77798c0d949a287b7b92f430e669cfd55197395f9a7298081aa49aef4f0f315845d524c139774ebb2f8e83261f9c731e033671bf3cd8
-
C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exeFilesize
321KB
MD51c7d0f34bb1d85b5d2c01367cc8f62ef
SHA133aedadb5361f1646cffd68791d72ba5f1424114
SHA256e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c
SHA51253bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d
-
C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exeFilesize
1.7MB
MD585a15f080b09acace350ab30460c8996
SHA13fc515e60e4cfa5b3321f04a96c7fb463e4b9d02
SHA2563a2006bc835a8ffe91b9ee9206f630b3172f42e090f4e8d90be620e540f5ef6b
SHA512ade5e3531dfa1a01e6c2a69deb2962cbf619e766da3d6e8e3453f70ff55ccbcbe21381c7b97a53d67e1ca88975f4409b1a42a759e18f806171d29e4c3f250e9f
-
C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exeFilesize
488KB
MD582053649cadec1a338509e46ba776fbd
SHA16d8e479a6dc76d54109bb2e602b8087d55537510
SHA25630468f8b767772214c60a701ecfee11c634516c3e2de146cd07638ea00dd0b6e
SHA512e4b2b219483477a73fec5a207012f77c7167bf7b7f9adcb80ee92f87ddfe592a0d520f2afee531d1cce926ef56da2b065b13630a1cc171f48db8f7987e10897a
-
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exeFilesize
418KB
MD50099a99f5ffb3c3ae78af0084136fab3
SHA10205a065728a9ec1133e8a372b1e3864df776e8c
SHA256919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA5125ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6
-
C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exeFilesize
304KB
MD58510bcf5bc264c70180abe78298e4d5b
SHA12c3a2a85d129b0d750ed146d1d4e4d6274623e28
SHA256096220045877e456edfea1adcd5bf1efd332665ef073c6d1e9474c84ca5433f6
SHA5125ff0a47f9e14e22fc76d41910b2986605376605913173d8ad83d29d85eb79b679459e2723a6ad17bc3c3b8c9b359e2be7348ee1c21fa2e8ceb7cc9220515258d
-
C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exeFilesize
158KB
MD5586f7fecacd49adab650fae36e2db994
SHA135d9fb512a8161ce867812633f0a43b042f9a5e6
SHA256cf88d499c83da613ad5ccd8805822901bdc3a12eb9b15804aeff8c53dc05fc4e
SHA512a44a2c99d18509681505cf70a251baf2558030a8648d9c621acc72fafcb2f744e3ef664dfd0229baf7c78fb72e69f5d644c755ded4060dcafa7f711d70e94772
-
C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exeFilesize
1.6MB
MD5aac0da2ad89fb5c5e8f9126d36e9ffc9
SHA1769d80b96a26201151f8d93c33d0c1e7d54bcba4
SHA25674abaa32980ad9cc7e5df7d4430c8b93e70d4ee711c5c6b9ecbcb80658b1e927
SHA512decbcf5f6336fdba4b56026cc0c7436c5bfdc02e2efa3c81ad0e0ae31de657111369034cd05b181afd75f5e7894a788f2102dd47cfc99f8e7fafddaf7e491eac
-
C:\Users\Admin\AppData\Local\Temp\1000193001\dirtquire.exeFilesize
273KB
MD5e795115169cc800de0392d6a675d58fd
SHA18dd75837e360ba1cb8acf5a3d348dd020a5da482
SHA25617f929c1d40a7fd6f897c0b15ca9c44b2059cbccb3037c31619d87954659478e
SHA5125fb6543e91de175bd365462a1cc87d6772e43b0effd3757b3e408b08a4de5a004de9a85e7f1d09578fa3bc6b6486c5f5016c1b879496582dbb39b2e62e168f38
-
C:\Users\Admin\AppData\Local\Temp\1000211001\ISetup8.exeFilesize
427KB
MD596cb2e366cff033aac894dd0dd0f71f6
SHA1874482f06a0c85eb475c503a237e98864ebb220a
SHA256b1887de18886f2e92a9807229c9f5c70a6152d3851bcc094006b8eb2d3857a68
SHA51224e2ae76be23acd76fa5ef43179942adf7354062921a85aec3cfaad05a15f5b30a85f1d0a43a79f8eba85d1d0ab6c3f78aea56c7b06d11dad018657da04abaa0
-
C:\Users\Admin\AppData\Local\Temp\1000212001\toolspub1.exeFilesize
283KB
MD5ace2b92a3208dec19577cbac84d543b2
SHA1c40b8908ebbfa819c3581ec85bfca66bca77b605
SHA2561d5fe89aae579ea253d121deb90c9a61f94ddab13ff51f58f939a57f0edab73e
SHA512e7e6244087d993ae9beac2fba78452c3eb55f52cbcf515a5888e6078d87f235f1f54c12408eb4d0457102d22a8aa18d069dda0788cce72b0b456a74f7439459f
-
C:\Users\Admin\AppData\Local\Temp\1000213001\4767d2e713f2021e8fe856e3ea638b58.exeFilesize
4.1MB
MD53e6c7d7a4d435585e2c6b595644fa996
SHA115ab1fa590e3a200783198ccdaf80fbc649ab61e
SHA256f26dc3f7fcaf7d8fb2bdc1238e4344f9f7c892f807f8cee78fbda1a9da2abd48
SHA5122a5f75fd8edd0e0c4e6de73c8ed6ad733f019361e87b538f48a57a0661955e03dc0e9fbe40d86adb6edc8460571702286f84009dd4e1c9c5fed9870e349aba35
-
C:\Users\Admin\AppData\Local\Temp\1000214001\FirstZ.exeFilesize
2.5MB
MD5ffada57f998ed6a72b6ba2f072d2690a
SHA16857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f
SHA256677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12
SHA5121de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f
-
C:\Users\Admin\AppData\Local\Temp\1000215001\Uni400uni.exeFilesize
556KB
MD5e1d8325b086f91769120381b78626e2e
SHA10eb6827878445d3e3e584b7f08067a7a4dc9e618
SHA256b925abb193e7003f4a692064148ffe7840096022a44f4d5ae4c0abb59a287934
SHA512c8c0b424c2ed7ee598997bdc0b0d2099b650a280903716891b0eaa340acf556c0642d921fcb7f654387a4a1f1ec4a32feaf8d872b51ca482a977f11e2974072c
-
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exeFilesize
1.8MB
MD57fd766b6faa6e701213ba850c7a809c4
SHA158d779bb83aa9cae0b61e5e6fb387c4a61a94ae1
SHA256f2781f5471c02f19dceb8e8c5d20f4725aeb126a99447f6fcfdfd80dcac43060
SHA51223a3192c2683baa51a7fa27e12efb20cd06be15b6321d2727d6bbe73ea649bab5af321727aa76ef39d56940ac9d275e66eed7a20295f7dc0f02d0f8ffca04a9a
-
C:\Users\Admin\AppData\Local\Temp\TmpC525.tmpFilesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dfqppv5e.ezv.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Users\Admin\AppData\Local\Temp\u15s.0.exeFilesize
283KB
MD5329bc43cda762f853095671ec1454c8f
SHA1ad03097d49c3d5f6f9527036872dc399a27ef4c2
SHA25677d2045b214ad57a071131305a0dcdcaf51fde050bd0de0ece82d7ccc43ed584
SHA512240baaaa1330186096cf71d772adfb623a49ddb9ea02ea525bacd59180f38d3209fd2ac48508ad8ff85f302a9487b0fb7ce47f9b3757c76a97d80fb14b8910b3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-834482027-582050234-2368284635-1000\76b53b3ec448f7ccdda2063b15d2bfc3_caae426a-21ee-4785-9d39-36619a8eb310Filesize
2KB
MD500b680ee5ba5d1df19e9d980daae1d14
SHA126307af060786625d5de372652a8e11af754b24d
SHA2564757e0adc1780344c742576e02d86902b49876b52473b3615823a1ca3168d6de
SHA51287b987aade1fa82cca3255754752b9f50528aace4f9c5405849f020876bbed8a021dc6fdaf6715fc185e1b94ab0afd104ac730c48a85bfc10834d58272a82b5f
-
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dllFilesize
109KB
MD5154c3f1334dd435f562672f2664fea6b
SHA151dd25e2ba98b8546de163b8f26e2972a90c2c79
SHA2565f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f
SHA5121bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841
-
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dllFilesize
1.2MB
MD5f35b671fda2603ec30ace10946f11a90
SHA1059ad6b06559d4db581b1879e709f32f80850872
SHA25683e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7
SHA512b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705
-
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exeFilesize
541KB
MD51fc4b9014855e9238a361046cfbf6d66
SHA1c17f18c8246026c9979ab595392a14fe65cc5e9f
SHA256f38c27ecbeed9721f0885d3b2f2f767d60a5d1c0a5c98433357f570987da3e50
SHA5122af234cac24ec4a508693d9affa7f759d4b29bb3c9ddffd9e6350959fd4da26501553399d2b02a8eeae8dace6bfe9b2ce50462ce3c6547497f5b0ea6ed226b12
-
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exeFilesize
304KB
MD5cc90e3326d7b20a33f8037b9aab238e4
SHA1236d173a6ac462d85de4e866439634db3b9eeba3
SHA256bd73ee49a23901f9fb235f8a5b29adc72cc637ad4b62a9760c306900cb1678b7
SHA512b5d197a05a267bf66509b6d976924cd6f5963532a9f9f22d1763701d4fba3dfa971e0058388249409884bc29216fb33a51846562a5650f81d99ce14554861521
-
C:\Users\Admin\Desktop\Microsoft Edge.lnkFilesize
2KB
MD5b3afd3a04664918209c049aea4070627
SHA11f262e45ab8ae773b6f1f0a1bb1b0ed1df91e720
SHA256e86abc771af38dee0a6e37b55f113d8a9a34d426f6419ccb59f8ef43f7fba7d7
SHA5127bc37d3619adc0cce4cda640024cd9e75be97db8bf9a47acbb9b02b55e6261defaa7788076ca761638018b3a41075dad53e023caa5310576dce0de813e82e170
-
C:\Users\Admin\Pictures\NSxGsWr0YemtFl065lNk2UvU.exeFilesize
4.1MB
MD5db117a12dc77d05d91cb7c79917152a5
SHA1a1a4b1eeec5e78cfbaad2a106b97029530b65718
SHA25623f4ed851cba5df64e6eb490e6d049c084118fd5b67019aad8088cc720f7e2a5
SHA512196023c8a801decacb2e6f43ff1a4bf8952b6db0636e584ef130fa6d18f926da7784c8acdea731d4bff64c323f7f6f21615c078730150ee3951986935b8cf645
-
C:\Users\Admin\Pictures\qD7kWN0sJYUdWDldoPXZEObc.exeFilesize
7KB
MD55b423612b36cde7f2745455c5dd82577
SHA10187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c
-
C:\Users\Public\Desktop\Google Chrome.lnkFilesize
2KB
MD5f219a3a45546d718b1bf5be5d9eded4e
SHA150e9d3ae83f433b61586c6ad4056cd078e42b95a
SHA2569ef3925522b8c5cf57dcc5849732c380ac6381edfadfa9238a80bcea96680f49
SHA5128a042ae080663905b4fac85519eff82b8cf0a580ec57da56901d3aa25c319b5d4b1d3305a12e2b69c357f483c5b1823d62eb22c80af533b31b2eb8cc5172bc31
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5d0c46cad6c0778401e21910bd6b56b70
SHA17be418951ea96326aca445b8dfe449b2bfa0dca6
SHA2569600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD553e17a96aa52a9d16712ea26d457f77e
SHA1f61f865dc75260bb82207078f951a556f14adb85
SHA256cfdf5bdc4ac07c49c3e541007db0117f36dc12fbc28350ab2ea7e9a97c7b91d7
SHA5129080ce4101743f8e70c873e9c447a3c016bfaef15e93b347a151f6601c13dc5dd251ec0558db58c0c281fadc9fd577cda9e018fa04b53372238cfe408ff8afcf
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD59b7ff14c59f09fb4b25e188f7a5d9604
SHA162a0d15a9d70d254532e0fde1b3409e106f3b2ae
SHA2568e36363fae0a3c8024356d777c78ca718e622145f7023433fe8ffa8917bd79b5
SHA51224f28274929446eace13c3240f562d69a81efd385c02d72eded96cabfff9d7e6721aff66d48935fcbad86a201bdfdbbb5f39079a0ef194efa12f73ff9dbefcd5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5a9d5bd83ea6d51d4a541d68cd375b72b
SHA1f02f810f5bbcac410e79351c5e9e8c83a6c544b6
SHA256bd2a66fb4e7116e88e3c7c0326bacbe37520440010872e438ac0db2523e20ea2
SHA51282a90fd80e791e263ea1fea6f499722477aa77025529c923956b8be862586050431ea05d980d487071be16a3557ef19d1ca365ae805a8adbec9de9ea8666f242
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD59ab7d9f60279a5871f9e75cb5249191c
SHA116b99dfa7703910eb732452f266d44efe4ae7b80
SHA256caf41a0f4928550c4a54fd2784e37242d2da0481dd4cece2b43a48816c53ca51
SHA512d114a447e617e9fe8f9fd9a487f427dfd419e7c06d55b55d601903d3f5a1ebbf910e79791ff8066449ec851cc9d3e5cdcc772006496b41f3337a22f717deef4a
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5a2d0c4b14c5272c912084ce2ed8a667e
SHA1fc0951f155d3a8e561a7d690745a75d447bfae70
SHA2566929cfb84c88f1af4c11aa0a3bb13bc6c35284cc06d8924a54a01d63d5396538
SHA512e58387ce488e72981867e3bd961db0e1bffca18455dd148bc7c2584dd2a6b6db9fb9577f85ccb0749e1e61e84b2a463b727abd43ec6308682dcd020da426ddfc
-
C:\Windows\windefender.exeFilesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
memory/400-136-0x0000000006B20000-0x0000000007138000-memory.dmpFilesize
6.1MB
-
memory/400-132-0x0000000005A90000-0x0000000005B06000-memory.dmpFilesize
472KB
-
memory/400-216-0x00000000068C0000-0x0000000006926000-memory.dmpFilesize
408KB
-
memory/400-137-0x0000000006670000-0x000000000677A000-memory.dmpFilesize
1.0MB
-
memory/400-108-0x0000000072E20000-0x00000000735D1000-memory.dmpFilesize
7.7MB
-
memory/400-109-0x00000000005B0000-0x0000000000602000-memory.dmpFilesize
328KB
-
memory/400-110-0x0000000005460000-0x0000000005A06000-memory.dmpFilesize
5.6MB
-
memory/400-111-0x0000000004F90000-0x0000000005022000-memory.dmpFilesize
584KB
-
memory/400-140-0x0000000006780000-0x00000000067CC000-memory.dmpFilesize
304KB
-
memory/400-114-0x0000000005140000-0x000000000514A000-memory.dmpFilesize
40KB
-
memory/400-139-0x0000000006610000-0x000000000664C000-memory.dmpFilesize
240KB
-
memory/400-138-0x00000000065B0000-0x00000000065C2000-memory.dmpFilesize
72KB
-
memory/400-117-0x0000000004F60000-0x0000000004F70000-memory.dmpFilesize
64KB
-
memory/400-133-0x00000000063E0000-0x00000000063FE000-memory.dmpFilesize
120KB
-
memory/840-7-0x0000000004FA0000-0x0000000004FA1000-memory.dmpFilesize
4KB
-
memory/840-2-0x00000000003F0000-0x00000000008A9000-memory.dmpFilesize
4.7MB
-
memory/840-6-0x0000000004F90000-0x0000000004F91000-memory.dmpFilesize
4KB
-
memory/840-0-0x00000000003F0000-0x00000000008A9000-memory.dmpFilesize
4.7MB
-
memory/840-3-0x0000000004FC0000-0x0000000004FC1000-memory.dmpFilesize
4KB
-
memory/840-1-0x0000000077476000-0x0000000077478000-memory.dmpFilesize
8KB
-
memory/840-8-0x0000000005010000-0x0000000005011000-memory.dmpFilesize
4KB
-
memory/840-13-0x00000000003F0000-0x00000000008A9000-memory.dmpFilesize
4.7MB
-
memory/840-5-0x0000000004FF0000-0x0000000004FF1000-memory.dmpFilesize
4KB
-
memory/840-4-0x0000000004FB0000-0x0000000004FB1000-memory.dmpFilesize
4KB
-
memory/1288-113-0x00000000006C0000-0x000000000074C000-memory.dmpFilesize
560KB
-
memory/1288-115-0x00007FFE7DDD0000-0x00007FFE7E892000-memory.dmpFilesize
10.8MB
-
memory/1288-116-0x000000001B4E0000-0x000000001B4F0000-memory.dmpFilesize
64KB
-
memory/1288-202-0x000000001DF90000-0x000000001E006000-memory.dmpFilesize
472KB
-
memory/1288-206-0x000000001ECE0000-0x000000001F208000-memory.dmpFilesize
5.2MB
-
memory/1288-205-0x000000001E5E0000-0x000000001E7A2000-memory.dmpFilesize
1.8MB
-
memory/1288-204-0x000000001B4E0000-0x000000001B4F0000-memory.dmpFilesize
64KB
-
memory/1288-182-0x000000001DA80000-0x000000001DB8A000-memory.dmpFilesize
1.0MB
-
memory/1288-183-0x000000001B820000-0x000000001B832000-memory.dmpFilesize
72KB
-
memory/1288-184-0x000000001C3B0000-0x000000001C3EC000-memory.dmpFilesize
240KB
-
memory/1288-203-0x000000001C3F0000-0x000000001C40E000-memory.dmpFilesize
120KB
-
memory/1288-201-0x000000001B4E0000-0x000000001B4F0000-memory.dmpFilesize
64KB
-
memory/1356-16-0x0000000000630000-0x0000000000AE9000-memory.dmpFilesize
4.7MB
-
memory/1356-713-0x0000000000630000-0x0000000000AE9000-memory.dmpFilesize
4.7MB
-
memory/1356-680-0x0000000000630000-0x0000000000AE9000-memory.dmpFilesize
4.7MB
-
memory/1356-83-0x0000000000630000-0x0000000000AE9000-memory.dmpFilesize
4.7MB
-
memory/1356-593-0x0000000000630000-0x0000000000AE9000-memory.dmpFilesize
4.7MB
-
memory/1356-702-0x0000000000630000-0x0000000000AE9000-memory.dmpFilesize
4.7MB
-
memory/1356-17-0x0000000000630000-0x0000000000AE9000-memory.dmpFilesize
4.7MB
-
memory/1356-19-0x0000000005340000-0x0000000005341000-memory.dmpFilesize
4KB
-
memory/1356-787-0x0000000000630000-0x0000000000AE9000-memory.dmpFilesize
4.7MB
-
memory/1356-518-0x0000000000630000-0x0000000000AE9000-memory.dmpFilesize
4.7MB
-
memory/1356-25-0x0000000005370000-0x0000000005371000-memory.dmpFilesize
4KB
-
memory/1356-276-0x0000000000630000-0x0000000000AE9000-memory.dmpFilesize
4.7MB
-
memory/1356-736-0x0000000000630000-0x0000000000AE9000-memory.dmpFilesize
4.7MB
-
memory/1356-717-0x0000000000630000-0x0000000000AE9000-memory.dmpFilesize
4.7MB
-
memory/1356-24-0x0000000005380000-0x0000000005381000-memory.dmpFilesize
4KB
-
memory/1356-158-0x0000000000630000-0x0000000000AE9000-memory.dmpFilesize
4.7MB
-
memory/1356-20-0x0000000005320000-0x0000000005321000-memory.dmpFilesize
4KB
-
memory/1356-21-0x0000000005360000-0x0000000005361000-memory.dmpFilesize
4KB
-
memory/1356-22-0x0000000005300000-0x0000000005301000-memory.dmpFilesize
4KB
-
memory/1356-430-0x0000000000630000-0x0000000000AE9000-memory.dmpFilesize
4.7MB
-
memory/1356-23-0x0000000005310000-0x0000000005311000-memory.dmpFilesize
4KB
-
memory/1356-18-0x0000000005330000-0x0000000005331000-memory.dmpFilesize
4KB
-
memory/1396-754-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/1504-451-0x0000000000400000-0x0000000001A35000-memory.dmpFilesize
22.2MB
-
memory/1504-789-0x0000000000400000-0x0000000001A35000-memory.dmpFilesize
22.2MB
-
memory/1880-229-0x0000000072E20000-0x00000000735D1000-memory.dmpFilesize
7.7MB
-
memory/1880-88-0x0000000005740000-0x0000000005750000-memory.dmpFilesize
64KB
-
memory/1880-87-0x0000000072E20000-0x00000000735D1000-memory.dmpFilesize
7.7MB
-
memory/1880-81-0x0000000000400000-0x0000000000592000-memory.dmpFilesize
1.6MB
-
memory/2160-712-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/2676-54-0x0000000000A60000-0x0000000000A61000-memory.dmpFilesize
4KB
-
memory/2676-55-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/2676-52-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/2676-49-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/2760-159-0x0000000000480000-0x00000000004FD000-memory.dmpFilesize
500KB
-
memory/2940-517-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/3016-56-0x0000000072E30000-0x00000000735E1000-memory.dmpFilesize
7.7MB
-
memory/3016-45-0x0000000000240000-0x0000000000292000-memory.dmpFilesize
328KB
-
memory/3016-46-0x0000000072E30000-0x00000000735E1000-memory.dmpFilesize
7.7MB
-
memory/3016-53-0x00000000027D0000-0x00000000047D0000-memory.dmpFilesize
32.0MB
-
memory/3336-316-0x0000000061E00000-0x0000000061EF3000-memory.dmpFilesize
972KB
-
memory/3336-286-0x0000000000400000-0x000000000063B000-memory.dmpFilesize
2.2MB
-
memory/3336-282-0x0000000000400000-0x000000000063B000-memory.dmpFilesize
2.2MB
-
memory/3580-603-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/3580-609-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/3664-161-0x0000000072E20000-0x00000000735D1000-memory.dmpFilesize
7.7MB
-
memory/3664-78-0x0000000005440000-0x0000000005450000-memory.dmpFilesize
64KB
-
memory/3664-76-0x0000000000A00000-0x0000000000BBC000-memory.dmpFilesize
1.7MB
-
memory/3664-77-0x0000000072E20000-0x00000000735D1000-memory.dmpFilesize
7.7MB
-
memory/3860-174-0x0000000005070000-0x0000000005080000-memory.dmpFilesize
64KB
-
memory/3860-157-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB
-
memory/3860-160-0x0000000072E20000-0x00000000735D1000-memory.dmpFilesize
7.7MB
-
memory/4508-718-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/4508-788-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/4508-737-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/4508-715-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/4508-706-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/4508-701-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/4744-772-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/4744-716-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/4956-230-0x0000000072E20000-0x00000000735D1000-memory.dmpFilesize
7.7MB
-
memory/4956-231-0x00000000004D0000-0x0000000000522000-memory.dmpFilesize
328KB