Analysis
-
max time kernel
69s -
max time network
76s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
06-06-2024 13:09
General
-
Target
KeePass-2.56-Setup.exe
-
Size
4.2MB
-
MD5
86a0d58d2ae89c639d940dbda48308df
-
SHA1
1280f427d149a8c5ca797a9ea29e711a3fa2b5ef
-
SHA256
92529dc0e6449eca21688601020455505462819217b8e8d51f6e7b1dd05a69ef
-
SHA512
9fffac37da58215108392f8532a2691b8e556175c0e5d8227aad8ab6a923cacb0e0eeca11911bef79b8ab340196c4cc4400e76300c73dbc7993a60386b8dab6a
-
SSDEEP
98304:FkLUpT18sT3OIsoVv/uGRUCyLkVxXBKLeOKIa:GyFOIsO/umyADXBK
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 9 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 23 IoCs
-
Drops file in Windows directory 12 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 12 IoCs
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 30 IoCs
-
Suspicious use of SendNotifyMessage 27 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\KeePass-2.56-Setup.exe"C:\Users\Admin\AppData\Local\Temp\KeePass-2.56-Setup.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-TFRNG.tmp\KeePass-2.56-Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-TFRNG.tmp\KeePass-2.56-Setup.tmp" /SL5="$B0066,3482807,781312,C:\Users\Admin\AppData\Local\Temp\KeePass-2.56-Setup.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe"C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe" net_check3⤵
- Executes dropped EXE
-
C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe"C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe" preload_register3⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe"C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe" ngen_install3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" uninstall "C:\Program Files\KeePass Password Safe 2\KeePass.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\KeePass Password Safe 2\KeePass.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 0 -NGENProcess 1bc -Pipe 1c8 -Comment "NGen Worker Process"5⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 0 -NGENProcess 278 -Pipe 280 -Comment "NGen Worker Process"5⤵
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 0 -NGENProcess 254 -Pipe 270 -Comment "NGen Worker Process"5⤵
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 0 -NGENProcess 28c -Pipe 258 -Comment "NGen Worker Process"5⤵
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 0 -NGENProcess 2a8 -Pipe 274 -Comment "NGen Worker Process"5⤵
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 0 -NGENProcess 2bc -Pipe 260 -Comment "NGen Worker Process"5⤵
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 0 -NGENProcess 27c -Pipe 2c4 -Comment "NGen Worker Process"5⤵
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Program Files\KeePass Password Safe 2\KeePass.exe"C:\Program Files\KeePass Password Safe 2\KeePass.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://keepass.info/plugins.html3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd8a0546f8,0x7ffd8a054708,0x7ffd8a0547184⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,5219790294599542468,3426417887359182070,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:24⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,5219790294599542468,3426417887359182070,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,5219790294599542468,3426417887359182070,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2596 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5219790294599542468,3426417887359182070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5219790294599542468,3426417887359182070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,5219790294599542468,3426417887359182070,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,5219790294599542468,3426417887359182070,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 /prefetch:84⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5219790294599542468,3426417887359182070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=180 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5219790294599542468,3426417887359182070,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5219790294599542468,3426417887359182070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5219790294599542468,3426417887359182070,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:14⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\KeePass Password Safe 2\KeePass.XmlSerializers.dllFilesize
448KB
MD589e19d93a58fac5db151666e4babd019
SHA118295f15fa79fe345aa81c894f88c9a0b9e5fffe
SHA2560a9fb364207de3ff6b072b63c3ef35929db58c77f8cca5bc11c61b9d195207f0
SHA5129c1df97295d656b8af5ac82c4c3050bb86daade360e38cb0dbeacba6cc5094288ad2537585b9824812bb9755547eb287ca500137b6117b3150007fa6e4847cc0
-
C:\Program Files\KeePass Password Safe 2\KeePass.config.xmlFilesize
252B
MD5ac0f1e104f82d295c27646bfff39fecc
SHA134309b00045503fce52adf638ec8be5f32cb6b1d
SHA256c4a3626bbcdfe4b17759e75582ad5f89beaa28efc857431f373e104fbe7b8440
SHA512be3675bbbe47d929a1ca6c5dfefd31b674c7304cc4bfac914d5be9656937554919478feb363fd3a51561bcf879941fcb54b701648057422c452bf677d500a839
-
C:\Program Files\KeePass Password Safe 2\KeePass.exeFilesize
3.1MB
MD5b4250862f4d1f151d2edc123ab2c8a77
SHA1ed1a56b9d794c2b695bf5d587fdf6cdb121a56fa
SHA25609d730282184ec2ba4cc8c1c089837b323e7b6bab0101206e206455d903e4d2a
SHA512e3263cc43f88764626f81f6987de40d707c0a80d74443ac08d7f285e2827ebf325accf9479d499938dad03fa5817544866e72e1c1d1c74bb81d5e04b731ac2ba
-
C:\Program Files\KeePass Password Safe 2\KeePass.exe.configFilesize
763B
MD5ff0c23b97df708cca2030a96c914c3a9
SHA18523b7b505f770e5f6ad6561e16a4ecdf2f28ab5
SHA2563348d697fe118aaa0fdd36087c5105d9b9af14abfd0fb10568c118941637c26e
SHA51233af19712cbb57ef3fb74ac0745e097b7aadd2f65cb9073ff52575604d85292206a7687d7104b18ae21fddafed3b12a73c110a491927a478e127ac09a5029265
-
C:\Program Files\KeePass Password Safe 2\ShInstUtil.exeFilesize
94KB
MD5f5d989c6a6afc473b8c5e2c4cf1586a5
SHA14607715357d9b869511e50073f75f7f65aea3e0e
SHA256783053f791ac52c7e5600209a5c83c18419d4dd093be9541839d38549f13f91b
SHA512fed81e10aaa6d6fc0d957436b43d1303b5f0736037aa4c0ec69d0b528db6c366ad71c295f1f64eabc89416e7d9e41857f5e451b28b4629ac74736e6d6f89a88e
-
C:\Program Files\KeePass Password Safe 2\unins000.exeFilesize
3.0MB
MD5a96ef5a2191bcf92dd9cc0a62522c69f
SHA1c7f2d102b5fb3883a0906b876fe5c8370d82d0c4
SHA2563b8555ecb75212eb84e09110194b7696d8c3bf8eec87d5a05dcef2684c9ae028
SHA5120d2611617d32a3599714c6fdda5f30d377a776b89ec195f454aafdda381de61fa788dec5886eec62f906b24da0cf1588ccb00702835f2ca8d53f276cf5205741
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD54dc6fc5e708279a3310fe55d9c44743d
SHA1a42e8bdf9d1c25ef3e223d59f6b1d16b095f46d2
SHA256a1c5f48659d4b3af960971b3a0f433a95fee5bfafe5680a34110c68b342377d8
SHA5125874b2310187f242b852fa6dcded244cc860abb2be4f6f5a6a1db8322e12e1fef8f825edc0aae75adbb7284a2cd64730650d0643b1e2bb7ead9350e50e1d8c13
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5c9c4c494f8fba32d95ba2125f00586a3
SHA18a600205528aef7953144f1cf6f7a5115e3611de
SHA256a0ca609205813c307df9122c0c5b0967c5472755700f615b0033129cf7d6b35b
SHA5129d30cea6cfc259e97b0305f8b5cd19774044fb78feedfcef2014b2947f2e6a101273bc4ad30db9cc1724e62eb441266d7df376e28ac58693f128b9cce2c7d20d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD58afa4debfd32a854e8f634bf4bd0bf0e
SHA1062db43f8bf81cb1c894b21b02ca95f547b9aae4
SHA256fa751b79361708fcda659ff24acfad083be655d2ec689362eb613a5f70871029
SHA5128a34c6eb298b8e4be31d632db22861f15c35d9afece1a8882bc65e8ef1de6d22f153775fedcc9908917127e5f706615ce105c710f9562cb9711371b5035e0f1d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD51a6ac72df186dd1579133883679d00ae
SHA149046e9f2e763b6c4f20d4487252cdd442449045
SHA256f56c63bb0b0874506ab188be1a32ea0055636726431659d172a93f200ac57f22
SHA512244a15831fa08ec796ad24cf37e5678e70f23076f15dcc6685a968968e2a165033e5ffcfa56719d96a55d9e71ca98845ecc518f88ed6352b169d1bf48ed3d746
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
10KB
MD54c73d23474eae4051f70eefcee7d696f
SHA1c7c9f2d2d58d9d9283bd54a32864e9ebfc4716d8
SHA25693c33243c5db9ac15c48514c60e8ddf16290eed33ec0e59bbbd90d28e05b70a2
SHA512364b2b3188c6427981b531aeabcabf3c43762c25849149cef0256e9ac8fa4c045fe98f87f58def2587f7478c5d263b68694088e1279a95c4065331f333cdd65f
-
C:\Users\Admin\AppData\Local\Temp\is-TFRNG.tmp\KeePass-2.56-Setup.tmpFilesize
3.0MB
MD5354613dd35e43746f934c0e9d7b2543c
SHA18b7d3e5306279753e025279455a7d97e1c55cfe4
SHA256c11513e77b5cd81f07e33111d7a36f5ee4cf551113e30414de753a4c101173d6
SHA512b3d6a91087a942c5ce04efb179b04989402761b2e634cf1f58924563926d75e034bff675bfb517011c3f91d46d37a5ee69936487830e89270e933c6720d7ef56
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\KeePass\30f6c60da79eb8872c9c335ce775ac8e\KeePass.ni.exeFilesize
11.4MB
MD53282a854ee1f2738d4f0bb582a100d00
SHA16ef44376f8ee8d2f19fd2415601430c72e8dfadc
SHA2560be1b43348ba24fa57955ea17afb8c8d210740966abededd632fd00d98e2bf79
SHA512dcf65f53f9494e0228dc3b907857a2a3d4afffbcac5aa26a388cbaa546b70277e45dbfda48c2642903b764bdce2a200452d1972810e6b8e70043b62ba3c8a911
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\KeePass\30f6c60da79eb8872c9c335ce775ac8e\KeePass.ni.exe.auxFilesize
1KB
MD57da5b0fea9ff82c5f38332290b66665c
SHA1dae2049e86b35d9d84daf2f25140cebb49b965f1
SHA2562fb034e6ee9c6bbdcfbe6469fbd56f8d2ebdaa5be72558f9f8344e40275eabfc
SHA512b55453046d6a4e474002f6b61e933f6e12a9a686494a5cd8b82cbe4d419bbb69904d3d0688fc7df1cd3072419d6733d07ed50770064a967d4e89ca06ac485517
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dllFilesize
3.0MB
MD5b0bd1b2c367441f420d9cc270cf7fab6
SHA1bdd65767f9c8047125a86b66b5678d8d72a76911
SHA256447bfc33e8f3bc3d661200891933fed1bb28c402d1063e6838f55096ec9833aa
SHA512551becf8035964921fca26458e46cd32fadf1703e66724df5cc868447bb0b0c181f87eba1c3df1bece2a9a127aea78bcc2f00ad38ecd05d438119cd1a9ce8324
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dll.auxFilesize
708B
MD5688ac15ac387cbac93d705be85b08492
SHA1a4fabce08bbe0fee991a8a1a8e8e62230f360ff2
SHA256ce64b26c005cfc1bcf6ac0153f1dbcae07f25934eab3363ff05a72a754992470
SHA512a756ea603d86a66b67163e3aa5d2325174a2748caf6b0eaa9f0600d42c297daa35aa5bfaf4962a1dedbae9437308d19571818cbd3e1542d7a7a26a4d20796074
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Deployment\18271de25c06b49b2aaa391461de2df6\System.Deployment.ni.dllFilesize
3.0MB
MD53385fdacfda1fc77da651550a705936d
SHA1207023bf3b3ff2c93e9368ba018d32bb11e47a8a
SHA25644a217d721c0fb7de3f52123ace1eeaf62f48f40f55bd816bb32c422d0939eec
SHA512bb8f38dc08b1983a5b5b1b6dac069364cec4f3a9a88fcf277cfdefac376a8c6207078938f064aacef1032f9a15cf9d21174aef4b94a89513fd65a2cfaaab5174
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\ba90284a07d8bc0ce7e6273afa79210f\System.Numerics.ni.dllFilesize
314KB
MD550b28be2b84f9dd1258a346525f8c2e5
SHA1203abebaa5c22c9f6ac099d020711669e6655ed8
SHA2566c51e5a928f227bb64a7eb9e48089bca5e9bbef0d0329b971ebbf918335ee1ac
SHA512d5336827cdb202ab51583c32a45960ae43c56499dbe149ec0edb907f8f33e12800c7aa187a52a3c93e3f2ebcb677bed4e7e829e1df3fee05fe3fdc21948f571d
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\f85535a7092741215f67fdedf2846499\System.Runtime.Serialization.Formatters.Soap.ni.dllFilesize
345KB
MD535738b026183e92c1f7a6344cfa189fd
SHA1ccc1510ef4a88a010087321b8af89f0c0c29b6d8
SHA2564075d88d2ba1cff2a8ab9be66176045628d24cae370428e0128f8af3a77639fb
SHA512ab7100c26f60ae30a84ba3de31ca96c530e86e052ffc997fd7fd3144e2049fc0d188a3d075a123b6f728dc882beee3d6a35a086d19d7dad4d385e101382fc436
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\7355af105ad86679d6c9070a9b4dc0c3\System.Security.ni.dllFilesize
986KB
MD5e4b53e736786edcfbfc70f87c5ef4aad
SHA162cdd43c2d1f8ae9b28c484344e3fb7135a4e4d5
SHA2569ac6d5445caaacae6813243c787e8d67c974988acd1a4a5f564503fd36e91e46
SHA51242a3b1cc0b805674f48a8d7891ab5ecae33d5a2205059317ca5441e7de52f26eabb32e79a3040d7aa0e0333b19f80d93d25e1faa1dfe5cfb0ea39efba5767fde
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\7355af105ad86679d6c9070a9b4dc0c3\System.Security.ni.dll.auxFilesize
912B
MD5255a843ca54e88fd16d2befcc1bafb7a
SHA1aee7882de50a5cea1e4c2c2ddfaa4476f20a9be9
SHA2568cd849585fe99e63f28b49f1dae2d1b47a406268dcc5a161e58331a6a3cba3ed
SHA512666866c0d25d61dc04341cf95eb61969698cfafce232097e60cb0537ea2a35635e1e4986036e413fb51927187183aa2e64ecac7fbc26bac46998c0bd84f69e45
-
\??\pipe\LOCAL\crashpad_1624_WCASNPYJOIOSLWNGMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1108-166-0x0000000000760000-0x0000000000A88000-memory.dmpFilesize
3.2MB
-
memory/1108-201-0x0000000020430000-0x000000002049E000-memory.dmpFilesize
440KB
-
memory/1592-0-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/1592-2-0x0000000000401000-0x00000000004B7000-memory.dmpFilesize
728KB
-
memory/1592-8-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/2480-133-0x0000064449980000-0x00000644499D8000-memory.dmpFilesize
352KB
-
memory/2776-85-0x0000064449A20000-0x0000064449B18000-memory.dmpFilesize
992KB
-
memory/3484-62-0x00000230D2370000-0x00000230D23C0000-memory.dmpFilesize
320KB
-
memory/3484-60-0x00000230D26A0000-0x00000230D29C8000-memory.dmpFilesize
3.2MB
-
memory/3484-66-0x00000230BA320000-0x00000230BA342000-memory.dmpFilesize
136KB
-
memory/3484-65-0x00000230D2480000-0x00000230D2532000-memory.dmpFilesize
712KB
-
memory/3484-64-0x00000230B85C0000-0x00000230B85E2000-memory.dmpFilesize
136KB
-
memory/3484-63-0x00000230D3A80000-0x00000230D3C06000-memory.dmpFilesize
1.5MB
-
memory/3524-118-0x0000064445320000-0x000006444561E000-memory.dmpFilesize
3.0MB
-
memory/4348-100-0x0000064443EC0000-0x0000064443F11000-memory.dmpFilesize
324KB
-
memory/4656-67-0x00000644451A0000-0x00000644454A4000-memory.dmpFilesize
3.0MB
-
memory/4720-149-0x0000064488000000-0x0000064488B64000-memory.dmpFilesize
11.4MB
-
memory/5004-179-0x0000000000400000-0x0000000000708000-memory.dmpFilesize
3.0MB
-
memory/5004-15-0x0000000000400000-0x0000000000708000-memory.dmpFilesize
3.0MB
-
memory/5004-9-0x0000000000400000-0x0000000000708000-memory.dmpFilesize
3.0MB
-
memory/5004-6-0x0000000000400000-0x0000000000708000-memory.dmpFilesize
3.0MB