Analysis

  • max time kernel
    300s
  • max time network
    301s
  • platform
    windows10-1703_x64
  • resource
    win10-20230915-en
  • resource tags

    arch:x64 arch:x86 image:win10-20230915-en locale:en-us os:windows10-1703-x64 system
  • submitted
    16-10-2023 04:52

General

  • Target

    914f1d5465e5201dc2a565458ac9744aae002a6c7ec55a77384b0b8aac97da40.exe

  • Size

    240KB

  • MD5

    b4b15aef4d2769d9e337702ce7aa7567

  • SHA1

    e86f505fb4ccbd77cabdc6287b3a4fe0de1b526c

  • SHA256

    914f1d5465e5201dc2a565458ac9744aae002a6c7ec55a77384b0b8aac97da40

  • SHA512

    30bd7de40cad2620b5883bcbc8c7b7b06787271b941c759ad3581b4b4b83c267bff074a93a76d39d2c45e0598bd7496d52af63d2e81d2449593a105c4a7ee80d

  • SSDEEP

    3072:e8MOh+yFRASFi4K+U8Rh68InevzpZ0zvX5DQh1Dk:etkSSvTnRhWnAzpoVQh

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

djvu

C2

http://zexeq.com/raud/get.php

Attributes
  • extension

    .pthh

  • offline_id

    43WPLl8Cnh3dZoiWhf8tP8Q9CrMBVUL2dwHB2Rt1

  • payload_url

    http://colisumy.com/dl/build2.exe

    http://zexeq.com/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-dHFDYXqlkk Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0808ASUDr

rsa_pubkey.plain

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

C2

146.59.161.13:39199

Extracted

Family

amadey

Version

3.87

C2

http://79.137.192.18/9bDc8sQ/index.php

Attributes
  • install_dir

    577f58beff

  • install_file

    yiueea.exe

  • strings_key

    a5085075a537f09dec81cc154ec0af4d

rc4.plain

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

vidar

Version

6

Botnet

d37c48c18c73cc0e155c7e1dfde06db9

C2

https://steamcommunity.com/profiles/76561199560322242

https://t.me/cahalgo

Attributes
  • profile_id_v2

    d37c48c18c73cc0e155c7e1dfde06db9

  • user_agent

    Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0 uacq

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Detected Djvu ransomware 18 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba payload 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Windows security bypass 2 TTPs 7 IoCs
  • Downloads MZ/PE file
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 28 IoCs
  • Loads dropped DLL 3 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Windows security modification 2 TTPs 7 IoCs
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Manipulates WinMonFS driver. 1 IoCs

    Rootkits write to WinMonFS to hide directories/files from being detected.

  • Drops file in System32 directory 7 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • Checks SCSI registry key(s) 3 TTPs 9 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 5 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\914f1d5465e5201dc2a565458ac9744aae002a6c7ec55a77384b0b8aac97da40.exe
    "C:\Users\Admin\AppData\Local\Temp\914f1d5465e5201dc2a565458ac9744aae002a6c7ec55a77384b0b8aac97da40.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:4352
  • C:\Users\Admin\AppData\Local\Temp\3A06.exe
    C:\Users\Admin\AppData\Local\Temp\3A06.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3416
    • C:\Users\Admin\AppData\Local\Temp\3A06.exe
      C:\Users\Admin\AppData\Local\Temp\3A06.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4892
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Local\8dac5d02-1360-435e-89af-f1f7f01bb4a9" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        3⤵
        • Modifies file permissions
        PID:2008
      • C:\Users\Admin\AppData\Local\Temp\3A06.exe
        "C:\Users\Admin\AppData\Local\Temp\3A06.exe" --Admin IsNotAutoStart IsNotTask
        3⤵
          PID:4340
          • C:\Users\Admin\AppData\Local\Temp\3A06.exe
            "C:\Users\Admin\AppData\Local\Temp\3A06.exe" --Admin IsNotAutoStart IsNotTask
            4⤵
            • Executes dropped EXE
            PID:4184
            • C:\Users\Admin\AppData\Local\73c85e65-09eb-4b35-a08f-56f24447fcae\build2.exe
              "C:\Users\Admin\AppData\Local\73c85e65-09eb-4b35-a08f-56f24447fcae\build2.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:2460
              • C:\Users\Admin\AppData\Local\73c85e65-09eb-4b35-a08f-56f24447fcae\build2.exe
                "C:\Users\Admin\AppData\Local\73c85e65-09eb-4b35-a08f-56f24447fcae\build2.exe"
                6⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Checks processor information in registry
                PID:4924
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 1716
                  7⤵
                  • Program crash
                  PID:1936
            • C:\Users\Admin\AppData\Local\73c85e65-09eb-4b35-a08f-56f24447fcae\build3.exe
              "C:\Users\Admin\AppData\Local\73c85e65-09eb-4b35-a08f-56f24447fcae\build3.exe"
              5⤵
              • Executes dropped EXE
              PID:5064
              • C:\Users\Admin\AppData\Local\73c85e65-09eb-4b35-a08f-56f24447fcae\build3.exe
                "C:\Users\Admin\AppData\Local\73c85e65-09eb-4b35-a08f-56f24447fcae\build3.exe"
                6⤵
                • Executes dropped EXE
                PID:2856
                • C:\Windows\SysWOW64\schtasks.exe
                  /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
                  7⤵
                  • Creates scheduled task(s)
                  PID:3872
    • C:\Users\Admin\AppData\Local\Temp\3B11.exe
      C:\Users\Admin\AppData\Local\Temp\3B11.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:604
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        2⤵
          PID:2876
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          2⤵
            PID:2784
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            2⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:916
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 604 -s 140
            2⤵
            • Program crash
            PID:4592
        • C:\Windows\SysWOW64\regsvr32.exe
          /s C:\Users\Admin\AppData\Local\Temp\3DC2.dll
          1⤵
          • Loads dropped DLL
          PID:1172
        • C:\Windows\system32\regsvr32.exe
          regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3DC2.dll
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:3936
        • C:\Users\Admin\AppData\Local\Temp\4D24.exe
          C:\Users\Admin\AppData\Local\Temp\4D24.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:5044
          • C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
            "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"
            2⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:3392
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F
              3⤵
              • Creates scheduled task(s)
              PID:4304
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit
              3⤵
                PID:4300
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  4⤵
                    PID:4048
                  • C:\Windows\SysWOW64\cacls.exe
                    CACLS "yiueea.exe" /P "Admin:N"
                    4⤵
                      PID:928
                    • C:\Windows\SysWOW64\cacls.exe
                      CACLS "yiueea.exe" /P "Admin:R" /E
                      4⤵
                        PID:2424
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                        4⤵
                          PID:1076
                        • C:\Windows\SysWOW64\cacls.exe
                          CACLS "..\577f58beff" /P "Admin:N"
                          4⤵
                            PID:5112
                          • C:\Windows\SysWOW64\cacls.exe
                            CACLS "..\577f58beff" /P "Admin:R" /E
                            4⤵
                              PID:4080
                      • C:\Users\Admin\AppData\Local\Temp\54D6.exe
                        C:\Users\Admin\AppData\Local\Temp\54D6.exe
                        1⤵
                        • Executes dropped EXE
                        • Checks SCSI registry key(s)
                        • Suspicious behavior: MapViewOfSection
                        PID:2060
                      • C:\Users\Admin\AppData\Local\Temp\6D7F.exe
                        C:\Users\Admin\AppData\Local\Temp\6D7F.exe
                        1⤵
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4652
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          powershell -nologo -noprofile
                          2⤵
                          • Executes dropped EXE
                          • Suspicious use of SetThreadContext
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:4340
                        • C:\Users\Admin\AppData\Local\Temp\6D7F.exe
                          "C:\Users\Admin\AppData\Local\Temp\6D7F.exe"
                          2⤵
                          • Windows security bypass
                          • Executes dropped EXE
                          • Windows security modification
                          • Adds Run key to start application
                          • Checks for VirtualBox DLLs, possible anti-VM trick
                          • Drops file in Windows directory
                          • Modifies data under HKEY_USERS
                          PID:2100
                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            powershell -nologo -noprofile
                            3⤵
                            • Drops file in System32 directory
                            • Modifies data under HKEY_USERS
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3940
                          • C:\Windows\System32\cmd.exe
                            C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
                            3⤵
                              PID:3200
                              • C:\Windows\system32\netsh.exe
                                netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                                4⤵
                                • Modifies Windows Firewall
                                PID:4904
                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              powershell -nologo -noprofile
                              3⤵
                              • Drops file in System32 directory
                              • Modifies data under HKEY_USERS
                              • Suspicious use of AdjustPrivilegeToken
                              PID:4972
                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              powershell -nologo -noprofile
                              3⤵
                              • Drops file in System32 directory
                              • Modifies data under HKEY_USERS
                              • Suspicious use of AdjustPrivilegeToken
                              PID:4356
                              • C:\Windows\System32\Conhost.exe
                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                4⤵
                                  PID:4904
                              • C:\Windows\rss\csrss.exe
                                C:\Windows\rss\csrss.exe
                                3⤵
                                • Executes dropped EXE
                                • Adds Run key to start application
                                • Manipulates WinMonFS driver.
                                • Drops file in Windows directory
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4940
                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  powershell -nologo -noprofile
                                  4⤵
                                  • Drops file in System32 directory
                                  • Modifies data under HKEY_USERS
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:1448
                                • C:\Windows\SYSTEM32\schtasks.exe
                                  schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                                  4⤵
                                  • Creates scheduled task(s)
                                  PID:1216
                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  powershell -nologo -noprofile
                                  4⤵
                                  • Drops file in System32 directory
                                  • Modifies data under HKEY_USERS
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:4920
                                • C:\Windows\SYSTEM32\schtasks.exe
                                  schtasks /delete /tn ScheduledUpdate /f
                                  4⤵
                                    PID:4952
                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    powershell -nologo -noprofile
                                    4⤵
                                    • Drops file in System32 directory
                                    • Modifies data under HKEY_USERS
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:1372
                                  • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                                    C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                                    4⤵
                                    • Executes dropped EXE
                                    PID:4928
                                  • C:\Windows\SYSTEM32\schtasks.exe
                                    schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                                    4⤵
                                    • Creates scheduled task(s)
                                    PID:96
                                  • C:\Windows\windefender.exe
                                    "C:\Windows\windefender.exe"
                                    4⤵
                                    • Executes dropped EXE
                                    PID:4664
                                    • C:\Windows\SysWOW64\cmd.exe
                                      cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                                      5⤵
                                        PID:4372
                                        • C:\Windows\SysWOW64\sc.exe
                                          sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                                          6⤵
                                          • Launches sc.exe
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:4668
                                    • C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
                                      C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
                                      4⤵
                                      • Executes dropped EXE
                                      PID:3284
                                      • C:\Windows\SYSTEM32\schtasks.exe
                                        schtasks /delete /tn "csrss" /f
                                        5⤵
                                          PID:1452
                                        • C:\Windows\SYSTEM32\schtasks.exe
                                          schtasks /delete /tn "ScheduledUpdate" /f
                                          5⤵
                                            PID:1852
                                  • C:\Windows\SysWOW64\explorer.exe
                                    C:\Windows\SysWOW64\explorer.exe
                                    1⤵
                                    • Accesses Microsoft Outlook profiles
                                    • outlook_office_path
                                    • outlook_win_path
                                    PID:2648
                                  • C:\Windows\explorer.exe
                                    C:\Windows\explorer.exe
                                    1⤵
                                      PID:4368
                                    • C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
                                      C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
                                      1⤵
                                      • Executes dropped EXE
                                      PID:3936
                                    • C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
                                      C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
                                      1⤵
                                      • Executes dropped EXE
                                      PID:4204
                                    • C:\Users\Admin\AppData\Roaming\btheefe
                                      C:\Users\Admin\AppData\Roaming\btheefe
                                      1⤵
                                      • Executes dropped EXE
                                      • Suspicious use of SetThreadContext
                                      • Checks SCSI registry key(s)
                                      • Suspicious behavior: MapViewOfSection
                                      PID:5064
                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                      C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                      1⤵
                                      • Executes dropped EXE
                                      • Suspicious use of SetThreadContext
                                      PID:3876
                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                        C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                        2⤵
                                        • Executes dropped EXE
                                        PID:4212
                                        • C:\Windows\SysWOW64\schtasks.exe
                                          /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
                                          3⤵
                                          • Creates scheduled task(s)
                                          PID:2272
                                    • C:\Users\Admin\AppData\Roaming\evheefe
                                      C:\Users\Admin\AppData\Roaming\evheefe
                                      1⤵
                                      • Executes dropped EXE
                                      PID:388
                                      • C:\Windows\SysWOW64\WerFault.exe
                                        C:\Windows\SysWOW64\WerFault.exe -u -p 388 -s 480
                                        2⤵
                                        • Program crash
                                        PID:2228
                                    • C:\Windows\windefender.exe
                                      C:\Windows\windefender.exe
                                      1⤵
                                      • Executes dropped EXE
                                      • Modifies data under HKEY_USERS
                                      PID:4840
                                    • C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
                                      C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
                                      1⤵
                                      • Executes dropped EXE
                                      PID:3428
                                    • C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
                                      C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
                                      1⤵
                                      • Executes dropped EXE
                                      PID:5004
                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                      C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                      1⤵
                                      • Executes dropped EXE
                                      PID:3504

                                    Downloads

                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

                                      Filesize

                                      1KB

                                      MD5

                                      aab2c0ac341d244950bd1fc232f6cd54

                                      SHA1

                                      024cc43041e8f4e0a113e1c5eafa28dc7afe778d

                                      SHA256

                                      a9fc1e5ea4a6d391f361aafe110970589f2d25665e456f43c9f16fa0c716bddd

                                      SHA512

                                      8bd7c9d0a827e0444cff4201ccac65a024c8147300c5cdad85a32f409d25b4b37e6ba85598fbb3c1b87a731c260091d7ad2dedc3e062cc159cdb16e7022537d7

                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

                                      Filesize

                                      724B

                                      MD5

                                      8202a1cd02e7d69597995cabbe881a12

                                      SHA1

                                      8858d9d934b7aa9330ee73de6c476acf19929ff6

                                      SHA256

                                      58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

                                      SHA512

                                      97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

                                      Filesize

                                      410B

                                      MD5

                                      587aed5bc722db92eb61cd08e357ee37

                                      SHA1

                                      bc8878a259c924b71b845bbbcfc095b0931f4670

                                      SHA256

                                      774d6fb2277b4de2bb9bf64984da7ac654ca1075818379e701071e5e3dcd172e

                                      SHA512

                                      d4a941a5065ddc3fcbe2dbf9ef2f681067cdfd42cb5f39faf4551bbfbd7739739b243d9ee3a98097ec5765a722fb75d7c8840f1163ac97700f325d16c618724f

                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

                                      Filesize

                                      392B

                                      MD5

                                      09013db70f481bfe7da25206295984ec

                                      SHA1

                                      ce861a5e92d80e3dbd6fdfcac431240190bb2c2a

                                      SHA256

                                      636ac1118e341a8b39b069942b505ec58cab58142b641a909f682e8b9e9f15c7

                                      SHA512

                                      87e375e8c03647fe8da732dbec6968441841fdb565ade4f78987d27909ad5781471e618f929347c356fad94754d23a5f6c7ad2a45ac8347c7773fd90436690ba

                                    • C:\Users\Admin\AppData\Local\73c85e65-09eb-4b35-a08f-56f24447fcae\build2.exe

                                      Filesize

                                      404KB

                                      MD5

                                      22f2fd94f57b71f36a31ea18be7d4b34

                                      SHA1

                                      a8dc0a1af7978fea291f5306f1937a90ac9b6b5b

                                      SHA256

                                      bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454

                                      SHA512

                                      5b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173

                                    • C:\Users\Admin\AppData\Local\73c85e65-09eb-4b35-a08f-56f24447fcae\build3.exe

                                      Filesize

                                      299KB

                                      MD5

                                      41b883a061c95e9b9cb17d4ca50de770

                                      SHA1

                                      1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

                                      SHA256

                                      fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

                                      SHA512

                                      cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

                                    • C:\Users\Admin\AppData\Local\8dac5d02-1360-435e-89af-f1f7f01bb4a9\3A06.exe

                                      Filesize

                                      715KB

                                      MD5

                                      b2c45459a0713d87615afcd993544e4f

                                      SHA1

                                      3d6065263779f06698a7c031da4d13e1ce46cfe0

                                      SHA256

                                      5688b2eaa7d5775f61c6b8bfe504e4073358268aef70d962b577a989ef1c3120

                                      SHA512

                                      ebe27e8fdd636f4d5e4306fb587cfcd3e2049c1a92ed6f25d8b72a5c99923080f316ff0c0ea4a5d665a30d47a1fa2e9d75b5ca2164a1f94a83b6bd0ab57984ed

                                    • C:\Users\Admin\AppData\Local\Temp\3A06.exe

                                      Filesize

                                      715KB

                                      MD5

                                      b2c45459a0713d87615afcd993544e4f

                                      SHA1

                                      3d6065263779f06698a7c031da4d13e1ce46cfe0

                                      SHA256

                                      5688b2eaa7d5775f61c6b8bfe504e4073358268aef70d962b577a989ef1c3120

                                      SHA512

                                      ebe27e8fdd636f4d5e4306fb587cfcd3e2049c1a92ed6f25d8b72a5c99923080f316ff0c0ea4a5d665a30d47a1fa2e9d75b5ca2164a1f94a83b6bd0ab57984ed

                                    • C:\Users\Admin\AppData\Local\Temp\3B11.exe

                                      Filesize

                                      337KB

                                      MD5

                                      23aca9b594e0ec61e744a486c34ed0ef

                                      SHA1

                                      44d7b53c310732634fbf48c2f313505cdb62c6a8

                                      SHA256

                                      59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61

                                      SHA512

                                      dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

                                    • C:\Users\Admin\AppData\Local\Temp\3DC2.dll

                                      Filesize

                                      1.9MB

                                      MD5

                                      fe7facf5c1db2d17313299c58c6e1ca2

                                      SHA1

                                      4dc53db5c9c8ac085f329dec8be5d325a1b46ac5

                                      SHA256

                                      3a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b

                                      SHA512

                                      1fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060

                                    • C:\Users\Admin\AppData\Local\Temp\4D24.exe

                                      Filesize

                                      307KB

                                      MD5

                                      55f845c433e637594aaf872e41fda207

                                      SHA1

                                      1188348ca7e52f075e7d1d0031918c2cea93362e

                                      SHA256

                                      f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39

                                      SHA512

                                      5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

                                    • C:\Users\Admin\AppData\Local\Temp\54D6.exe

                                      Filesize

                                      261KB

                                      MD5

                                      df7a50c002e636cf21e25eaa5d53e00d

                                      SHA1

                                      8cc44f318e30860c1c03cdf03560d5e2df171904

                                      SHA256

                                      1b31afd01ea5333c8790b21991b9f13498eda41fd6ed23ba24c1adcea7328f7c

                                      SHA512

                                      25a747a551589ed78d6ceb9e1176e609c95eaa961a63a1eef06ce13d8890980f4587a757968ce4e2b28d86c36b90b367881fc16ed136c49e064e4f2dcfb34681

                                    • C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

                                      Filesize

                                      307KB

                                      MD5

                                      55f845c433e637594aaf872e41fda207

                                      SHA1

                                      1188348ca7e52f075e7d1d0031918c2cea93362e

                                      SHA256

                                      f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39

                                      SHA512

                                      5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

                                    • C:\Users\Admin\AppData\Local\Temp\6D7F.exe

                                      Filesize

                                      4.1MB

                                      MD5

                                      f0118fdfcadf8262c58b3638c0edc6a9

                                      SHA1

                                      a10b96bfc56711c9d605a0b61cca01b4ba6b6658

                                      SHA256

                                      8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205

                                      SHA512

                                      99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

                                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hmn1id03.iep.ps1

                                      Filesize

                                      1B

                                      MD5

                                      c4ca4238a0b923820dcc509a6f75849b

                                      SHA1

                                      356a192b7913b04c54574d18c28d46e6395428ab

                                      SHA256

                                      6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

                                      SHA512

                                      4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

                                    • C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

                                      Filesize

                                      3.2MB

                                      MD5

                                      f801950a962ddba14caaa44bf084b55c

                                      SHA1

                                      7cadc9076121297428442785536ba0df2d4ae996

                                      SHA256

                                      c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f

                                      SHA512

                                      4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

                                    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

                                      Filesize

                                      99KB

                                      MD5

                                      09031a062610d77d685c9934318b4170

                                      SHA1

                                      880f744184e7774f3d14c1bb857e21cc7fe89a6d

                                      SHA256

                                      778bd69af403df3c4e074c31b3850d71bf0e64524bea4272a802ca9520b379dd

                                      SHA512

                                      9a276e1f0f55d35f2bf38eb093464f7065bdd30a660e6d1c62eed5e76d1fb2201567b89d9ae65d2d89dc99b142159e36fb73be8d5e08252a975d50544a7cda27

                                    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

                                      Filesize

                                      281KB

                                      MD5

                                      d98e33b66343e7c96158444127a117f6

                                      SHA1

                                      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

                                      SHA256

                                      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

                                      SHA512

                                      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

                                      Filesize

                                      299KB

                                      MD5

                                      41b883a061c95e9b9cb17d4ca50de770

                                      SHA1

                                      1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

                                      SHA256

                                      fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

                                      SHA512

                                      cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

                                    • C:\Users\Admin\AppData\Roaming\btheefe

                                      Filesize

                                      240KB

                                      MD5

                                      b4b15aef4d2769d9e337702ce7aa7567

                                      SHA1

                                      e86f505fb4ccbd77cabdc6287b3a4fe0de1b526c

                                      SHA256

                                      914f1d5465e5201dc2a565458ac9744aae002a6c7ec55a77384b0b8aac97da40

                                      SHA512

                                      30bd7de40cad2620b5883bcbc8c7b7b06787271b941c759ad3581b4b4b83c267bff074a93a76d39d2c45e0598bd7496d52af63d2e81d2449593a105c4a7ee80d

                                    • C:\Users\Admin\AppData\Roaming\evheefe

                                      Filesize

                                      261KB

                                      MD5

                                      df7a50c002e636cf21e25eaa5d53e00d

                                      SHA1

                                      8cc44f318e30860c1c03cdf03560d5e2df171904

                                      SHA256

                                      1b31afd01ea5333c8790b21991b9f13498eda41fd6ed23ba24c1adcea7328f7c

                                      SHA512

                                      25a747a551589ed78d6ceb9e1176e609c95eaa961a63a1eef06ce13d8890980f4587a757968ce4e2b28d86c36b90b367881fc16ed136c49e064e4f2dcfb34681

                                    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

                                      Filesize

                                      2KB

                                      MD5

                                      1c19c16e21c97ed42d5beabc93391fc5

                                      SHA1

                                      8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

                                      SHA256

                                      1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

                                      SHA512

                                      7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

                                    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                                      Filesize

                                      18KB

                                      MD5

                                      3a2e3e86d1dab44facbd6dc1b010655e

                                      SHA1

                                      08c11919faddcc165701983800bfd92fd92d02a8

                                      SHA256

                                      3a06b5cf99a554645520394af2bce3a3755d1fc5f2c0b7e72f4e7010dc3864a0

                                      SHA512

                                      f2fade8fb3723a30ec9f0addf340b94d589238d4805443512be5a0cbcfadfa76be57c047a213c084e7dd417ba894602688b19eacd7c41ad43abb23d0b9b9a633

                                    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                                      Filesize

                                      18KB

                                      MD5

                                      e98ef944526290138bff2f425a3aeb24

                                      SHA1

                                      d859c86651b2b3263ad3ba218db33925be2f3e20

                                      SHA256

                                      ca564d0ace6e809b79cc86e00e3d5c7da5356f01b269625d7ca73ba19ed288e8

                                      SHA512

                                      e21a945ae2b5c635f53437170e59fc3367d8e7f4f8b99de38eb91a6cc0e63e301d84b31a368034c9577210bca7240533de11594253e04ece564529db96f8e743

                                    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                                      Filesize

                                      18KB

                                      MD5

                                      050cd3128fb974b4614e06654738b2a8

                                      SHA1

                                      708beb1a748fe20a3068a64d34f19652724e61a2

                                      SHA256

                                      180bbc38abf4eb582e9df650346396a23d00a917b96e1a8e2e7bcccd84917fb1

                                      SHA512

                                      8e70cb0f9b97673405d2273f5071fdac42375ed3a815fab304d804bba91971617c0556bbf56cb7e0105b6a753f62d0357cf14da303f0e75bd6393b0d7003d107

                                    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                                      Filesize

                                      18KB

                                      MD5

                                      9f1ab4e3c6725298792dcd859d7c1172

                                      SHA1

                                      6b0a34abecf084e4f68fe1e2e38c2d9ac7d476f2

                                      SHA256

                                      c7b00b7f9c67ec434f1d3767fa74ea3663abc6808acc0b2cb0026aa535fb6075

                                      SHA512

                                      45989816b2d3fa270eee4aec184e32d2950118412048e89c4fb5c5918df0f718e00d98a8e4a35f8a02b88093b2856627c1915effdf83c0c414d7942b06610860

                                    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                                      Filesize

                                      18KB

                                      MD5

                                      d7411a62957991d0016029465a95b2c0

                                      SHA1

                                      7b78dfffecd8cb794bcdcb40ae2eaef571b34e9d

                                      SHA256

                                      a42174debe7b719fd6544abb734c298cf354f8c4f21790e23f6c56dc1a29a17e

                                      SHA512

                                      5ebdb8a217407f862fb0ba45d7b5f3cc902a14bfd77967720a9152b3a2d2e242a08c7409053153af14eebab9afc25acc678a401a9545fd6e5113f98f82c1c8f3

                                    • C:\Windows\rss\csrss.exe

                                      Filesize

                                      4.1MB

                                      MD5

                                      f0118fdfcadf8262c58b3638c0edc6a9

                                      SHA1

                                      a10b96bfc56711c9d605a0b61cca01b4ba6b6658

                                      SHA256

                                      8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205

                                      SHA512

                                      99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

                                    • C:\Windows\windefender.exe

                                      Filesize

                                      2.0MB

                                      MD5

                                      8e67f58837092385dcf01e8a2b4f5783

                                      SHA1

                                      012c49cfd8c5d06795a6f67ea2baf2a082cf8625

                                      SHA256

                                      166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

                                      SHA512

                                      40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

                                    • \ProgramData\mozglue.dll

                                      Filesize

                                      593KB

                                      MD5

                                      c8fd9be83bc728cc04beffafc2907fe9

                                      SHA1

                                      95ab9f701e0024cedfbd312bcfe4e726744c4f2e

                                      SHA256

                                      ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

                                      SHA512

                                      fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

                                    • \ProgramData\nss3.dll

                                      Filesize

                                      2.0MB

                                      MD5

                                      1cc453cdf74f31e4d913ff9c10acdde2

                                      SHA1

                                      6e85eae544d6e965f15fa5c39700fa7202f3aafe

                                      SHA256

                                      ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

                                      SHA512

                                      dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

                                    • \Users\Admin\AppData\Local\Temp\3DC2.dll

                                      Filesize

                                      1.9MB

                                      MD5

                                      fe7facf5c1db2d17313299c58c6e1ca2

                                      SHA1

                                      4dc53db5c9c8ac085f329dec8be5d325a1b46ac5

                                      SHA256

                                      3a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b

                                      SHA512

                                      1fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060
