Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
22-04-2024 08:50
General
-
Target
35c4271577d3f6d7252fbd9b68fd35ae53a15653120073362eddccd086013003.exe
-
Size
3.1MB
-
MD5
68ef35fcc712865e0bcd9b914b2f20dd
-
SHA1
807a84f9718c0295cae0f743de34195117977d95
-
SHA256
35c4271577d3f6d7252fbd9b68fd35ae53a15653120073362eddccd086013003
-
SHA512
b5be8285bc8132b289726e6a89485ecd3f49b47b6fd6694c58cd8eb677fdc45a09c4f9ce83e8a5e21d17c7b64cf337d22dbcd7a405fe37ab1a2bdb0c7a652fbf
-
SSDEEP
49152:SIzYhTST0mYRT0SJNhcJFjBylfG1ihHXnppDBzWX1v:sTwaNhcJZUlUihppDBzWX1
Malware Config
Extracted
amadey
4.18
http://193.233.132.56
-
install_dir
09fd851a4f
-
install_file
explorha.exe
-
strings_key
443351145ece4966ded809641c77cfa8
-
url_paths
/Pneh2sXQk0/index.php
Extracted
amadey
4.17
http://193.233.132.167
-
install_dir
4d0ab15804
-
install_file
chrosha.exe
-
strings_key
1a9519d7b465e1f4880fa09a6162d768
-
url_paths
/enigma/index.php
Extracted
redline
LiveTraffic
4.184.225.183:30592
Extracted
stealc
http://52.143.157.84
-
url_path
/c73eed764cc59dcb.php
Extracted
lumma
https://affordcharmcropwo.shop/api
https://cleartotalfisherwo.shop/api
https://worryfillvolcawoi.shop/api
https://enthusiasimtitleow.shop/api
https://dismissalcylinderhostw.shop/api
https://diskretainvigorousiw.shop/api
https://communicationgenerwo.shop/api
https://pillowbrocccolipe.shop/api
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect ZGRat V1 1 IoCs
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 4 IoCs
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Stealc
Stealc is an infostealer written in C++.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
-
Blocklisted process makes network request 4 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 16 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 17 IoCs
-
Identifies Wine through registry keys 2 TTPs 8 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 6 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 1 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 60 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\35c4271577d3f6d7252fbd9b68fd35ae53a15653120073362eddccd086013003.exe"C:\Users\Admin\AppData\Local\Temp\35c4271577d3f6d7252fbd9b68fd35ae53a15653120073362eddccd086013003.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000055001\8efc78470c.exe"C:\Users\Admin\AppData\Local\Temp\1000055001\8efc78470c.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account4⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffa082ab58,0x7fffa082ab68,0x7fffa082ab785⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1696 --field-trial-handle=1660,i,8642454522065702832,12321538323561603140,131072 /prefetch:25⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1660,i,8642454522065702832,12321538323561603140,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2204 --field-trial-handle=1660,i,8642454522065702832,12321538323561603140,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3084 --field-trial-handle=1660,i,8642454522065702832,12321538323561603140,131072 /prefetch:15⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3092 --field-trial-handle=1660,i,8642454522065702832,12321538323561603140,131072 /prefetch:15⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4360 --field-trial-handle=1660,i,8642454522065702832,12321538323561603140,131072 /prefetch:15⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3284 --field-trial-handle=1660,i,8642454522065702832,12321538323561603140,131072 /prefetch:15⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4524 --field-trial-handle=1660,i,8642454522065702832,12321538323561603140,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4540 --field-trial-handle=1660,i,8642454522065702832,12321538323561603140,131072 /prefetch:85⤵
- Modifies registry class
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 --field-trial-handle=1660,i,8642454522065702832,12321538323561603140,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5160 --field-trial-handle=1660,i,8642454522065702832,12321538323561603140,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 --field-trial-handle=1660,i,8642454522065702832,12321538323561603140,131072 /prefetch:85⤵
-
C:\Users\Admin\AppData\Local\Temp\1000056001\69643659ec.exe"C:\Users\Admin\AppData\Local\Temp\1000056001\69643659ec.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main3⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\netsh.exenetsh wlan show profiles5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\556644402199_Desktop.zip' -CompressionLevel Optimal5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"3⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\1000059001\amert.exe"C:\Users\Admin\AppData\Local\Temp\1000059001\amert.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exeC:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5728 -s 8043⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"4⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 35⤵
-
C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe"C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main2⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\556644402199_Desktop.zip' -CompressionLevel Optimal4⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main2⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5728 -ip 57281⤵
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Virtualization/Sandbox Evasion
2Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Credential Access
Unsecured Credentials
4Credentials In Files
3Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
360B
MD5bd1c1d25e0c367be07d118ce60c4a82d
SHA1c8ccea23776f5fcf415ec5850e063986ccf7493a
SHA256c7aaeea80b33d317518a7fbd2906829ed5bb4a4671134735f7bb9e2ea69cd943
SHA512bd7b12de255b5a2a24c9c0a0e6fa584b861d6bf688825901f25aec07fc707e1040d10eb42b1649f56644474b161c85e1162345681ed30697215a7da835529a1b
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesFilesize
20KB
MD5ab28929c7b938699dc95d5ee1ce6c0fd
SHA1a164e658c239382928abbd0ca630570b2a2911c1
SHA2560b507b595e12afc690c6d721803682c8f8fa35dee6fbe3ea3e6e395a81e12214
SHA512f1bf2644a5b198c76f1bf806d6fcc2853e5fe713f1d1a9e84569c371093d9dfd13d7a1b6840b9b33e637f9bef943f1c438f8264ca92159294c208c3dc779419c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending ReportsFilesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
520B
MD5fc10c1205b365fc63a6c27f40b55bfae
SHA1c683717bde7c7dee320d95b546d128c4eda58794
SHA2566d8f852962e47167dcb7281d72f1687968875ff94fb8a296d070c05e1621bb6d
SHA512df84ec089ec6926235a027f983bff1ed4fb607037b450392cdcf95f1605ed663afc5ca4c8786367a9b7562739c6f3e389846afef77f1e9501125ba8b1e2a8439
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
7KB
MD5b1edd1725621ef085e01c6d363257c78
SHA1513b6c1ff985296e8b622ddd01727455b398e800
SHA256e05906d43a6f31d45c13c9383363802d2a6d568b2afa25ae9fb5f5d1f4507dd9
SHA51287f216fe346c645bec31c99517147cb0c3a6b2a556dbcfb0021a7ed04655d275bb0810257d76629297c1c525d879ffc299593e9ca77ad16da332b3e4f32c54ee
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
16KB
MD57cec70226c2b30647ea83df4850cd52d
SHA1946c410bdfaf70d72d97995138749e57fcd54fa4
SHA256b8511c7d62a31fd7c8865f74e9ebf525d3887943b2f5b5cc24c83b793f79ac41
SHA51239d6dc154dd99ccf179df6529f1557f6d8e80aff1ddff09307bf397fbf673536f961d9dbd48234896b6fa62bfc93b0cbc02bf6c993d9d109c62622d400ada9cc
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
252KB
MD51a1d526cbe49e8a8731d4e01085f8452
SHA174fa5eb865252e7e7d44f44e811976559af591bd
SHA2563916616693db9a097310508c5f18c04a98204af4add01df088a96df9da8a9d41
SHA512d387e61786ac8799f3ab14e368ca68c99883313fbd25e5b8987f6d611bd3854c28adddf5e01cd0d02067bddb3e15189b50f9e4b61837ee05f68e5daf170c664c
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5fe3aab3ae544a134b68e881b82b70169
SHA1926e9b4e527ae1bd9b3b25726e1f59d5a34d36a6
SHA256bda499e3f69d8fe0227e734bbb935dc5bf0050d37adf03bc41356dfcb5bcca0b
SHA5123fbd3499d98280b6c79c67b0ee183b27692dbc31acf103b4f8ca4dcdf392afff2b3aad500037f4288581ed37e85f45c3bbb5dcde11cddf3ef0609f44b2ecb280
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD574cd4674166ac8f1bea0a81b6bb8eabc
SHA10e7e9faee65e22e86a0f47664f3489c12e710d90
SHA256430d083ba64e6ecf668e892360b5a4a3423ff492e84f01f14aa69957de2e1e44
SHA512ce07207402aefa1503da21c5cc29e55f777abd5a04b2b41061c6d6a37da7ec3a2df0388c7481bf0c71e4f656cb703ca19c6ecde9cbe5ae21d2948321ee7d7391
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeFilesize
3.1MB
MD568ef35fcc712865e0bcd9b914b2f20dd
SHA1807a84f9718c0295cae0f743de34195117977d95
SHA25635c4271577d3f6d7252fbd9b68fd35ae53a15653120073362eddccd086013003
SHA512b5be8285bc8132b289726e6a89485ecd3f49b47b6fd6694c58cd8eb677fdc45a09c4f9ce83e8a5e21d17c7b64cf337d22dbcd7a405fe37ab1a2bdb0c7a652fbf
-
C:\Users\Admin\AppData\Local\Temp\1000055001\8efc78470c.exeFilesize
1.1MB
MD51a2a9e7fb501cc9f7c6775d4484489c2
SHA186dba896d0c774893be462dad4f3e7da5bb3e4b7
SHA256fbc5fb232fac8efebcbf7c188ff32e56742e2d6dd88e09f78fdfe014643c45b1
SHA5120bceddd551624e4ca323f7ecef8897e8ddac71f13eca7bd4dfb80ea3539e0b444b33530aa04dc8df42675fb4ebda54a769a6e9f12b6de6a85fe836d93b4d302e
-
C:\Users\Admin\AppData\Local\Temp\1000056001\69643659ec.exeFilesize
2.3MB
MD5d88806d74b9aabd13af64b05ab541c25
SHA1c7f0bf36be6487fa63ba705f40dd547eb48d158b
SHA2562ee5ec104a29860cb1c1887e9ac868391e8d5dcdc70fe05a64383e1a64d2081a
SHA51278d4b8876d2a319e56a0ffad679b3a42a6567eab5d8efe85ac0fdbacfc42a92314fc887f7a129cac80889a030a73b9dd3ff5b6832e8bcfa79df107c51ecf927e
-
C:\Users\Admin\AppData\Local\Temp\1000059001\amert.exeFilesize
1.8MB
MD54ef2f13cc3d39f2d92602363bdc73de7
SHA12e759549065b33329eced0f96977ec70c0984bfd
SHA2562ce9797ab83e5441a1ba4baef6d85589760a2674c7f44573787e05a74db7827a
SHA5127935056156b6164f868b9ff389166b89c87d34d53230988f8bbd3974ccdf74e1a495cff987921088a37a6f46b13a0316672613d2b88062f73c3128636de74d3c
-
C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exeFilesize
321KB
MD51c7d0f34bb1d85b5d2c01367cc8f62ef
SHA133aedadb5361f1646cffd68791d72ba5f1424114
SHA256e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c
SHA51253bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d
-
C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exeFilesize
1.7MB
MD585a15f080b09acace350ab30460c8996
SHA13fc515e60e4cfa5b3321f04a96c7fb463e4b9d02
SHA2563a2006bc835a8ffe91b9ee9206f630b3172f42e090f4e8d90be620e540f5ef6b
SHA512ade5e3531dfa1a01e6c2a69deb2962cbf619e766da3d6e8e3453f70ff55ccbcbe21381c7b97a53d67e1ca88975f4409b1a42a759e18f806171d29e4c3f250e9f
-
C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exeFilesize
488KB
MD582053649cadec1a338509e46ba776fbd
SHA16d8e479a6dc76d54109bb2e602b8087d55537510
SHA25630468f8b767772214c60a701ecfee11c634516c3e2de146cd07638ea00dd0b6e
SHA512e4b2b219483477a73fec5a207012f77c7167bf7b7f9adcb80ee92f87ddfe592a0d520f2afee531d1cce926ef56da2b065b13630a1cc171f48db8f7987e10897a
-
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exeFilesize
418KB
MD50099a99f5ffb3c3ae78af0084136fab3
SHA10205a065728a9ec1133e8a372b1e3864df776e8c
SHA256919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA5125ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6
-
C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exeFilesize
304KB
MD58510bcf5bc264c70180abe78298e4d5b
SHA12c3a2a85d129b0d750ed146d1d4e4d6274623e28
SHA256096220045877e456edfea1adcd5bf1efd332665ef073c6d1e9474c84ca5433f6
SHA5125ff0a47f9e14e22fc76d41910b2986605376605913173d8ad83d29d85eb79b679459e2723a6ad17bc3c3b8c9b359e2be7348ee1c21fa2e8ceb7cc9220515258d
-
C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exeFilesize
158KB
MD5586f7fecacd49adab650fae36e2db994
SHA135d9fb512a8161ce867812633f0a43b042f9a5e6
SHA256cf88d499c83da613ad5ccd8805822901bdc3a12eb9b15804aeff8c53dc05fc4e
SHA512a44a2c99d18509681505cf70a251baf2558030a8648d9c621acc72fafcb2f744e3ef664dfd0229baf7c78fb72e69f5d644c755ded4060dcafa7f711d70e94772
-
C:\Users\Admin\AppData\Local\Temp\Tmp5762.tmpFilesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ym53w1lx.pk5.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\tmp6B0C.tmpFilesize
46KB
MD58f5942354d3809f865f9767eddf51314
SHA120be11c0d42fc0cef53931ea9152b55082d1a11e
SHA256776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea
SHA512fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218
-
C:\Users\Admin\AppData\Local\Temp\tmp6B4E.tmpFilesize
100KB
MD56d242e9151b8b7460c58d840c0c90ac6
SHA11f75ebb9f99c53bcb9c5060d92e8a82930299216
SHA2561fbfa53be1ed175adae59b6d0342c634fc132205ae2d7c449836db65dabebbcd
SHA512071c41f9d928936a635389b0557ef4e94dc639b53586268f78388ec4b8f3cf72f4a569989819d44639ab54129938e4ffd906c42a55235860f583907cda714e10
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-355664440-2199602304-1223909400-1000\76b53b3ec448f7ccdda2063b15d2bfc3_3c734e9a-b312-446c-8ead-b81d533e01b5Filesize
2KB
MD5330dfb28ecd5831654a1e37f246412b2
SHA1ee15e702f12d2b844ce420a11d4cd3f4ba97cc6c
SHA256e6f1f8050e116057bdd1e83eeae65f085764606b39c9448046c0906d085deb4d
SHA5125abc6b5502f2307478838e393ab4e293c7e73566eea76068b5c9b65538c604a62ce3f2fc1f920bce6df8b06c21e8f80dd45a31acfcfb64bcb912d01994c1d250
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dllFilesize
109KB
MD5726cd06231883a159ec1ce28dd538699
SHA1404897e6a133d255ad5a9c26ac6414d7134285a2
SHA25612fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA5129ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dllFilesize
1.2MB
MD515a42d3e4579da615a384c717ab2109b
SHA122aeedeb2307b1370cdab70d6a6b6d2c13ad2301
SHA2563c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103
SHA5121eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444
-
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dllFilesize
109KB
MD5154c3f1334dd435f562672f2664fea6b
SHA151dd25e2ba98b8546de163b8f26e2972a90c2c79
SHA2565f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f
SHA5121bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841
-
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dllFilesize
1.2MB
MD5f35b671fda2603ec30ace10946f11a90
SHA1059ad6b06559d4db581b1879e709f32f80850872
SHA25683e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7
SHA512b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705
-
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exeFilesize
541KB
MD51fc4b9014855e9238a361046cfbf6d66
SHA1c17f18c8246026c9979ab595392a14fe65cc5e9f
SHA256f38c27ecbeed9721f0885d3b2f2f767d60a5d1c0a5c98433357f570987da3e50
SHA5122af234cac24ec4a508693d9affa7f759d4b29bb3c9ddffd9e6350959fd4da26501553399d2b02a8eeae8dace6bfe9b2ce50462ce3c6547497f5b0ea6ed226b12
-
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exeFilesize
304KB
MD5cc90e3326d7b20a33f8037b9aab238e4
SHA1236d173a6ac462d85de4e866439634db3b9eeba3
SHA256bd73ee49a23901f9fb235f8a5b29adc72cc637ad4b62a9760c306900cb1678b7
SHA512b5d197a05a267bf66509b6d976924cd6f5963532a9f9f22d1763701d4fba3dfa971e0058388249409884bc29216fb33a51846562a5650f81d99ce14554861521
-
C:\Users\Public\Desktop\Google Chrome.lnkFilesize
2KB
MD5b6b5cafcd706c664afdcff9675b3ef3f
SHA1e7bdfb01be7edd492eafe4c868127670c0bb6d7a
SHA2567088b9ec29db6f9b7b941a9a29351ab454a8bb66a2b5948c7c8a235ae055c25e
SHA5120c4c5f0f988753aaef613d615d38ce64418f3f5af16d6676c90a69e3ee056a87a8ca6e740da461ec4bf13cf52727a42adc8e223ea73ef46628a629305fbffc51
-
C:\Users\Public\Desktop\Microsoft Edge.lnkFilesize
2KB
MD5ad80a4951a5d7e58d69a2894fa5c6c07
SHA1b5e7923cbde7dd0db6cc59baaac0b59c57a432ba
SHA25622ca32a5149308ba55bf1d441656e502c7830b40505256044e88cdb2c9721d72
SHA5122226171f44ca8ddbf3ac12d1f68453092d929b2974df6003be2d8672ab8200ac41773f094495a2549f10915907417d19ae969464350ce18bf6db893d9a01d0e5
-
\??\pipe\crashpad_1596_AWSQWUFEVRWLHGDYMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/516-267-0x0000000005090000-0x0000000005091000-memory.dmpFilesize
4KB
-
memory/516-258-0x00000000006A0000-0x0000000000B59000-memory.dmpFilesize
4.7MB
-
memory/516-260-0x0000000005040000-0x0000000005041000-memory.dmpFilesize
4KB
-
memory/516-259-0x0000000005030000-0x0000000005031000-memory.dmpFilesize
4KB
-
memory/516-261-0x0000000005020000-0x0000000005021000-memory.dmpFilesize
4KB
-
memory/516-263-0x0000000005000000-0x0000000005001000-memory.dmpFilesize
4KB
-
memory/516-262-0x0000000005060000-0x0000000005061000-memory.dmpFilesize
4KB
-
memory/516-264-0x0000000005010000-0x0000000005011000-memory.dmpFilesize
4KB
-
memory/516-268-0x0000000005080000-0x0000000005081000-memory.dmpFilesize
4KB
-
memory/516-257-0x00000000006A0000-0x0000000000B59000-memory.dmpFilesize
4.7MB
-
memory/516-272-0x00000000006A0000-0x0000000000B59000-memory.dmpFilesize
4.7MB
-
memory/548-694-0x00000000000D0000-0x00000000003ED000-memory.dmpFilesize
3.1MB
-
memory/696-356-0x0000000000400000-0x0000000000592000-memory.dmpFilesize
1.6MB
-
memory/2076-438-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB
-
memory/2400-439-0x0000000000DE0000-0x0000000001299000-memory.dmpFilesize
4.7MB
-
memory/2400-581-0x0000000000DE0000-0x0000000001299000-memory.dmpFilesize
4.7MB
-
memory/2400-654-0x0000000000DE0000-0x0000000001299000-memory.dmpFilesize
4.7MB
-
memory/2400-670-0x0000000000DE0000-0x0000000001299000-memory.dmpFilesize
4.7MB
-
memory/2400-675-0x0000000000DE0000-0x0000000001299000-memory.dmpFilesize
4.7MB
-
memory/2400-681-0x0000000000DE0000-0x0000000001299000-memory.dmpFilesize
4.7MB
-
memory/2400-697-0x0000000000DE0000-0x0000000001299000-memory.dmpFilesize
4.7MB
-
memory/2400-701-0x0000000000DE0000-0x0000000001299000-memory.dmpFilesize
4.7MB
-
memory/2472-6-0x0000000004CE0000-0x0000000004CE1000-memory.dmpFilesize
4KB
-
memory/2472-21-0x0000000000A80000-0x0000000000D9D000-memory.dmpFilesize
3.1MB
-
memory/2472-0-0x0000000000A80000-0x0000000000D9D000-memory.dmpFilesize
3.1MB
-
memory/2472-1-0x0000000077D74000-0x0000000077D76000-memory.dmpFilesize
8KB
-
memory/2472-2-0x0000000000A80000-0x0000000000D9D000-memory.dmpFilesize
3.1MB
-
memory/2472-3-0x0000000004CB0000-0x0000000004CB1000-memory.dmpFilesize
4KB
-
memory/2472-8-0x0000000004C90000-0x0000000004C91000-memory.dmpFilesize
4KB
-
memory/2472-7-0x0000000004C80000-0x0000000004C81000-memory.dmpFilesize
4KB
-
memory/2472-5-0x0000000004CA0000-0x0000000004CA1000-memory.dmpFilesize
4KB
-
memory/2472-4-0x0000000004CC0000-0x0000000004CC1000-memory.dmpFilesize
4KB
-
memory/2472-9-0x0000000004D00000-0x0000000004D01000-memory.dmpFilesize
4KB
-
memory/3440-611-0x0000000000400000-0x000000000063B000-memory.dmpFilesize
2.2MB
-
memory/3440-607-0x0000000000400000-0x000000000063B000-memory.dmpFilesize
2.2MB
-
memory/3956-39-0x0000000005330000-0x0000000005331000-memory.dmpFilesize
4KB
-
memory/3956-36-0x0000000005360000-0x0000000005361000-memory.dmpFilesize
4KB
-
memory/3956-34-0x00000000000D0000-0x00000000003ED000-memory.dmpFilesize
3.1MB
-
memory/3956-38-0x00000000053A0000-0x00000000053A1000-memory.dmpFilesize
4KB
-
memory/3956-42-0x0000000005390000-0x0000000005391000-memory.dmpFilesize
4KB
-
memory/3956-40-0x0000000005350000-0x0000000005351000-memory.dmpFilesize
4KB
-
memory/3956-37-0x0000000005370000-0x0000000005371000-memory.dmpFilesize
4KB
-
memory/3956-43-0x00000000000D0000-0x00000000003ED000-memory.dmpFilesize
3.1MB
-
memory/3956-35-0x00000000000D0000-0x00000000003ED000-memory.dmpFilesize
3.1MB
-
memory/3956-41-0x0000000005340000-0x0000000005341000-memory.dmpFilesize
4KB
-
memory/4416-199-0x00007FFF9C9A0000-0x00007FFF9D461000-memory.dmpFilesize
10.8MB
-
memory/4416-210-0x00007FFF9C9A0000-0x00007FFF9D461000-memory.dmpFilesize
10.8MB
-
memory/4416-201-0x0000029A39BA0000-0x0000029A39BB0000-memory.dmpFilesize
64KB
-
memory/4416-200-0x0000029A39BA0000-0x0000029A39BB0000-memory.dmpFilesize
64KB
-
memory/4416-194-0x0000029A53A80000-0x0000029A53AA2000-memory.dmpFilesize
136KB
-
memory/4416-202-0x0000029A39BA0000-0x0000029A39BB0000-memory.dmpFilesize
64KB
-
memory/4416-203-0x0000029A53F90000-0x0000029A53FA2000-memory.dmpFilesize
72KB
-
memory/4416-204-0x0000029A53F70000-0x0000029A53F7A000-memory.dmpFilesize
40KB
-
memory/4876-136-0x00000000000D0000-0x00000000003ED000-memory.dmpFilesize
3.1MB
-
memory/4876-32-0x00000000052E0000-0x00000000052E1000-memory.dmpFilesize
4KB
-
memory/4876-217-0x00000000000D0000-0x00000000003ED000-memory.dmpFilesize
3.1MB
-
memory/4876-699-0x00000000000D0000-0x00000000003ED000-memory.dmpFilesize
3.1MB
-
memory/4876-274-0x00000000000D0000-0x00000000003ED000-memory.dmpFilesize
3.1MB
-
memory/4876-31-0x00000000052F0000-0x00000000052F1000-memory.dmpFilesize
4KB
-
memory/4876-696-0x00000000000D0000-0x00000000003ED000-memory.dmpFilesize
3.1MB
-
memory/4876-30-0x00000000052C0000-0x00000000052C1000-memory.dmpFilesize
4KB
-
memory/4876-579-0x00000000000D0000-0x00000000003ED000-memory.dmpFilesize
3.1MB
-
memory/4876-653-0x00000000000D0000-0x00000000003ED000-memory.dmpFilesize
3.1MB
-
memory/4876-29-0x0000000005270000-0x0000000005271000-memory.dmpFilesize
4KB
-
memory/4876-115-0x00000000000D0000-0x00000000003ED000-memory.dmpFilesize
3.1MB
-
memory/4876-28-0x0000000005260000-0x0000000005261000-memory.dmpFilesize
4KB
-
memory/4876-27-0x00000000052D0000-0x00000000052D1000-memory.dmpFilesize
4KB
-
memory/4876-391-0x00000000000D0000-0x00000000003ED000-memory.dmpFilesize
3.1MB
-
memory/4876-25-0x00000000052A0000-0x00000000052A1000-memory.dmpFilesize
4KB
-
memory/4876-26-0x0000000005280000-0x0000000005281000-memory.dmpFilesize
4KB
-
memory/4876-680-0x00000000000D0000-0x00000000003ED000-memory.dmpFilesize
3.1MB
-
memory/4876-116-0x00000000000D0000-0x00000000003ED000-memory.dmpFilesize
3.1MB
-
memory/4876-24-0x0000000005290000-0x0000000005291000-memory.dmpFilesize
4KB
-
memory/4876-23-0x00000000000D0000-0x00000000003ED000-memory.dmpFilesize
3.1MB
-
memory/4876-22-0x00000000000D0000-0x00000000003ED000-memory.dmpFilesize
3.1MB
-
memory/4876-168-0x00000000000D0000-0x00000000003ED000-memory.dmpFilesize
3.1MB
-
memory/4876-266-0x00000000000D0000-0x00000000003ED000-memory.dmpFilesize
3.1MB
-
memory/4876-674-0x00000000000D0000-0x00000000003ED000-memory.dmpFilesize
3.1MB
-
memory/4876-669-0x00000000000D0000-0x00000000003ED000-memory.dmpFilesize
3.1MB
-
memory/4876-231-0x00000000000D0000-0x00000000003ED000-memory.dmpFilesize
3.1MB
-
memory/5280-326-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/5280-323-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/5296-296-0x00000000000D0000-0x00000000003ED000-memory.dmpFilesize
3.1MB
-
memory/5808-137-0x0000000005160000-0x0000000005161000-memory.dmpFilesize
4KB
-
memory/5808-148-0x0000000005200000-0x0000000005202000-memory.dmpFilesize
8KB
-
memory/5808-142-0x00000000051D0000-0x00000000051D1000-memory.dmpFilesize
4KB
-
memory/5808-615-0x00000000004C0000-0x0000000000AA3000-memory.dmpFilesize
5.9MB
-
memory/5808-145-0x00000000051E0000-0x00000000051E1000-memory.dmpFilesize
4KB
-
memory/5808-232-0x00000000004C0000-0x0000000000AA3000-memory.dmpFilesize
5.9MB
-
memory/5808-184-0x00000000004C0000-0x0000000000AA3000-memory.dmpFilesize
5.9MB
-
memory/5808-143-0x00000000051F0000-0x00000000051F1000-memory.dmpFilesize
4KB
-
memory/5808-211-0x00000000004C0000-0x0000000000AA3000-memory.dmpFilesize
5.9MB
-
memory/5808-656-0x00000000004C0000-0x0000000000AA3000-memory.dmpFilesize
5.9MB
-
memory/5808-528-0x00000000004C0000-0x0000000000AA3000-memory.dmpFilesize
5.9MB
-
memory/5808-144-0x0000000005180000-0x0000000005181000-memory.dmpFilesize
4KB
-
memory/5808-135-0x00000000004C0000-0x0000000000AA3000-memory.dmpFilesize
5.9MB
-
memory/5808-672-0x00000000004C0000-0x0000000000AA3000-memory.dmpFilesize
5.9MB
-
memory/5808-147-0x0000000005190000-0x0000000005191000-memory.dmpFilesize
4KB
-
memory/5808-146-0x0000000005130000-0x0000000005131000-memory.dmpFilesize
4KB
-
memory/5808-676-0x00000000004C0000-0x0000000000AA3000-memory.dmpFilesize
5.9MB
-
memory/5808-138-0x00000000051C0000-0x00000000051C1000-memory.dmpFilesize
4KB
-
memory/5808-139-0x0000000005150000-0x0000000005151000-memory.dmpFilesize
4KB
-
memory/5808-140-0x0000000005140000-0x0000000005141000-memory.dmpFilesize
4KB
-
memory/5808-695-0x00000000004C0000-0x0000000000AA3000-memory.dmpFilesize
5.9MB
-
memory/5808-297-0x00000000004C0000-0x0000000000AA3000-memory.dmpFilesize
5.9MB
-
memory/5808-220-0x00000000004C0000-0x0000000000AA3000-memory.dmpFilesize
5.9MB
-
memory/5808-698-0x00000000004C0000-0x0000000000AA3000-memory.dmpFilesize
5.9MB
-
memory/5808-273-0x00000000004C0000-0x0000000000AA3000-memory.dmpFilesize
5.9MB
-
memory/5808-700-0x00000000004C0000-0x0000000000AA3000-memory.dmpFilesize
5.9MB
-
memory/5808-141-0x00000000051A0000-0x00000000051A1000-memory.dmpFilesize
4KB