Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-02-2024 19:40

General

  • Target

    SWIFT TRANSFER.exe

  • Size

    1.0MB

  • MD5

    397cd818297d991cdd6497572d261a25

  • SHA1

    11cc48c47f1aac9af6ed1e15f66bba98899581b9

  • SHA256

    0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50

  • SHA512

    c683a1327f887c8e82eb032df862c84e3faa58dcfa9ff37ad5d7fd6287a356e59ae32b8512862f88d03bf8d63b71a95682343c8d3d982f76c3ce398371ebcb4f

  • SSDEEP

    24576:pO9cxPuT2Vj/wgFXRtl+btB7QVdWfXDE1MIz53u:pOV6Nz9YbATWvDlIN3u

Malware Config

Extracted

Family

darkcloud

Attributes

Signatures

  • DarkCloud

    An information stealer written in Visual Basic.

  • Detect Neshta payload 62 IoCs
  • Neshta

    Malware from the Neshta family is designed to inject itself into other files in order to spread and cause damage.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 5 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe
    "C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe"
    1⤵
    • Checks computer location settings
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:5036
    • C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1496
      • C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe
        "C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe"
        3⤵
        • Executes dropped EXE
        PID:3360
      • C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe
        "C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4484
      • C:\Windows\svchost.com
        "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GuQWhxmyGNWUd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp92CA.tmp"
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:4708
      • C:\Windows\svchost.com
        "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GuQWhxmyGNWUd.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1404
  • C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\System32\schtasks.exe /Create /TN Updates\GuQWhxmyGNWUd /XML C:\Users\Admin\AppData\Local\Temp\tmp92CA.tmp
    1⤵
    • Creates scheduled task(s)
    PID:4128
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\GuQWhxmyGNWUd.exe
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4976

Network

MITRE ATT&CK Enterprise v15

Downloads


    Filesize

    304KB

  • memory/4976-234-0x00000000028A0000-0x00000000028B0000-memory.dmp

    Filesize

    64KB

  • memory/4976-237-0x00000000076A0000-0x0000000007D1A000-memory.dmp

    Filesize

    6.5MB

  • memory/4976-238-0x0000000007060000-0x000000000707A000-memory.dmp

    Filesize

    104KB

  • memory/4976-235-0x0000000006F20000-0x0000000006FC3000-memory.dmp

    Filesize

    652KB

  • memory/4976-236-0x00000000028A0000-0x00000000028B0000-memory.dmp

    Filesize

    64KB

  • memory/4976-223-0x0000000070230000-0x000000007027C000-memory.dmp

    Filesize

    304KB

  • memory/4976-222-0x000000007EE60000-0x000000007EE70000-memory.dmp

    Filesize

    64KB

  • memory/4976-239-0x00000000070D0000-0x00000000070DA000-memory.dmp

    Filesize

    40KB

  • memory/4976-219-0x0000000005D50000-0x0000000005D6E000-memory.dmp

    Filesize

    120KB

  • memory/4976-187-0x00000000058A0000-0x0000000005BF4000-memory.dmp

    Filesize

    3.3MB

  • memory/4976-164-0x00000000028A0000-0x00000000028B0000-memory.dmp

    Filesize

    64KB

  • memory/4976-166-0x0000000004F30000-0x0000000005558000-memory.dmp

    Filesize

    6.2MB

  • memory/4976-233-0x00000000062F0000-0x000000000630E000-memory.dmp

    Filesize

    120KB

  • memory/4976-241-0x0000000007260000-0x0000000007271000-memory.dmp

    Filesize

    68KB

  • memory/4976-165-0x00000000028A0000-0x00000000028B0000-memory.dmp

    Filesize

    64KB

  • memory/4976-167-0x00000000055D0000-0x0000000005636000-memory.dmp

    Filesize

    408KB

  • memory/4976-168-0x0000000005730000-0x0000000005796000-memory.dmp

    Filesize

    408KB

  • memory/4976-148-0x00000000739A0000-0x0000000074150000-memory.dmp

    Filesize

    7.7MB

  • memory/4976-147-0x00000000028B0000-0x00000000028E6000-memory.dmp

    Filesize

    216KB

  • memory/4976-242-0x0000000007290000-0x000000000729E000-memory.dmp

    Filesize

    56KB

  • memory/4976-243-0x00000000072A0000-0x00000000072B4000-memory.dmp

    Filesize

    80KB

  • memory/4976-244-0x00000000073A0000-0x00000000073BA000-memory.dmp

    Filesize

    104KB

  • memory/4976-245-0x0000000007380000-0x0000000007388000-memory.dmp

    Filesize

    32KB

  • memory/4976-248-0x00000000739A0000-0x0000000074150000-memory.dmp

    Filesize

    7.7MB

  • memory/5036-250-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/5036-163-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/5036-109-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB