Analysis
-
max time kernel
71s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
24-04-2024 19:58
General
-
Target
6b65f53cd057bf1daf25a203f33a65cb15116a413f67a9d1bc78054a48682122.exe
-
Size
1.8MB
-
MD5
a3cb36909081bd86623c079c3efec8bb
-
SHA1
019d1edfde5fc36cfea8b5dbde117e18d6ee7121
-
SHA256
6b65f53cd057bf1daf25a203f33a65cb15116a413f67a9d1bc78054a48682122
-
SHA512
da1ad2668d9a52859e4dff78ee457419ef9ce6001f8b7ef96ad1b314339abc712aeae67f3e13b7e356d8a6b48860ef3df8965858566fc079b617ddf7a16530f0
-
SSDEEP
49152:bQXMT4dCdX3+MG7BfdwLhwKj3saZKmCrIP9QJpL:bu49LGv8TzswRMIFQJpL
Malware Config
Extracted
amadey
4.17
http://193.233.132.167
-
install_dir
4d0ab15804
-
install_file
chrosha.exe
-
strings_key
1a9519d7b465e1f4880fa09a6162d768
-
url_paths
/enigma/index.php
Extracted
redline
@CLOUDYTTEAM
185.172.128.33:8970
Extracted
stealc
http://52.143.157.84
-
url_path
/c73eed764cc59dcb.php
Extracted
lumma
https://affordcharmcropwo.shop/api
https://cleartotalfisherwo.shop/api
https://worryfillvolcawoi.shop/api
https://enthusiasimtitleow.shop/api
https://dismissalcylinderhostw.shop/api
https://diskretainvigorousiw.shop/api
https://communicationgenerwo.shop/api
https://pillowbrocccolipe.shop/api
https://productivelookewr.shop/api
https://tolerateilusidjukl.shop/api
https://shatterbreathepsw.shop/api
https://shortsvelventysjo.shop/api
https://incredibleextedwj.shop/api
https://alcojoldwograpciw.shop/api
https://liabilitynighstjsko.shop/api
https://demonstationfukewko.shop/api
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect ZGRat V1 4 IoCs
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 11 IoCs
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 3 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 9 IoCs
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 3 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 5 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6b65f53cd057bf1daf25a203f33a65cb15116a413f67a9d1bc78054a48682122.exe"C:\Users\Admin\AppData\Local\Temp\6b65f53cd057bf1daf25a203f33a65cb15116a413f67a9d1bc78054a48682122.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exeC:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 8523⤵
- Program crash
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\288054676187_Desktop.zip' -CompressionLevel Optimal4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main2⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"4⤵
- Executes dropped EXE
- Modifies system certificate store
-
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 440 -s 3363⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 3723⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\1000223001\ISetup8.exe"C:\Users\Admin\AppData\Local\Temp\1000223001\ISetup8.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\usc.0.exe"C:\Users\Admin\AppData\Local\Temp\usc.0.exe"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 12925⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\usc.2\run.exe"C:\Users\Admin\AppData\Local\Temp\usc.2\run.exe"4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe5⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe6⤵
-
C:\Users\Admin\AppData\Local\Temp\1000224001\toolspub1.exe"C:\Users\Admin\AppData\Local\Temp\1000224001\toolspub1.exe"3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 3564⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe"C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe"3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
-
C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe"C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe"4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll6⤵
-
C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe"C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe"C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe" -Force3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"3⤵
-
C:\Users\Admin\Pictures\VcgzGuPXLyqK9YGoc0pt2IF8.exe"C:\Users\Admin\Pictures\VcgzGuPXLyqK9YGoc0pt2IF8.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\u41c.0.exe"C:\Users\Admin\AppData\Local\Temp\u41c.0.exe"5⤵
-
C:\Users\Admin\Pictures\sdPVER9GMbrkkKNVFRX7Z8gd.exe"C:\Users\Admin\Pictures\sdPVER9GMbrkkKNVFRX7Z8gd.exe"4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
-
C:\Users\Admin\Pictures\sdPVER9GMbrkkKNVFRX7Z8gd.exe"C:\Users\Admin\Pictures\sdPVER9GMbrkkKNVFRX7Z8gd.exe"5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"6⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes7⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
-
C:\Users\Admin\Pictures\JSZbBTLy2okY4IPxuCteHtbO.exe"C:\Users\Admin\Pictures\JSZbBTLy2okY4IPxuCteHtbO.exe"4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
-
C:\Users\Admin\Pictures\JSZbBTLy2okY4IPxuCteHtbO.exe"C:\Users\Admin\Pictures\JSZbBTLy2okY4IPxuCteHtbO.exe"5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"6⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes7⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2676 -ip 26761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 440 -ip 4401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 748 -ip 7481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1284 -ip 12841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2824 -ip 28241⤵
-
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
Virtualization/Sandbox Evasion
2Impair Defenses
1Disable or Modify System Firewall
1Subvert Trust Controls
1Install Root Certificate
1Modify Registry
1Credential Access
Unsecured Credentials
4Credentials In Files
3Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5fe3aab3ae544a134b68e881b82b70169
SHA1926e9b4e527ae1bd9b3b25726e1f59d5a34d36a6
SHA256bda499e3f69d8fe0227e734bbb935dc5bf0050d37adf03bc41356dfcb5bcca0b
SHA5123fbd3499d98280b6c79c67b0ee183b27692dbc31acf103b4f8ca4dcdf392afff2b3aad500037f4288581ed37e85f45c3bbb5dcde11cddf3ef0609f44b2ecb280
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5a1f9eb583f190711f629ca8d6218210f
SHA112c12629b6e9cb75b502de7f777a16445688dfd0
SHA25635a339a481c7acee4c333214d2ff3dc0bbd91ef37deddcda31d2ca7bedde2027
SHA512a5d3bcc77471cdf6a47a4915795ada7fdc0ea1726a10fcf9eaff110e7ba69d237b13d6a58555890757873d4834b2f4ddea6c8ab481ad1eb0de06a30892549235
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD541cfa0dbedc4b85eac1785481bc39187
SHA12c8c43f1bc99d1515e4820a79a30ee7d1b7b2700
SHA256262c1e14412634000ea6f3c88d0986ee759ce9cde2c4f030e5d2cc79a3e3abf0
SHA512f5a6374574b70c77f0bb12ab7efd523d6e420532390b58a045a55d54e11f6dc2a1ff4ceba4575b0db6d8b78162300e64534a54f53cc3a9280a5594f1bd97f66b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5baa7aea69f1fc6de5c6744a3de244d9c
SHA17ac32cd8e4afa29cbb6c04bb8727735c29ebadc5
SHA256adb474e336b151cf28ead952e8248f9ec8daf30aadc78e716822d9c27f6dde69
SHA5124927c72a9d778a8343f812714356150069349e39937f2e32c62f19ffee226b94eada91756f07f96e22472252f20185177038b3e1e1dd7b8920d676e4e2198f0c
-
C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exeFilesize
321KB
MD51c7d0f34bb1d85b5d2c01367cc8f62ef
SHA133aedadb5361f1646cffd68791d72ba5f1424114
SHA256e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c
SHA51253bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d
-
C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exeFilesize
2.7MB
MD531841361be1f3dc6c2ce7756b490bf0f
SHA1ff2506641a401ac999f5870769f50b7326f7e4eb
SHA256222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee
SHA51253d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019
-
C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exeFilesize
460KB
MD5b22521fb370921bb5d69bf8deecce59e
SHA13d4486b206e8aaac14a3cf201c5ac152a2a7d4ea
SHA256b30d10e292f89f4d288839974f71f6b703d6d9a9ae698ea172a2b64364e77158
SHA5121f7d64ba5266314ed18f577f0984706c21f4f48e8cdb069130e4435c2bcdf219f8dd27e4d3bf3a373f4db4c01e30efe8d7f4d87f4d8cbbbeaf9c7043f685994c
-
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exeFilesize
418KB
MD50099a99f5ffb3c3ae78af0084136fab3
SHA10205a065728a9ec1133e8a372b1e3864df776e8c
SHA256919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA5125ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6
-
C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exeFilesize
304KB
MD58510bcf5bc264c70180abe78298e4d5b
SHA12c3a2a85d129b0d750ed146d1d4e4d6274623e28
SHA256096220045877e456edfea1adcd5bf1efd332665ef073c6d1e9474c84ca5433f6
SHA5125ff0a47f9e14e22fc76d41910b2986605376605913173d8ad83d29d85eb79b679459e2723a6ad17bc3c3b8c9b359e2be7348ee1c21fa2e8ceb7cc9220515258d
-
C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exeFilesize
158KB
MD5586f7fecacd49adab650fae36e2db994
SHA135d9fb512a8161ce867812633f0a43b042f9a5e6
SHA256cf88d499c83da613ad5ccd8805822901bdc3a12eb9b15804aeff8c53dc05fc4e
SHA512a44a2c99d18509681505cf70a251baf2558030a8648d9c621acc72fafcb2f744e3ef664dfd0229baf7c78fb72e69f5d644c755ded4060dcafa7f711d70e94772
-
C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exeFilesize
768KB
MD596b291b8b678331caaa8910e6c5b5676
SHA1d5411828c36192751915493d99404dd84b7cd188
SHA25627b3a4cb988e416a260c7287b59fc72cd4d7cb4b94f25daa01daab2ea192da2b
SHA51221d4fbc3060a202f873a3d23f5956409070f5acb64d423070e97b1f909897619e6cf3be90b1574552494a7ce1ac12d4139e3626cd737ab1fffdde321cd30924e
-
C:\Users\Admin\AppData\Local\Temp\1000223001\ISetup8.exeFilesize
413KB
MD5461e619436f4b328d77434ccdad9e0ff
SHA1bde2eb7c03b7bee0eba6f7cb4242b57e9b444357
SHA2563e570a6ae430477ac8e91f06800255944007f2e731c8de037cd95d718357919e
SHA5126ed8b3938cb5b2233f75c1b31cbca7c1f818d772b26640352787e9f521c949530a52855c88b41a2ce5ca12447deba265e38c69e2f850ced8a2eae0aa54d99f4f
-
C:\Users\Admin\AppData\Local\Temp\1000224001\toolspub1.exeFilesize
263KB
MD5f572d2cf74a7897bebb459dc08a45411
SHA19a6bc0b9670cf1e5ea21876c1a71bafdec32017f
SHA2563460da28a0587dedb4be574e4b26f25c807d42816562e2abdf61a34c1ac68b37
SHA512d75df9d31d36776841854c3708727219380cd8731d0669fd18be634047b7526299bd5e5fa561385e7dce458edee417f08ed779b3a590dc9a71450f6ef3557a33
-
C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exeFilesize
4.2MB
MD5ee81fb2e4ba5c54ef344bbdeff67dc76
SHA135e4f524ac166d5c2959da6d92b5a13672fb60ca
SHA2561066cfec83931d377bb2e84337221fa4ac47222d2e7ce8d0e0fec6532f373cda
SHA512f0b6c6eade99ed3d60621ac0acb9d0ae15f933986856f090a6e9f7327132545f840f159c5101f38e7cab0acf577969d27536f319e90e9666a90533d10537d9d6
-
C:\Users\Admin\AppData\Local\Temp\178fece4Filesize
1.4MB
MD5f159d5f9e5dfae710d48c76fad864c55
SHA17f45d75ab6527ab07ec50919dfd8f5baf1382cf1
SHA2562fb1847ccb5d4f11e785cbf5a6afeb8ce70a10633f02c1bacf188d622be5b019
SHA51286b49989c2825ba87fb13ad99088a6e09b9f0ec98dbea8d4d0454bede1ef5cd921953beeb85e56fe6229e616837996f91cb70c2e3a07b06880e8d8a1b53ebf3a
-
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exeFilesize
1.8MB
MD5a3cb36909081bd86623c079c3efec8bb
SHA1019d1edfde5fc36cfea8b5dbde117e18d6ee7121
SHA2566b65f53cd057bf1daf25a203f33a65cb15116a413f67a9d1bc78054a48682122
SHA512da1ad2668d9a52859e4dff78ee457419ef9ce6001f8b7ef96ad1b314339abc712aeae67f3e13b7e356d8a6b48860ef3df8965858566fc079b617ddf7a16530f0
-
C:\Users\Admin\AppData\Local\Temp\Tmp28FF.tmpFilesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tv2r1frr.iuz.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\tmp78E1.tmpFilesize
20KB
MD542c395b8db48b6ce3d34c301d1eba9d5
SHA1b7cfa3de344814bec105391663c0df4a74310996
SHA2565644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d
SHA5127b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845
-
C:\Users\Admin\AppData\Local\Temp\tmp79B0.tmpFilesize
20KB
MD549693267e0adbcd119f9f5e02adf3a80
SHA13ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2
-
C:\Users\Admin\AppData\Local\Temp\usc.0.exeFilesize
268KB
MD50a6450672c527604f9953052a9d66866
SHA1ee4fddc18dc3f61336046cd391b6b18d1c1cbd5f
SHA2564919ecf5a798b9c55dc976178e1440eb6477238f5cb467e7964b5cb5bce298e8
SHA512fefec79e1a688bc391443fc0deb0ef6e6f50d5440d3419b7ec2de0d2d9074ad221f46d76d0aa4cddffb0760338e175fe0492fc743ed25bb3cac008798feeb29b
-
C:\Users\Admin\AppData\Local\Temp\usc.1.zipFilesize
3.7MB
MD578d3ca6355c93c72b494bb6a498bf639
SHA12fa4e5df74bfe75c207c881a1b0d3bc1c62c8b0e
SHA256a1dd547a63b256aa6a16871ed03f8b025226f7617e67b8817a08444df077b001
SHA5121b2df7bee2514aee7efd3579f5dd33c76b40606d07dba69a34c45747662fad61174db4931bca02b058830107959205e889fee74f8ccc9f6e03f9fd111761f4ea
-
C:\Users\Admin\AppData\Local\Temp\usc.2\UIxMarketPlugin.dllFilesize
1.6MB
MD5d1ba9412e78bfc98074c5d724a1a87d6
SHA10572f98d78fb0b366b5a086c2a74cc68b771d368
SHA256cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15
SHA5128765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f
-
C:\Users\Admin\AppData\Local\Temp\usc.2\bunch.datFilesize
1.3MB
MD51e8237d3028ab52821d69099e0954f97
SHA130a6ae353adda0c471c6ed5b7a2458b07185abf2
SHA2569387488f9d338e211be2cb45109bf590a5070180bc0d4a703f70d3cb3c4e1742
SHA512a6406d7c18694ee014d59df581f1f76e980b68e3361ae680dc979606a423eba48d35e37f143154dd97fe5f066baf0ea51a2e9f8bc822d593e1cba70ead6559f3
-
C:\Users\Admin\AppData\Local\Temp\usc.2\relay.dllFilesize
1.5MB
MD510d51becd0bbce0fab147ff9658c565e
SHA14689a18112ff876d3c066bc8c14a08fd6b7b7a4a
SHA2567b2db9c88f60ed6dd24b1dec321a304564780fdb191a96ec35c051856128f1ed
SHA51229faf493bb28f7842c905adc5312f31741effb09f841059b53d73b22aea2c4d41d73db10bbf37703d6aeb936ffacbc756a3cc85ba3c0b6a6863ef4d27fefcd29
-
C:\Users\Admin\AppData\Local\Temp\usc.2\run.exeFilesize
2.4MB
MD59fb4770ced09aae3b437c1c6eb6d7334
SHA1fe54b31b0db8665aa5b22bed147e8295afc88a03
SHA256a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3
SHA512140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256
-
C:\Users\Admin\AppData\Local\Temp\usc.2\whale.dbfFilesize
85KB
MD5a723bf46048e0bfb15b8d77d7a648c3e
SHA18952d3c34e9341e4425571e10f22b782695bb915
SHA256b440170853bdb43b66497f701aee2901080326975140b095a1669cb9dee13422
SHA512ca8ea2f7f3c7af21b5673a0a3f2611b6580a7ed02efa2cfd8b343eb644ff09682bde43b25ef7aab68530d5ce31dcbd252c382dd336ecb610d4c4ebde78347273
-
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dllFilesize
109KB
MD5154c3f1334dd435f562672f2664fea6b
SHA151dd25e2ba98b8546de163b8f26e2972a90c2c79
SHA2565f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f
SHA5121bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841
-
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dllFilesize
1.2MB
MD5f35b671fda2603ec30ace10946f11a90
SHA1059ad6b06559d4db581b1879e709f32f80850872
SHA25683e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7
SHA512b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705
-
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exeFilesize
304KB
MD50c582da789c91878ab2f1b12d7461496
SHA1238bd2408f484dd13113889792d6e46d6b41c5ba
SHA256a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67
SHA512a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a
-
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exeFilesize
750KB
MD520ae0bb07ba77cb3748aa63b6eb51afb
SHA187c468dc8f3d90a63833d36e4c900fa88d505c6d
SHA256daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d
SHA512db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2
-
C:\Users\Admin\Desktop\Microsoft Edge.lnkFilesize
2KB
MD5cd7d6bffccf9de2857208ad7cb5033a7
SHA1d328cde3f0b10043c3a5bf824e6b465124ab66fa
SHA2567c332c27d3432b1a65d2b063027ee4b6897d377258318cdffe6c613e6d3afa0a
SHA512e83e264c917954019ac3644a3f02baf888dea0cae785303724599b73b616f479682a1421acccd8cfc3c88bdc5c35b4f33f84faa7fb5c63f58d3e501a5649a5a9
-
C:\Users\Admin\Pictures\Bz5z6ciFkS9eebaslsLLWx3M.exeFilesize
7KB
MD55b423612b36cde7f2745455c5dd82577
SHA10187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c
-
C:\Users\Admin\Pictures\VcgzGuPXLyqK9YGoc0pt2IF8.exeFilesize
413KB
MD5dece996fefcab2b290082da54942bca0
SHA111b6e3c3fd887964b970952fb5cb3cf10862c1be
SHA25656e4460f9caf322c4bdbf55a900a89e2e68c960f9d305052b5912784b14a59ea
SHA512f77f0ee63e954e8f2f61f02b355025584a3764eacb432b593a11b2ffba51a57cc353eec29c2c2dcccdb9dc348e5c99b197d4b23ea0b6fa5a7c9e9d89e18e9fe9
-
C:\Users\Admin\Pictures\sdPVER9GMbrkkKNVFRX7Z8gd.exeFilesize
4.1MB
MD5f4d30c56518b26ef3165d85732b2fdcb
SHA11eb500d6db8accc1e1015b26e4635a5f2e41fda9
SHA256608dbddbc9be14c5ad1b6e7e444d070a74e00c94e594778e2f52ca50d3a1a4f0
SHA5127a42e1f00f3d0fd9f9f84dcfee7c3a7c363d0927d1777a04dd49f365182039879c501e9527cb2c56b7160fd78cb58db5c7346626e674b5534ce861a594f3ea97
-
C:\Users\Public\Desktop\Google Chrome.lnkFilesize
2KB
MD5b3026d9d4531ff05b668e1701b49a377
SHA10b6b2f0510d639aca3ed2f0f21f40a8cec31d176
SHA256968fe9ec4b781e23e96f79d7f117f36a6820935ff867fa62804211fdaa9a99c1
SHA512944dea13c76d40bc75c8614c7309ccb2185729798f0b857d642fd674c169d0cb1078441962d63d354ee368249f3d1c1b8d04ed4416242ca917834f9577a5bec5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD558694ca44b03a0db50f162047d5dfabb
SHA1361ad85c6cd2cb5dd73cd377ebf2df1cc489af00
SHA256012d1f6756ca5b11dc48cd1757e4d6c16b0ca1792746a8237a9e906225406407
SHA512729fa0d61239fa231627843d0ab2829b292618d2f6a07f5b50a9fc1e4598238f70362c7dec187e3a3fc35c6b49a451fb1bfa88bc3c2baa26824b4b2573eb321f
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5024092626c8d95e887ef20138e3dd597
SHA1316c8ee8bc2a8fcb6cb181d9188abf2c64dc5353
SHA2569a05a95aac2803b6d70451cd799628f4974b98946739f17541f7a9ad1f842cdc
SHA5121012579f54b3ac822f2de25aa5ed7012647f887503f39737d7b62355ad9c45d8fb40b37e9e9ace3b0c257e7dd2f227c4525aba3a41367b7d23c3c446b9c5a20f
-
memory/440-100-0x00007FFD06630000-0x00007FFD070F1000-memory.dmpFilesize
10.8MB
-
memory/440-131-0x0000000000630000-0x00000000008E8000-memory.dmpFilesize
2.7MB
-
memory/440-84-0x000001C6092E0000-0x000001C609302000-memory.dmpFilesize
136KB
-
memory/440-91-0x000001C608E40000-0x000001C608E50000-memory.dmpFilesize
64KB
-
memory/440-90-0x000001C608E40000-0x000001C608E50000-memory.dmpFilesize
64KB
-
memory/440-89-0x00007FFD06630000-0x00007FFD070F1000-memory.dmpFilesize
10.8MB
-
memory/440-92-0x000001C608E40000-0x000001C608E50000-memory.dmpFilesize
64KB
-
memory/440-93-0x000001C621A70000-0x000001C621A82000-memory.dmpFilesize
72KB
-
memory/440-94-0x000001C6215C0000-0x000001C6215CA000-memory.dmpFilesize
40KB
-
memory/1020-390-0x0000000000400000-0x0000000004058000-memory.dmpFilesize
60.3MB
-
memory/1020-799-0x0000000000400000-0x0000000004058000-memory.dmpFilesize
60.3MB
-
memory/1284-285-0x0000000000400000-0x0000000004033000-memory.dmpFilesize
60.2MB
-
memory/1344-65-0x0000000000150000-0x0000000000609000-memory.dmpFilesize
4.7MB
-
memory/1344-25-0x00000000051F0000-0x00000000051F1000-memory.dmpFilesize
4KB
-
memory/1344-48-0x0000000000150000-0x0000000000609000-memory.dmpFilesize
4.7MB
-
memory/1344-101-0x0000000000150000-0x0000000000609000-memory.dmpFilesize
4.7MB
-
memory/1344-27-0x0000000005270000-0x0000000005271000-memory.dmpFilesize
4KB
-
memory/1344-28-0x0000000005260000-0x0000000005261000-memory.dmpFilesize
4KB
-
memory/1344-66-0x0000000000150000-0x0000000000609000-memory.dmpFilesize
4.7MB
-
memory/1344-1027-0x0000000000150000-0x0000000000609000-memory.dmpFilesize
4.7MB
-
memory/1344-326-0x0000000000150000-0x0000000000609000-memory.dmpFilesize
4.7MB
-
memory/1344-930-0x0000000000150000-0x0000000000609000-memory.dmpFilesize
4.7MB
-
memory/1344-24-0x0000000005250000-0x0000000005251000-memory.dmpFilesize
4KB
-
memory/1344-859-0x0000000000150000-0x0000000000609000-memory.dmpFilesize
4.7MB
-
memory/1344-423-0x0000000000150000-0x0000000000609000-memory.dmpFilesize
4.7MB
-
memory/1344-26-0x0000000005200000-0x0000000005201000-memory.dmpFilesize
4KB
-
memory/1344-554-0x0000000000150000-0x0000000000609000-memory.dmpFilesize
4.7MB
-
memory/1344-163-0x0000000000150000-0x0000000000609000-memory.dmpFilesize
4.7MB
-
memory/1344-64-0x0000000000150000-0x0000000000609000-memory.dmpFilesize
4.7MB
-
memory/1344-23-0x0000000005210000-0x0000000005211000-memory.dmpFilesize
4KB
-
memory/1344-221-0x0000000000150000-0x0000000000609000-memory.dmpFilesize
4.7MB
-
memory/1344-22-0x0000000005230000-0x0000000005231000-memory.dmpFilesize
4KB
-
memory/1344-113-0x0000000000150000-0x0000000000609000-memory.dmpFilesize
4.7MB
-
memory/1344-767-0x0000000000150000-0x0000000000609000-memory.dmpFilesize
4.7MB
-
memory/1344-21-0x0000000005220000-0x0000000005221000-memory.dmpFilesize
4KB
-
memory/1344-20-0x0000000000150000-0x0000000000609000-memory.dmpFilesize
4.7MB
-
memory/1344-19-0x0000000000150000-0x0000000000609000-memory.dmpFilesize
4.7MB
-
memory/1996-734-0x000000006B240000-0x000000006B3BB000-memory.dmpFilesize
1.5MB
-
memory/1996-735-0x00007FFD26E90000-0x00007FFD27085000-memory.dmpFilesize
2.0MB
-
memory/1996-796-0x000000006B240000-0x000000006B3BB000-memory.dmpFilesize
1.5MB
-
memory/2276-783-0x0000000000400000-0x0000000004416000-memory.dmpFilesize
64.1MB
-
memory/2464-779-0x0000000000400000-0x0000000004416000-memory.dmpFilesize
64.1MB
-
memory/2648-953-0x0000000000400000-0x0000000004416000-memory.dmpFilesize
64.1MB
-
memory/2648-877-0x0000000000400000-0x0000000004416000-memory.dmpFilesize
64.1MB
-
memory/2676-49-0x0000000000A30000-0x0000000000A82000-memory.dmpFilesize
328KB
-
memory/2676-52-0x0000000073180000-0x0000000073930000-memory.dmpFilesize
7.7MB
-
memory/2676-57-0x00000000030E0000-0x00000000050E0000-memory.dmpFilesize
32.0MB
-
memory/2676-63-0x0000000073180000-0x0000000073930000-memory.dmpFilesize
7.7MB
-
memory/2824-301-0x0000000000400000-0x0000000004035000-memory.dmpFilesize
60.2MB
-
memory/2912-162-0x00007FFD06600000-0x00007FFD070C1000-memory.dmpFilesize
10.8MB
-
memory/2912-161-0x0000000000120000-0x00000000001E0000-memory.dmpFilesize
768KB
-
memory/2912-179-0x000000001AE50000-0x000000001AE60000-memory.dmpFilesize
64KB
-
memory/2912-194-0x000000001D6D0000-0x000000001D70C000-memory.dmpFilesize
240KB
-
memory/2912-193-0x000000001D670000-0x000000001D682000-memory.dmpFilesize
72KB
-
memory/2912-192-0x000000001D760000-0x000000001D86A000-memory.dmpFilesize
1.0MB
-
memory/2912-191-0x000000001AE50000-0x000000001AE60000-memory.dmpFilesize
64KB
-
memory/3520-135-0x0000000005950000-0x0000000005960000-memory.dmpFilesize
64KB
-
memory/3520-134-0x0000000072E20000-0x00000000735D0000-memory.dmpFilesize
7.7MB
-
memory/3520-130-0x0000000000400000-0x0000000000592000-memory.dmpFilesize
1.6MB
-
memory/3832-395-0x0000000000400000-0x000000000063B000-memory.dmpFilesize
2.2MB
-
memory/3832-399-0x0000000000400000-0x000000000063B000-memory.dmpFilesize
2.2MB
-
memory/4384-6-0x00000000051C0000-0x00000000051C1000-memory.dmpFilesize
4KB
-
memory/4384-4-0x0000000005200000-0x0000000005201000-memory.dmpFilesize
4KB
-
memory/4384-8-0x00000000051D0000-0x00000000051D1000-memory.dmpFilesize
4KB
-
memory/4384-1-0x0000000077574000-0x0000000077576000-memory.dmpFilesize
8KB
-
memory/4384-5-0x0000000005230000-0x0000000005231000-memory.dmpFilesize
4KB
-
memory/4384-9-0x0000000005220000-0x0000000005221000-memory.dmpFilesize
4KB
-
memory/4384-7-0x00000000051E0000-0x00000000051E1000-memory.dmpFilesize
4KB
-
memory/4384-3-0x00000000051F0000-0x00000000051F1000-memory.dmpFilesize
4KB
-
memory/4384-10-0x0000000005250000-0x0000000005251000-memory.dmpFilesize
4KB
-
memory/4384-11-0x0000000005240000-0x0000000005241000-memory.dmpFilesize
4KB
-
memory/4384-16-0x0000000000820000-0x0000000000CD9000-memory.dmpFilesize
4.7MB
-
memory/4384-2-0x0000000000820000-0x0000000000CD9000-memory.dmpFilesize
4.7MB
-
memory/4384-0-0x0000000000820000-0x0000000000CD9000-memory.dmpFilesize
4.7MB
-
memory/4668-929-0x000000006B240000-0x000000006B3BB000-memory.dmpFilesize
1.5MB
-
memory/4668-840-0x00007FFD26E90000-0x00007FFD27085000-memory.dmpFilesize
2.0MB
-
memory/4728-452-0x0000000000400000-0x0000000004418000-memory.dmpFilesize
64.1MB
-
memory/4732-212-0x0000000000400000-0x000000000044E000-memory.dmpFilesize
312KB
-
memory/4732-215-0x0000000000400000-0x000000000044E000-memory.dmpFilesize
312KB
-
memory/4820-62-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/4820-61-0x0000000000FB0000-0x0000000000FE2000-memory.dmpFilesize
200KB
-
memory/4820-60-0x0000000000FB0000-0x0000000000FE2000-memory.dmpFilesize
200KB
-
memory/4820-59-0x0000000000FB0000-0x0000000000FE2000-memory.dmpFilesize
200KB
-
memory/4820-58-0x0000000000FB0000-0x0000000000FE2000-memory.dmpFilesize
200KB
-
memory/4820-56-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/4820-53-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/5040-186-0x0000000007060000-0x0000000007678000-memory.dmpFilesize
6.1MB
-
memory/5040-187-0x0000000006BB0000-0x0000000006CBA000-memory.dmpFilesize
1.0MB
-
memory/5040-164-0x0000000005660000-0x0000000005670000-memory.dmpFilesize
64KB
-
memory/5040-160-0x00000000053B0000-0x00000000053BA000-memory.dmpFilesize
40KB
-
memory/5040-190-0x0000000006CC0000-0x0000000006D0C000-memory.dmpFilesize
304KB
-
memory/5040-156-0x0000000000A80000-0x0000000000AD2000-memory.dmpFilesize
328KB
-
memory/5040-183-0x00000000068E0000-0x00000000068FE000-memory.dmpFilesize
120KB
-
memory/5040-189-0x0000000006B50000-0x0000000006B8C000-memory.dmpFilesize
240KB
-
memory/5040-188-0x0000000006AF0000-0x0000000006B02000-memory.dmpFilesize
72KB
-
memory/5040-158-0x00000000053E0000-0x0000000005472000-memory.dmpFilesize
584KB
-
memory/5040-155-0x0000000072E20000-0x00000000735D0000-memory.dmpFilesize
7.7MB
-
memory/5040-182-0x0000000006020000-0x0000000006096000-memory.dmpFilesize
472KB
-
memory/5040-157-0x00000000058F0000-0x0000000005E94000-memory.dmpFilesize
5.6MB
-
memory/5232-778-0x0000000000400000-0x0000000004058000-memory.dmpFilesize
60.3MB
-
memory/5448-863-0x0000000000400000-0x0000000004418000-memory.dmpFilesize
64.1MB
-
memory/5448-795-0x0000000000400000-0x0000000004418000-memory.dmpFilesize
64.1MB
-
memory/5448-580-0x0000000000400000-0x0000000004418000-memory.dmpFilesize
64.1MB
-
memory/5660-965-0x0000000069E00000-0x000000006B054000-memory.dmpFilesize
18.3MB
-
memory/5692-878-0x0000000000400000-0x0000000004416000-memory.dmpFilesize
64.1MB
-
memory/5692-954-0x0000000000400000-0x0000000004416000-memory.dmpFilesize
64.1MB
-
memory/5728-928-0x0000000000400000-0x0000000004418000-memory.dmpFilesize
64.1MB
-
memory/5808-845-0x0000000000400000-0x0000000004035000-memory.dmpFilesize
60.2MB
-
memory/6000-504-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB