Analysis
-
max time kernel
1246s -
max time network
1244s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
29-05-2024 17:29
General
-
Target
MLClauncher.exe
-
Size
66KB
-
MD5
23e7e5af720dfc90b86294a8a7800c76
-
SHA1
e674bd73e3c9a496c9b5422f43874fcfc9f5510c
-
SHA256
1810fc024d4da8c805bdf76c8152ec68615c33676c4bee025d889de89af3724f
-
SHA512
0bb3731bfd6601b9b903ce93aa3fc493d063d5ddb20b7e2277808205bcde96f5cc7dafc94caf59ec5e7d0b8a44aa6b739cc6f326d29aaa03c3b85c090cab3681
-
SSDEEP
1536:rttwy1I4PKiFM8tBb1L1JmX2npd6KnXOUVBCIu9BE:BBRPXb1L22pDXOUPCpBE
Malware Config
Extracted
xworm
127.0.0.1:2832
20.ip.gl.ply.gg:2832
financial-merchandise.gl.at.ply.gg:64299
<Xwormmm>:1
-
Install_directory
%Temp%
-
install_file
svhost.exe
Signatures
-
Detect Xworm Payload 5 IoCs
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 2 IoCs
-
UAC bypass 3 TTPs 1 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
ModiLoader Second Stage 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
-
Sets file execution options in registry 2 TTPs 4 IoCs
-
ASPack v2.12-2.42 1 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 4 IoCs
-
Executes dropped EXE 16 IoCs
-
Loads dropped DLL 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates system info in registry 2 TTPs 10 IoCs
-
Modifies registry class 20 IoCs
-
Opens file in notepad (likely ransom note) 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 6 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 59 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 57 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 3 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"1⤵
- Checks computer location settings
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MLClauncher.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\bahrwq.exe"C:\Users\Admin\AppData\Local\Temp\bahrwq.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bahrwq.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'bahrwq.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\system_2.0.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system_2.0.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "system_2.0" /tr "C:\Users\Admin\AppData\Local\system_2.0.exe"3⤵
- Creates scheduled task(s)
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://rt.pornohub.com/3⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff13c446f8,0x7fff13c44708,0x7fff13c447184⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,14118072181476811689,14385248689046351375,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:24⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,14118072181476811689,14385248689046351375,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:34⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,14118072181476811689,14385248689046351375,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14118072181476811689,14385248689046351375,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14118072181476811689,14385248689046351375,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,14118072181476811689,14385248689046351375,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,14118072181476811689,14385248689046351375,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:84⤵
-
C:\Users\Admin\AppData\Local\Temp\awtidx.exe"C:\Users\Admin\AppData\Local\Temp\awtidx.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\eymuur.exe"C:\Users\Admin\AppData\Local\Temp\eymuur.exe"3⤵
- Executes dropped EXE
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\yrenvq.txt3⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /delete /f /tn "system_2.0"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5A4B.tmp.bat""3⤵
-
C:\Windows\system32\timeout.exetimeout 34⤵
- Delays execution with timeout.exe
-
C:\Windows\SYSTEM32\CMD.EXE"CMD.EXE"2⤵
-
C:\Users\Admin\AppData\Local\Temp\wbykee.exe"C:\Users\Admin\AppData\Local\Temp\wbykee.exe"2⤵
- UAC bypass
- Sets file execution options in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gqcoap.bat" "2⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mcserv2847.github.io/2⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff13c446f8,0x7fff13c44708,0x7fff13c447183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,10353074252557061236,1210973725353074128,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,10353074252557061236,1210973725353074128,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:33⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,10353074252557061236,1210973725353074128,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,10353074252557061236,1210973725353074128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,10353074252557061236,1210973725353074128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2192,10353074252557061236,1210973725353074128,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5096 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,10353074252557061236,1210973725353074128,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5816 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,10353074252557061236,1210973725353074128,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5816 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,10353074252557061236,1210973725353074128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,10353074252557061236,1210973725353074128,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2464 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,10353074252557061236,1210973725353074128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4192 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,10353074252557061236,1210973725353074128,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,10353074252557061236,1210973725353074128,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5580 /prefetch:23⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\smishno).txt1⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO4ED5C4BD\version.txt2⤵
- Opens file in notepad (likely ransom note)
-
C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO4EDD496E\12⤵
-
C:\Users\Admin\AppData\Local\system_2.0.exeC:\Users\Admin\AppData\Local\system_2.0.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO8012F0DE\.reloc2⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO801E4EFE\.text2⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\system_2.0.exeC:\Users\Admin\AppData\Local\system_2.0.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\system_2.0.exeC:\Users\Admin\AppData\Local\system_2.0.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\system_2.0.exeC:\Users\Admin\AppData\Local\system_2.0.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x404 0x4941⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\system_2.0.exeC:\Users\Admin\AppData\Local\system_2.0.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\system_2.0.exeC:\Users\Admin\AppData\Local\system_2.0.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\system_2.0.exeC:\Users\Admin\AppData\Local\system_2.0.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\system_2.0.exeC:\Users\Admin\AppData\Local\system_2.0.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\system_2.0.exeC:\Users\Admin\AppData\Local\system_2.0.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\system_2.0.exeC:\Users\Admin\AppData\Local\system_2.0.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\system_2.0.exeC:\Users\Admin\AppData\Local\system_2.0.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\system_2.0.exeC:\Users\Admin\AppData\Local\system_2.0.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Scheduled Task/Job
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
5Pre-OS Boot
1Bootkit
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MLClauncher.exe.logFilesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5b2a1398f937474c51a48b347387ee36a
SHA1922a8567f09e68a04233e84e5919043034635949
SHA2562dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6
SHA5124a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD51ac52e2503cc26baee4322f02f5b8d9c
SHA138e0cee911f5f2a24888a64780ffdf6fa72207c8
SHA256f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4
SHA5127670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD54ae558d9a60b658bbaca0fea1f96e6ed
SHA1fc97b01845924cc27c43d658e6f068a1ef17bb31
SHA256f76c65d0fb316e5e0245e4a320a352e85cb97ec168e742e6f95bf7b70cc89a83
SHA512450f406c52a3088e59923fc717222891a7f257b5b5864b4811de23e8ab7b06f9155111662052d5c4a92884a71b6043805190af2e1d1b3572e8507b4ba5851f3b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5f345a055b63637a2070e5d80f4558d10
SHA1ca4d09a1090cf4abe52cbde996f0849113d0a82d
SHA256184d496618ca7cbc36a786ea6bd50eff2f4f7ba1fb18104540ec892665fc311e
SHA51213c8b5cd04aa8fe3ab7d8a85cf77b53e8a2b4f290d2011f4f5b6633bdc10c6c8c1b7ebbc5db49988786f6aa812e5eb95c7fa167d7342b99e04ec9285384cf270
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider CacheFilesize
6B
MD5a9851aa4c3c8af2d1bd8834201b2ba51
SHA1fa95986f7ebfac4aab3b261d3ed0a21b142e91fc
SHA256e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191
SHA51241a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOGFilesize
334B
MD584aacb7c324413f557f298acc4d8ce80
SHA1c54df7429b92498bffef8d98db076b613f1b86c3
SHA2567aa6a4c84eae021d1f92bf00ce8b632da6790eb00fb2617f318e183324e46ef5
SHA5124873ffdf2061dae379345492f3a502e4a38bcfb594d5163943e98ea0f624becbeaeafb522bcf17fa91adb985117291dd8da2ed6a4048d68caad6de94c489f380
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
111B
MD5807419ca9a4734feaf8d8563a003b048
SHA1a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
481B
MD581df2acddd34d388370f2ccb5be835d0
SHA11b843d2452449c5b928fdaf99db49e822ff60183
SHA256c75f0498654c064bf868eab4f853b4d32378f91ea86a6502c1a7bbe58250ba51
SHA5126a3265091ce7932267bc59ca154001ef0b3ca70f20bd7f652cd08152bfebf5df83b2dd0d975847ede36b6316c5719a966aa5df08bbe83913bd1a5a7a744a3cb1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5af24d63f57af4cca885cd144a73688ce
SHA1f00156055937c1e7e283b50b64d93614d8d14e4c
SHA2569b19bcff64e24e039e1f6bdb4f615e835bfa6833b734b83118be55e1ff48457d
SHA512d5f7616734a778f337cb2dbca51c6a4d908f6edd19236fb11c07127a93bf8bcc7f234a4048f1ac77880ebf8146e73581df2be7d16c17f46abd3062ba9f65abad
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD54ace2fc1925b64a7eeaefdd4a2bec185
SHA1c0c77864b6d8bda5d81c1ad4c0b793ab86c45712
SHA256ded181fc63041eb1eb523ba3a72a25ed87eda5e4abda7918c590ab48915bb23b
SHA512149a3902bef88df1b39f8f91b12618505093ced76dd77d3568b64e92c4a14ebbefdd171178b18a60dda0d29dbceb101307c6bc592ba607f9161370661a5ad548
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5b4ef1aa45f55becb98ccc975e1c8c4bc
SHA1add0e7266be13b42bbfd60ca177d715f7f6cff35
SHA256a34c44aa8045d7cf0444325ae86a4d2527036d4f28a02a8c717e522f5392e3ac
SHA512ef4f69d83421cf1bb792090ce1fe3861745d6bc9e185ef9eeabd968fc7cb6ae5f9c0d7799d184f3f6de4b28cc4d72f3623f5847a85adb809be63f4ca737a8c97
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD57808cd08a6f3a79b3c2d632fb5d833bc
SHA133c38fd2d110f16567343d3265364d183770b933
SHA256c6d32a99b8f30de3af988d7c146a8fd216e0a728d825b9711518e08a51a3bbaa
SHA512eaff7eebb35a0ad4a1b84e1f4f029256decf2b629786e83f4638a40ac2c02ba24689d65d8cbc642ed3e70257ce1f81b1309feee7343ba1515400a16204d4fdfb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD599b3a7acb3b7b684b457498a75963ac9
SHA154a36f61b227b93d8cc06996fedca9b7823a274a
SHA256c983451d9e2b5f3e0a32b984da5a3c9bf44d1cb180c788b9e11c20d94ccb0f0e
SHA512e67da2e48b33b30beb31c73eb0330ad2499df0d331dde80661cad6b4d51cacca8f75113496cd508b7984038be2c44e197ed6c365a4e1fd73e4a425dce39b78d7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD585ef39dbb8081a851f4eb5bf072e4906
SHA19c834fd6eccea47f2bda6cc53d19c8dcebd5e2a4
SHA256323d87bf56139c0a5559052c16bf3e098c3503fd78597074b07f6775e1ad95cd
SHA512f0cd9cdf9f8caf2a1ba51411c7f92b59c20869226e9fc44ed37b2c01e3ddfb6057cd5144aedc5af170d732c4fe9a07744e6114585714f2441080e8768b17c4e1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOGFilesize
322B
MD5dc0e9917bacefd0d9ab57a29f5cd5ff6
SHA103b0e53c76d5df32a06ef1afe195f25e12cef191
SHA256b77c748cf5fff6f8fff48facb96e0e840b99a0377cc244c3fd803908685fc3c8
SHA512cfa18b7a5fd5aefd16bd69a49f60513febbb808330485d9dcf0480db6f4a3d9bb2525d16d1150165bd48864c3688aa76a323b22381f1f0bc6529986746cfd550
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13361478154737457Filesize
933B
MD5e5abd9a633579e2c501bbb8413fd4bf7
SHA1c718f03ffc6fe66f01e15b4604fe505d54f64218
SHA25654348574ffca1e1175281966516f540f2cb60376a08ce56cb525106c9025aa3a
SHA51283f5e1904794e949d87baaed117d0231ab4436ff60f5de6115491e0409d05892430e452b230ca938705e509c02a231a211f8cc4cabcd0257f54d8722911d5c0d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOGFilesize
347B
MD5810e764263bad12bd0325efa825fa257
SHA188bbd5096e9d47cb716d65f9224f8b6f2e35d2f4
SHA256bbfc9e78201b96af567a5d780f09ec0f2cf318f5d6c8fddd25cb61c2f153b6b3
SHA5122bbff9696652c33f3932b78830836338319c26d0d3e3a48b01817b883d732b3c63979f9cb28b0bfac0b91f7e14b0feec0008b2dddc9b421d583c468886a1c40c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOGFilesize
326B
MD5f89fda727134d8a08e27b6fae15d18e6
SHA138363be68d9b93002e053b8849b11675b4f690d2
SHA2568b27698d52e78afa943c9a2560f887ebd2eeb5b0fa2c426abe8dc15c47bf33bc
SHA512b4c64896f2d01f2e2d67fdc7c5cb83c2cae2aee5df12416cd25887e52ceb3577729bf52b57b85554e5118fa0b1fec522757988f0dfe3dda62759be1f8746af48
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
372B
MD5d625c5791f2d7c1b553500e8d95b364e
SHA11de4831ee53fd3930efcbbf9ec57fbe8d932aa93
SHA2567c7d3bb0a0fff2c1951e138e728a4d7f98f91d12d1fd45bfebe131daac0f0e94
SHA51255124632a5c59d0e7400c9060c313537a55f124ec10816b96fa28dfbbefa4355f88b126d60db9ed44a81fdc364422d5cf56d528b2bd8989d5b64209f704785ed
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe662a43.TMPFilesize
372B
MD55c13869b7f4bfa476f3b686c40c7d86b
SHA179dffce0d011b3b7c1e909aaeb17927ce205bfd5
SHA256bebbef2cf9b5d8406cbf742d0a6dd1d43a241fd81047c95f69c0070a2f90a2a7
SHA512b8b2b7fa07bc26f42fcae81ce16457b2f2f2693f59d847c58b80092484dd3ddf9a66327606d84136c4c87fea8aeffb5a20e8bc6bf366c00c1f135c7c3c61858e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5aefd77f47fb84fae5ea194496b44c67a
SHA1dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA2564166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.dbFilesize
44KB
MD51fda74b79c3535f27542e8c12f174078
SHA1c7d296adbd4d8dbcceccc705637bce8c28221ca4
SHA256e3b199a00f5ae41c8b8916fa246e71ae03e5e5533213527dec2f02af71364b68
SHA5126f653341a8e880f40f664a8025b3cf4a56aa99c47ce20c7987f352468faf3ada523586c35c41e7fbf39c177f729bfe3c9cb92ca64c6a53e292e2108ebbe6e522
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.logFilesize
594B
MD53fd219ba1603630bdff17a434f9f2f0b
SHA1a798f9defff59ef97501ed3dcb1916324fdac8a7
SHA25629f6ce364240a79e1ec870250462d66adc749e7ddddd2d54092e22e333792278
SHA51207952b691af4f5c422f589c45effdc30147fb450c5b01b4a214859aeadb6a9edf241f36378902efa588f4fc4203f8753de2265e606a2ecb29780248e66270a76
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOGFilesize
340B
MD5587c0f47ae90929bb99811df87e832bb
SHA13a2bb922dace9c1ba78c652bdf729d58c2b9117a
SHA2561e2d4b9ada39ca577b6578b6527633ed823300b12a2593c5b3c06dbb85f24951
SHA512748cd99c8c53570b40039b2c4d2a211fe6564815f93dffbd5869a4de495f8fa18024c969150597c30e482b758636e5573f81f8bf7bfdbbd5ce30e44ca36cfb36
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last VersionFilesize
11B
MD5838a7b32aefb618130392bc7d006aa2e
SHA15159e0f18c9e68f0e75e2239875aa994847b8290
SHA256ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA5129e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD525201bad9843a6ada66469d01fabd781
SHA1942025294d610e2504585cfee62c6f052ffd9c05
SHA25687c6d2770c86cfd7a73917497162fb91087630ec20871a4951b05fc96344e855
SHA5122b7e5f0f9a22129327996739b85a285bf19f5f7d865aee7fcf44b04e4e58c568371c63772fad5dc6bca1c46da0e36d18cfb677bd5641a5fd2355d16d36788b20
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
10KB
MD540c147040ed0a3a2ca5f8ccd94bec848
SHA12529a78e42e5370995b8056714e87ea50aa08993
SHA256ece2b7e3e00ae111a3284a376902742f31c5b51a1d31f81c3bcb33ac7754e684
SHA512d90660e10be815bf8e6987e2eafbe1558357e2d9e324ebfb69de945486260e6501eba282d36c656c6430cc06ec938dadf2dbda2c7a8aad4a2731907c24612407
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD565a68df1062af34622552c4f644a5708
SHA16f6ecf7b4b635abb0b132d95dac2759dc14b50af
SHA256718dc2f5f4a6dbb7fab7f3db05bd7f602fb16526caae7084ab46c3ab4e7bad35
SHA5124e460eb566032942547b58411222dd26ae300a95f83cf5ae6df58ebd28594341123611b348bd4031a33bc7f38307d5cb8fb677bba8c896919e3eee677a104d4d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD565e4f01c24b55569d54d23b8efd0c8d5
SHA12c58f21418af8c0f1e118a7f3cf17d8448a8be64
SHA256c1e9cf9a0865152d180419cb3ebc77538bdbdc9d1e633eb71ad6871fbc4d4763
SHA512afaf0c200caba78650aee46bd62994c5becc073c22cb62404f783b257c78a72061e240b8678c38790b2cec1e41429161b13c6d92cc9817fe70e86abff5af2056
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD583685d101174171875b4a603a6c2a35c
SHA137be24f7c4525e17fa18dbd004186be3a9209017
SHA2560c557845aab1da497bbff0e8fbe65cabf4cb2804b97ba8ae8c695a528af70870
SHA512005a97a8e07b1840abdcef86a7881fd9bdc8acbfdf3eafe1dceb6374060626d81d789e57d87ca4096a39e28d5cca00f8945edff0a747591691ae75873d2b3fb5
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD57d9ecfe610b58440e18d2bffe5167d71
SHA17afeed064042ef5e614228f678a0c595699c3d84
SHA2562c42082be2718281fe2a2bf0136bf417ff214ce7c36bc22a40d23adb1d026632
SHA512017a63c4b81cd256adec796b9258fbae464d32af59cb654a81dd157e02896f50a252c25b6eac07fc6cb44a493b477e7debfaf9999c854dbd3fb34e24ef443c29
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD56f3b96b24f06e2d37a46e43e8b784f56
SHA17be6702c5867f359e913eeeecdd5b76698589295
SHA2568e386afeed28e1d282d9a0294dd2e9402dcb807f7c77aca8426314c20057e720
SHA512d760999531a77a9adf2b4dc019ce3b43ac3a8cad825398b3a09818afe8deaa177d37219a26dd8a432c00c9cff7858efc43cae2375edc996bb0136c92c39c9dfb
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD547605a4dda32c9dff09a9ca441417339
SHA14f68c895c35b0dc36257fc8251e70b968c560b62
SHA256e6254c2bc9846a76a4567ab91b6eae76e937307ff9301b65d577ffe6e15fe40a
SHA512b6823b6e794a2fe3e4c4ecfb3f0d61a54821de7feb4f9e3e7fd463e7fbb5e6848f59865b487dafebeac431e4f4db81ef56836d94cac67da39852c566ed34a885
-
C:\Users\Admin\AppData\Local\Temp\7zO4ED5C4BD\version.txtFilesize
1KB
MD54c5ede9ddf5c90d3b3dd9ff6a136d1be
SHA17635c76666ed69ec1aa2dfb44e17867c393dd123
SHA2568ba25de9b2670be9a304d0e052c3efac49e88a94b1360b30b88ba141dd6655ec
SHA51213cd035135fe9bd46987ef09e2a7a6d55359ef716f17eab56e9330d9d2f8482d7b68a224a77f542489418ad6cf6fe2f5e5cd8d1500292aa13ca2b54596ed0d64
-
C:\Users\Admin\AppData\Local\Temp\7zO4EDD496E\1Filesize
490B
MD5a19a2658ba69030c6ac9d11fd7d7e3c1
SHA1879dcf690e5bf1941b27cf13c8bcf72f8356c650
SHA256c0085eb467d2fc9c9f395047e057183b3cd1503a4087d0db565161c13527a76f
SHA512fa583ba012a80d44e599285eb6a013baf41ffbe72ee8561fc89af0ec5543003ba4165bfe7b1ba79252a1b3b6e5626bf52dc712eacd107c0b093a5a2757284d73
-
C:\Users\Admin\AppData\Local\Temp\7zO8012F0DE\.relocFilesize
512B
MD51deade56951cba0eb9b5db159416d0e9
SHA1c3dc2b227ac2ca4c67e6430a7c663f221d99c474
SHA256d4d6020cce7aaf4bfe89931092e9808590c58de4ac7c31c63b3013b86404bff4
SHA5125decca2b667cf5f87e2b147fbdeabb67649de524372168500b35e97cc1a9ea605e843840dc56a22952549279345fd9dd9c57c90d768c0036751b101d08f2d432
-
C:\Users\Admin\AppData\Local\Temp\7zO801E4EFE\.textFilesize
63KB
MD59ebfe80abf28382ce7eb8c0b383bd48d
SHA13e363375374931fc0dd42735ff79d4f5660af31a
SHA25611c71738af94d2784e26a3fa3621960c9a4ebff6bfc98fb8047730ab902a749f
SHA51254a1cdef38554f3c7899d6e445db9793f034e36462357586502537fe3ca6e08c0fb3be85258be55bfc1654ec4756af606a8f3b7c764321b84b1ee5e7893e8c76
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lq3dkt5a.l1y.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\awtidx.exeFilesize
206KB
MD5362b515ce8b6c1d0e355365a1ca706b7
SHA1340e2350c538ca4911315aee7abebe38d2e8edb8
SHA2564002b8f40aaa94cdcf0373abc1601ddd30a6f205c99e500a7e203ee8d3ed5325
SHA512f7f201eeee17d08ac8003f2561a9969fe359b4412baf3586e9839cd22fe4616b413e8fc940608672ac13d62036b0c4f4a3ffbc8c404f710d13919ffb86f67cc4
-
C:\Users\Admin\AppData\Local\Temp\bahrwq.exeFilesize
176KB
MD5bab5c4a5f667e3ee78612d22c7d2dc47
SHA1c63dcc1ac9f2c0deda96c455c82b15e933726307
SHA2561794fea06bcf0cf96f65059ea316b1e5ca86e1072077cfd1768f15cab5aeb56a
SHA5125f74c83e0e6a23cf0a7b22e39f8ce6a8c0757db98a72e97319cac90d65469f946bb4140919dba2c09af534fe7b7b406d0f13bc590b3e8c6ad1834e06b0c10a47
-
C:\Users\Admin\AppData\Local\Temp\eymuur.exeFilesize
248KB
MD520d2c71d6d9daf4499ffc4a5d164f1c3
SHA138e5dcd93f25386d05a34a5b26d3fba1bf02f7c8
SHA2563ac8cc58dcbceaec3dab046aea050357e0e2248d30b0804c738c9a5b037c220d
SHA5128ffd56fb3538eb60da2dde9e3d6eee0dac8419c61532e9127f47c4351b6e53e01143af92b2e26b521e23cdbbf15d7a358d3757431e572e37a1eede57c7d39704
-
C:\Users\Admin\AppData\Local\Temp\places.rawFilesize
5.0MB
MD52b0b966b1be75d105fb7e1161cc39c02
SHA159f22e80633bd25ee7414dc1ef209806ce058724
SHA2568de6576d21b54de940db46879dac7bb406ec9fed05c7663a56860fa2a56527b2
SHA512ad54784fcb873b6843dcd95d06a1c7d9ea3e1e038acdb66a1213036930a9c965b2d2957489dc1f842a0a04f35a134a617a3930182615f6996a953d9fe702125d
-
C:\Users\Admin\AppData\Local\Temp\svhost.exeFilesize
66KB
MD523e7e5af720dfc90b86294a8a7800c76
SHA1e674bd73e3c9a496c9b5422f43874fcfc9f5510c
SHA2561810fc024d4da8c805bdf76c8152ec68615c33676c4bee025d889de89af3724f
SHA5120bb3731bfd6601b9b903ce93aa3fc493d063d5ddb20b7e2277808205bcde96f5cc7dafc94caf59ec5e7d0b8a44aa6b739cc6f326d29aaa03c3b85c090cab3681
-
C:\Users\Admin\AppData\Local\Temp\tmp51B3.tmp.datFilesize
100KB
MD5d4993802b9cf3203200f899233c3e2fc
SHA1a632e8d796c8a0d1cf8cda55aa882b1a82b7318f
SHA256cff606c51ac13f4352de08f7838939c1e261bdc232a10bb94f6924d00cbd0dd6
SHA5121910cf846fe61ef744dc6bcf9062caaf6ab1856a64bd8aa6849cbddcdc8fa921f0cef16d0d9cc38842345f5873724b27764307076bd50bd46bb74f643cde03bd
-
C:\Users\Admin\AppData\Local\Temp\tmp51F8.tmp.datFilesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
C:\Users\Admin\AppData\Local\Temp\tmp8596.tmpFilesize
100KB
MD51b942faa8e8b1008a8c3c1004ba57349
SHA1cd99977f6c1819b12b33240b784ca816dfe2cb91
SHA256555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc
SHA5125aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43
-
C:\Users\Admin\AppData\Local\Temp\wbykee.exeFilesize
2.5MB
MD5971fc96da6226204766efbbe23dafa43
SHA1ba78587dc5f15ec6afbcb103d86e9ceb9e4d5281
SHA256e21716da385fcb1fca8a98136f9b683eb3dc53de4cd0e8ed08c051e74270fdde
SHA51234f976f97cb1634d1f880595d0b20ee4e4e1636a3d5d29c750d5d142fe39ab5e78de0239bdc75ce04d80c4efe3aad01de169afb22bab7914b551a88b98ba22c4
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnkFilesize
1KB
MD5daf7a1c73ebcfdc801f4b6e47c240b32
SHA1640dacad0b1bee946b3dcf5d51da9a0ca464c668
SHA2563bc39c7e4eb531d7cfeae8a8cde4e4a69efca0fa806492bfa108b30d090d5ac6
SHA512c75374d51df049c7ac18078fa91a60af60a27a33e557d7b10e31ed2caed9017503f2b9fe842d699266aa64d1b02f0044089639bc43d4593de22de65bc6309a7f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system_2.0.lnkFilesize
979B
MD5c82bafe81cb48d1bcb0b62d3adbd69c7
SHA17768c96ff8b1d35e688ad659966a1f63147fa9b0
SHA2569a987b20b6f2f5144e6711ee7892911545215d9ef6423616b77562e5a200806f
SHA512fc0bedd7334ed87c67f2574d495da7358b78734794f76f015748748216fce8fad02b619a1a30acd0b311bb673edf3f4d30b19f0c121cefae65dad010d9b0229b
-
\??\pipe\LOCAL\crashpad_3016_XSMSNNNYJOTSCXCNMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/432-674-0x0000000000400000-0x00000000006CC000-memory.dmpFilesize
2.8MB
-
memory/432-790-0x0000000000400000-0x00000000006CC000-memory.dmpFilesize
2.8MB
-
memory/432-961-0x0000000000400000-0x00000000006CC000-memory.dmpFilesize
2.8MB
-
memory/432-932-0x0000000000400000-0x00000000006CC000-memory.dmpFilesize
2.8MB
-
memory/432-720-0x0000000000400000-0x00000000006CC000-memory.dmpFilesize
2.8MB
-
memory/432-700-0x0000000000400000-0x00000000006CC000-memory.dmpFilesize
2.8MB
-
memory/432-997-0x0000000000400000-0x00000000006CC000-memory.dmpFilesize
2.8MB
-
memory/432-889-0x0000000000400000-0x00000000006CC000-memory.dmpFilesize
2.8MB
-
memory/432-540-0x0000000000400000-0x00000000006CC000-memory.dmpFilesize
2.8MB
-
memory/432-851-0x0000000000400000-0x00000000006CC000-memory.dmpFilesize
2.8MB
-
memory/432-770-0x0000000000400000-0x00000000006CC000-memory.dmpFilesize
2.8MB
-
memory/432-743-0x0000000000400000-0x00000000006CC000-memory.dmpFilesize
2.8MB
-
memory/432-1048-0x0000000000400000-0x00000000006CC000-memory.dmpFilesize
2.8MB
-
memory/432-654-0x0000000000400000-0x00000000006CC000-memory.dmpFilesize
2.8MB
-
memory/432-632-0x0000000000400000-0x00000000006CC000-memory.dmpFilesize
2.8MB
-
memory/432-609-0x0000000000400000-0x00000000006CC000-memory.dmpFilesize
2.8MB
-
memory/432-582-0x0000000000400000-0x00000000006CC000-memory.dmpFilesize
2.8MB
-
memory/432-562-0x0000000000400000-0x00000000006CC000-memory.dmpFilesize
2.8MB
-
memory/432-1074-0x0000000000400000-0x00000000006CC000-memory.dmpFilesize
2.8MB
-
memory/432-425-0x0000000000400000-0x00000000006CC000-memory.dmpFilesize
2.8MB
-
memory/432-444-0x0000000000400000-0x00000000006CC000-memory.dmpFilesize
2.8MB
-
memory/432-466-0x0000000000400000-0x00000000006CC000-memory.dmpFilesize
2.8MB
-
memory/432-491-0x0000000000400000-0x00000000006CC000-memory.dmpFilesize
2.8MB
-
memory/432-510-0x0000000000400000-0x00000000006CC000-memory.dmpFilesize
2.8MB
-
memory/1684-18-0x0000028CF5E80000-0x0000028CF5FEA000-memory.dmpFilesize
1.4MB
-
memory/1684-19-0x00007FFF197C0000-0x00007FFF1A281000-memory.dmpFilesize
10.8MB
-
memory/1684-3-0x00007FFF197C0000-0x00007FFF1A281000-memory.dmpFilesize
10.8MB
-
memory/1684-13-0x0000028CF5D50000-0x0000028CF5D72000-memory.dmpFilesize
136KB
-
memory/1684-14-0x00007FFF197C0000-0x00007FFF1A281000-memory.dmpFilesize
10.8MB
-
memory/1684-15-0x00007FFF197C0000-0x00007FFF1A281000-memory.dmpFilesize
10.8MB
-
memory/2504-79-0x000002370CAE0000-0x000002370CAE1000-memory.dmpFilesize
4KB
-
memory/2504-71-0x000002370CAE0000-0x000002370CAE1000-memory.dmpFilesize
4KB
-
memory/2504-73-0x000002370CAE0000-0x000002370CAE1000-memory.dmpFilesize
4KB
-
memory/2504-78-0x000002370CAE0000-0x000002370CAE1000-memory.dmpFilesize
4KB
-
memory/2504-72-0x000002370CAE0000-0x000002370CAE1000-memory.dmpFilesize
4KB
-
memory/2504-80-0x000002370CAE0000-0x000002370CAE1000-memory.dmpFilesize
4KB
-
memory/2504-83-0x000002370CAE0000-0x000002370CAE1000-memory.dmpFilesize
4KB
-
memory/2504-82-0x000002370CAE0000-0x000002370CAE1000-memory.dmpFilesize
4KB
-
memory/2504-81-0x000002370CAE0000-0x000002370CAE1000-memory.dmpFilesize
4KB
-
memory/2504-77-0x000002370CAE0000-0x000002370CAE1000-memory.dmpFilesize
4KB
-
memory/3612-62-0x000000001AAB0000-0x000000001AAEA000-memory.dmpFilesize
232KB
-
memory/3612-315-0x000000001B700000-0x000000001B70C000-memory.dmpFilesize
48KB
-
memory/3612-390-0x000000001BF40000-0x000000001BFCE000-memory.dmpFilesize
568KB
-
memory/3612-1-0x00000000000A0000-0x00000000000B6000-memory.dmpFilesize
88KB
-
memory/3612-165-0x000000001B970000-0x000000001B97A000-memory.dmpFilesize
40KB
-
memory/3612-161-0x000000001EA50000-0x000000001EF78000-memory.dmpFilesize
5.2MB
-
memory/3612-2-0x00007FFF197C0000-0x00007FFF1A281000-memory.dmpFilesize
10.8MB
-
memory/3612-160-0x000000001B7C0000-0x000000001B870000-memory.dmpFilesize
704KB
-
memory/3612-276-0x000000001D130000-0x000000001D250000-memory.dmpFilesize
1.1MB
-
memory/3612-60-0x0000000002040000-0x000000000204C000-memory.dmpFilesize
48KB
-
memory/3612-59-0x00007FFF197C0000-0x00007FFF1A281000-memory.dmpFilesize
10.8MB
-
memory/3612-0-0x00007FFF197C3000-0x00007FFF197C5000-memory.dmpFilesize
8KB
-
memory/3612-58-0x00007FFF197C3000-0x00007FFF197C5000-memory.dmpFilesize
8KB
-
memory/3612-360-0x000000001B720000-0x000000001B72A000-memory.dmpFilesize
40KB
-
memory/3612-901-0x000000001B9B0000-0x000000001B9BA000-memory.dmpFilesize
40KB
-
memory/3612-89-0x000000001ABA0000-0x000000001ABAA000-memory.dmpFilesize
40KB
-
memory/3960-359-0x000000001D6E0000-0x000000001DA30000-memory.dmpFilesize
3.3MB
-
memory/3960-361-0x000000001C970000-0x000000001C9AA000-memory.dmpFilesize
232KB
-
memory/3960-317-0x000000001D5C0000-0x000000001D6DE000-memory.dmpFilesize
1.1MB
-
memory/3960-366-0x000000001C010000-0x000000001C01A000-memory.dmpFilesize
40KB
-
memory/3960-275-0x000000001C950000-0x000000001C95C000-memory.dmpFilesize
48KB
-
memory/3960-107-0x00000000007A0000-0x00000000007D2000-memory.dmpFilesize
200KB
-
memory/3960-367-0x000000001BFA0000-0x000000001BFB2000-memory.dmpFilesize
72KB
-
memory/3960-381-0x000000001BCC0000-0x000000001BCCA000-memory.dmpFilesize
40KB
-
memory/3960-389-0x000000001BF90000-0x000000001BF9A000-memory.dmpFilesize
40KB
-
memory/4488-557-0x0000000000400000-0x00000000004A6000-memory.dmpFilesize
664KB
-
memory/4776-376-0x0000000000400000-0x0000000000487000-memory.dmpFilesize
540KB
-
memory/4776-377-0x0000000000400000-0x0000000000487000-memory.dmpFilesize
540KB