Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240221-en locale:en-us os:windows10-2004-x64 system
  • submitted
    23/02/2024, 11:25

General

  • Target

    2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe

  • Size

    14.5MB

  • MD5

    17512948ac977a49f9e8976a86873365

  • SHA1

    4251b97ea667160d8d27a4c66eee84cfc8d14a4f

  • SHA256

    1260d3b23e47b2ce5d9445e8e00c90ce36630e8cd6db057f56be10a857fb6589

  • SHA512

    ae70137b427a9b8ca43e60855b848055f5626f204691c23e10bf90dc2345084afbfddbb0b98c42cf30c9927888770efb2ef746b157100ea338badd6cd83b287c

  • SSDEEP

    196608:RZ7dIzfYP++zRtUaYrXwr68+aghNu7XWyBOKl4lCmK2ouuqrR:HWz6oaYrXwr68yNu7XLBOU45d

Malware Config

Signatures

  • Detects executables packed with Dotfuscator 2 IoCs
  • Detects executables packed with SmartAssembly 2 IoCs
  • Detects executables packed with Yano Obfuscator 2 IoCs
  • Executes dropped EXE 22 IoCs
  • Loads dropped DLL 7 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 38 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 55 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3252
    • \??\c:\users\admin\appdata\local\temp\2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
      c:\users\admin\appdata\local\temp\2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=100.282.200 --initial-client-data=0x2e8,0x2e0,0x2ec,0x2e4,0x2f0,0x1402d1680,0x1402d1690,0x1402d16a0
      2⤵
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4360
    • \??\c:\users\admin\appdata\local\temp\2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
      "c:\users\admin\appdata\local\temp\2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe" --use-crash-handler-with-id="\\.\pipe\crashpad_3252_RRJEXIPYQWGFCKLB" --sandboxed-process-id=2 --init-done-notifier=860 --sandbox-mojo-pipe-token=6426324206669266493 --mojo-platform-channel-handle=836 --engine=2
      2⤵
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      PID:3892
    • \??\c:\users\admin\appdata\local\temp\2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
      "c:\users\admin\appdata\local\temp\2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe" --use-crash-handler-with-id="\\.\pipe\crashpad_3252_RRJEXIPYQWGFCKLB" --sandboxed-process-id=3 --init-done-notifier=1404 --sandbox-mojo-pipe-token=6291107651173862812 --mojo-platform-channel-handle=1400
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2224
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    1⤵
    • Executes dropped EXE
    PID:4128
  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    PID:1748
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    1⤵
      PID:1276
    • C:\Windows\system32\fxssvc.exe
      C:\Windows\system32\fxssvc.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:984
    • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:4344
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:2176
    • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
      "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
      1⤵
      • Executes dropped EXE
      PID:4216
    • C:\Windows\System32\msdtc.exe
      C:\Windows\System32\msdtc.exe
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      PID:4092
    • \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
      "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
      1⤵
      • Executes dropped EXE
      PID:3768
    • C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
      C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
      1⤵
      • Executes dropped EXE
      PID:3288
    • C:\Windows\SysWow64\perfhost.exe
      C:\Windows\SysWow64\perfhost.exe
      1⤵
      • Executes dropped EXE
      PID:652
    • C:\Windows\system32\locator.exe
      C:\Windows\system32\locator.exe
      1⤵
      • Executes dropped EXE
      PID:4780
    • C:\Windows\System32\SensorDataService.exe
      C:\Windows\System32\SensorDataService.exe
      1⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      PID:512
    • C:\Windows\System32\snmptrap.exe
      C:\Windows\System32\snmptrap.exe
      1⤵
      • Executes dropped EXE
      PID:1424
    • C:\Windows\system32\spectrum.exe
      C:\Windows\system32\spectrum.exe
      1⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      PID:1704
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
      1⤵
        PID:4100
      • C:\Windows\System32\OpenSSH\ssh-agent.exe
        C:\Windows\System32\OpenSSH\ssh-agent.exe
        1⤵
        • Executes dropped EXE
        PID:1060
      • C:\Windows\system32\TieringEngineService.exe
        C:\Windows\system32\TieringEngineService.exe
        1⤵
        • Executes dropped EXE
        • Checks processor information in registry
        • Suspicious use of AdjustPrivilegeToken
        PID:2124
      • C:\Windows\system32\AgentService.exe
        C:\Windows\system32\AgentService.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3500
      • C:\Windows\System32\vds.exe
        C:\Windows\System32\vds.exe
        1⤵
        • Executes dropped EXE
        PID:1464
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4380
      • C:\Windows\system32\wbengine.exe
        "C:\Windows\system32\wbengine.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2548
      • C:\Windows\system32\wbem\WmiApSrv.exe
        C:\Windows\system32\wbem\WmiApSrv.exe
        1⤵
        • Executes dropped EXE
        PID:1708
      • C:\Windows\system32\SearchIndexer.exe
        C:\Windows\system32\SearchIndexer.exe /Embedding
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1716
        • C:\Windows\system32\SearchProtocolHost.exe
          "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
          2⤵
          • Modifies data under HKEY_USERS
          PID:2284
        • C:\Windows\system32\SearchFilterHost.exe
          "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
          2⤵
          • Modifies data under HKEY_USERS
          PID:3160

      Network

            MITRE ATT&CK Enterprise v15


            Downloads

            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

              Filesize

              64KB

              MD5

              a83fb9a0a86632136b44bd2261f59980

              SHA1

              ed4e325c3ea50aa12f0386de810052b6b76b7852

              SHA256

              0db65c016bc24c48d4d405d7ddf541a3c15d343c4527abde47e133a479817a5a

              SHA512

              3a0f80e094e1165a5964bce3fe4ab22bfedb299b3185c27c10e7a7fd497b365b3dc14c7f8ea9585815d30be50ff4b32ed426c7b312f3e34aef73f692a3ed408f

            • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

              Filesize

              1.7MB

              MD5

              484ee7e7d777b17de22ff631718dd8d6

              SHA1

              b1cbeaaa5fa31c058c26c0cc49e2870d71c65c75

              SHA256

              07043b1e08c994795761d506334f27293e29c7e1551f3d5a3b9beca0979a010c

              SHA512

              b0e9e8bad69b12858f923569615b6b76030b6dc34493455c5c4c76959fbe88704fb9ea014ccbdc1cf0aac969788788dc4b07adffdac23833687e9b9ae14b6684

            • C:\Program Files\7-Zip\7z.exe

              Filesize

              2.1MB

              MD5

              fb0116f12d44b56f5d20074b065f72d5

              SHA1

              fb672f2e08a4d439cbeda25fd3e4dfacc71aa118

              SHA256

              01878dd92de96573973838d9b07bfa7985947c980a89e3af035e07837986a7cb

              SHA512

              630880f5b3c002f09c4f6f1e042af2888b7019a22030229b942d8f5d2d24db954f886b01c7ffa5311376c2ec3686a4cc3d7449f94c38625d0e1c5211e6ad0198

            • C:\Program Files\7-Zip\7zFM.exe

              Filesize

              1.5MB

              MD5

              a9e723fcd443b640d87485731cd16517

              SHA1

              6dcee9161fe0d633dff36096c730a6cf45e33dc5

              SHA256

              52858693b4321b2e0a14b3938f238b7022da8cf75bacdfaa379fa1244ab517df

              SHA512

              53daa5066e27f3cbf2359600f1ee02235be3b4bd7f85f4f9ecaed634558bf1d1fbd1e19c12148714db229b09b4fcac51a5c702d9798531c3779c850c3346992e

            • C:\Program Files\7-Zip\7zG.exe

              Filesize

              1.2MB

              MD5

              bc06fc863029e39778315f396a2b9b8f

              SHA1

              f0a1b8b95cb2c148ed63bf63f50ac3aa5d59a37f

              SHA256

              9a91aa9ef42e5ab9d0fe69c1c831625bd2197a1fc43c81990ab621e08b537b3c

              SHA512

              b97c77a61844362e45221f9b8c72dae875ab466228d9dc186c7a77ae6a2838bb8968acc27864b2761d175f9b14d2ff033e46e06eb18868a8e04f7f2f562ab57b

            • C:\Program Files\7-Zip\Uninstall.exe

              Filesize

              1.5MB

              MD5

              515a5826eeedb40d34067a1a9deae695

              SHA1

              4160e686a767da344547f08db9432e360ab333f3

              SHA256

              d0d953117546f5e18633c13640660735cdb3e938590d8ce45d3d718c3eb4bcad

              SHA512

              db7df89967aac9971a9848ef4335c65b0c1fddf26a9b1e1e8a6bff7d7eb11b793c46526801ed5c9bc26aedac5776d9f250767e48fb40ae84951008f7209cfb4f

            • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

              Filesize

              1.8MB

              MD5

              6d3de24d8ad67a1edb74b57c377207ff

              SHA1

              ad53414926c050d5e9fc362a586bbc210f30109c

              SHA256

              17f358227a29715313ccee1c72efd532f5523a9b4c8e0dd926f2b57cb7ba0e51

              SHA512

              6565d90f8b73d09618643560210a8a1f40659c731e4df65136a24bd86853c059a55c7c064ac61bca9fe1b96fdde59d724d82eddebbd477d99899b14d9ef39eed

            • C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

              Filesize

              4.6MB

              MD5

              83da0a240e8fa44d7e8121af582bbcbd

              SHA1

              ad8d5aa123ec7d6bc36970c27870b4c7faa48622

              SHA256

              a462f605feb24270b063694c0e7ac08e787d6c9bdca52460494df85d32cd9263

              SHA512

              dbc25591f4077306931c7a05e73d7b320efb0ea4d8b32cb882be12b9a69ac77030ed6789db6133687e3a735e14e5452b7dc7b486d53681be4816d9d799fbbec1

            • C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

              Filesize

              1.9MB

              MD5

              753fedbfd80e3bd9f447bf64cdf9c6ee

              SHA1

              e6de39862f6979ba2c806e4b1f3a90ec2f7f17ad

              SHA256

              d271daf9c149ca6d84f67b21ce1ff7a03ab668842cd5503efa01ccf7af333751

              SHA512

              87216e0a72731894d5aaa591d05e676388d927472a6acbed9ccf1e46bdae148ecd86858888bb73d5bd8e05c180e6c6df358efbf69da731a7e75fb4dba48683ce

            • C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

              Filesize

              24.0MB

              MD5

              a407e921b1a4862218b5d29ad22c8a94

              SHA1

              2f6de5cbc7d26c7d0abfbea294f08543b8775d47

              SHA256

              c67f2b068186ce06ab1a8ce4d62beae8edb993bc05454aa8b832beb0c8bc4146

              SHA512

              2dbb5fbd9a909ac800ca4e9213692345b35cbf9b06c42697825e7bc374819890b0e32b8ccb7033620597423f24f8ad76cdc2789f1d2f82b14bfb2b1514350f67

            • C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

              Filesize

              2.7MB

              MD5

              8ac9b69afe0011b3586488c66969ff3a

              SHA1

              992f17735a05c821c714b9402a95ce646d234bc8

              SHA256

              fad655e17803c2d3fbd3aa25fcbe210b98b0652127ffe829ac4a9f0faa957aa7

              SHA512

              b4ee211c8db84874e150513439421e54b1302d03343be3fcef8e83bbab11e306b810a9096cf4b242dfc1f60d630dce53ba706a0cc2ca553d3622b96ead6d3e52

            • C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

              Filesize

              1.1MB

              MD5

              30b0563194fe645d4fb384d0868b5fbd

              SHA1

              497dc7b13f2b10bebc18279a4ca3ddad1d494835

              SHA256

              9884515edaa0f7e021bb44619230d6d49d893466747c6345c508e1c99263b0d2

              SHA512

              7f4cf1663b874acb71429eecc6909eff5edf7d9047177cff613fa2def4dac32a613f0f7523d908cae7c476a8dab03cc34f661e3d4c9ca38852f801dbbdd1af1d

            • C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

              Filesize

              896KB

              MD5

              020be5d3a1281a354d9e9ea506d3d13e

              SHA1

              6cb57f045067598dc21eb46972657eefc57593b2

              SHA256

              2c5a2bab2b0c06de901c4af40958480e535691898930a3d7787da697c72b185b

              SHA512

              372222cc7407b540b0efd0333aeb7083cf614e614da1bfa8e9540cf7e4c1f0c41652cf9a654cbf430583e43c79f8c114557affccaabaec4b48943a506a786795

            • C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

              Filesize

              1.6MB

              MD5

              2ace8e7da96abca4f41735c43775ad75

              SHA1

              cb6c142d35b5674ecc69b51b6a296526498afc7e

              SHA256

              39640f9ccbe458dd2e25b6c35e784bbb4e51f32728ebfba943ad74e39dca04c2

              SHA512

              6ad75eba2761fe3a014fddff920f322f1ac6ffc9b76602a71efe1058057db9556a6102e53d724aaa47f2f92b98fa6995036bde69bb2d7326e65e0b1e78bc52fd

            • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

              Filesize

              2.1MB

              MD5

              7274c5229170355e56e349a0a86a562b

              SHA1

              a5ef89117fa719b696238966787dad7a7d87ce88

              SHA256

              a3ae50b654c082a92e227d79a8904f3bbfb56f2bbe8cab864ec8d8001f95025d

              SHA512

              2b0d366577a900cc54986aca19c13fc1dae0b555cad7fe0fb2e3b6da037ff53ca5522338528e97665776a19cfc6eec67b527b881abec86a7a2c3d954edce0384

            • C:\Program Files\Windows Media Player\wmpnetwk.exe

              Filesize

              1.5MB

              MD5

              1f0d8c7dd074241baac7dc6c8ac5914e

              SHA1

              3dabcaaec60d93b4b74629382702842d51705943

              SHA256

              014098ed86f0b916507213595ce79c9cb96897debfe7252c6c91edb3091c9add

              SHA512

              d719b841bcff249eaec1f1db9c40600064d513d340ae468317ad71f3211b1097edda5cf63d28779da1f966974660d6a3bbd19d01cae024c131f2f4f158fc0284

            • C:\Program Files\dotnet\dotnet.exe

              Filesize

              1.7MB

              MD5

              9a0cdf07971dbfea9d52d0dd82c7a8f9

              SHA1

              78f4dbeb8153fdb198cec9034155445b11448450

              SHA256

              6a9b38da7e8256a62d566d0a3e5daf758b5965c666e2d492246dc8c8f12c4956

              SHA512

              b2e7c7fa00ddc15f9ba9a2204fc890ec176f398d706e2cfba1dbd4753522edad4377b870904bc371c53790ac8e4888628c4c9a1be794cae211b9d6f00888413a

            • C:\Users\Admin\AppData\Local\Google\Software Reporter Tool\software_reporter_tool-sandbox.log

              Filesize

              1KB

              MD5

              41302b5266f8db87b3c65e7936334c06

              SHA1

              383e25b8c1727bf9ea8919166f38697f293d0481

              SHA256

              093a880b06d48ad7218e4f82edfbfabc3b48cefab99201f47f8e3b8560784f64

              SHA512

              4d8a790a847a0e0267223597a2f97bf35fbf38351588632776891599bf459017e91431f3557ec6151e9a07f9e5e228c54b0383458c609d31572177ee9ea9a44c

            • C:\Users\Admin\AppData\Local\Temp\edls_64.dll

              Filesize

              446KB

              MD5

              e9a7c44d7bda10b5b7a132d46fcdaf35

              SHA1

              5217179f094c45ba660777cfa25c7eb00b5c8202

              SHA256

              35351366369a7774f9f30f38dc8aa3cd5e087acd8eae79e80c24526cd40e95a1

              SHA512

              e76308eee65bf0bf31e58d754e07b63092a4109ef3d44df7b746da99d44be6112bc5f970123c4e82523b6d301392e09c2cfc490e304550b42d152cdb0757e774

            • C:\Users\Admin\AppData\Local\Temp\em000_64.dll

              Filesize

              36KB

              MD5

              d0cf72186dbaea05c5a5bf6594225fc3

              SHA1

              0e69efd78dc1124122dd8b752be92cb1cbc067a1

              SHA256

              225d4f7e3ab4687f05f817435b883f6c3271b6c4d4018d94fe4398a350d74907

              SHA512

              8122a9a9205cfa67ff87cb4755089e5ed1acf8f807467216c98f09f94704f98497f7aa57ad29e255efa4d7206c577c4cf7fed140afb046499fc2e57e03f55285

            • C:\Users\Admin\AppData\Local\Temp\em001_64.dll

              Filesize

              378KB

              MD5

              7adcb76ec34d774d1435b477e8625c47

              SHA1

              ec4ba0ad028c45489608c6822f3cabb683a07064

              SHA256

              a55be2be943078157b7d1cfb52febd4a95e4c7a37995bb75b19b079cc1ee5b9d

              SHA512

              c1af669ee971b4f4a3bb057fe423a63376cfc19026650036b29d77fed73458d235889a662ac5e12c871c3e77f6fbdb1fa29c0dfa488a4a40fa045d79eb61e7c4

            • C:\Users\Admin\AppData\Local\Temp\em002_64.dll

              Filesize

              640KB

              MD5

              4247fa3a043c750081a0da8def8a7d38

              SHA1

              3ef146ccc895ae3a7f574adf8598016d0a0d0016

              SHA256

              119c572828255ab2f8f637265d92f017899163c7f474f4e12e865f996d427f48

              SHA512

              7460760c3b54d3e711f67087558c75c51a2f998da722e518c02c78bd08a06e963cf708d7088ea29538150d7e55e072468a613fb7c694e4d90fe9c8a3e89d3efb

            • C:\Users\Admin\AppData\Local\Temp\em003_64.dll

              Filesize

              640KB

              MD5

              51d9b24494cef634dfe2dd5f82fa4a65

              SHA1

              983b98dc406481d8dba97301950db0582ba25831

              SHA256

              67b07ae624a41f9a8e7471ce058d5cf8ce449f743abfb491f9576e472fc17db6

              SHA512

              7f3acc9350ee31a48f82636b29a0fcd09e8716eaa3e72bd0dc91a82eca30b2c91ed24c2f61cd374bcd96eb90eb7d9158620a7bc291c373ddcd86aa9df80cd937

            • C:\Users\Admin\AppData\Local\Temp\em004_64.dll

              Filesize

              576KB

              MD5

              a36d3123ccc058c13e18cea6b5e3872b

              SHA1

              af007822a98429c6ca24035937911db21c5a9a00

              SHA256

              3bd755beb8bf6ae76fa28cfe69996ad2d324f55f875e18dd6a62e411abe9b1cb

              SHA512

              942e8b188629a5886b43ab19b821a63bf6635bd62eab3c62398737ddebf79b4a5861d4fc21b26def984e966c7666985316d33281c7b2b19d6c25a85e6ab8f16e

            • C:\Users\Admin\AppData\Local\Temp\em005_64.dll

              Filesize

              384KB

              MD5

              cc4fa910844136ea666e9fc52b49f42b

              SHA1

              2f4fd086b5ce80841fa4d4ffc02d03ff68af60c7

              SHA256

              8e00d043688b192db7c5f7e953fce551f1dd193a60c6c25250cb2fb381bde790

              SHA512

              8298d977dd8fa1a9a12965480a38d9afbf94f3f1f142e05e8ee20ff393f2ce36f83cc00ab37925f911783aaa058e960e0c8b1098d5416bb326f09f70c3fd2d27

            • C:\Users\Admin\AppData\Roaming\dc9923a9ea8238e9.bin

              Filesize

              12KB

              MD5

              6d7e5555a5e8235a6f58e1c15dc075bd

              SHA1

              8282925744e0603803bfc640284d01dd8d3548f5

              SHA256

              0b46fcb2bd8a1fbcfa05d52b032d5bcdbedeae0653d9f48a1d0a4c1bab55f70e

              SHA512

              1d68ce0234da72dd99d3e13745afcff40d716053e010641028815f6d37371a41275685463abb6f3f520f12bd8350f8926d0ab90a3ece2be28113b70ac30ed05a

            • C:\Windows\SysWOW64\perfhost.exe

              Filesize

              1.6MB

              MD5

              b7230e5983b8c39291892f60157e110f

              SHA1

              acb148c13cbeb1229766892936e4a49723b0c7e0

              SHA256

              fef1bef5ac2c1f7d3c27758f116c7144d0409ed6e2da38ea852ba97845efa856

              SHA512

              0825bb6eaffb986a26b66f1dc443b2966a37c12f2fc092d61068fa9d997ce7a899c0bfa9406c8f1a4f4369b59b3aee0a5b8d6ce527795894e16fe06837373fd0

            • C:\Windows\System32\AgentService.exe

              Filesize

              1.7MB

              MD5

              7a5a29c60e27bd29dbcf45d329312f71

              SHA1

              9c3e9e4a69c284167b7e5c40de9416f7f753b96e

              SHA256

              f65573ad5cd2ad4d21569c03d342fca7f359c8c553626bd8a486befa1a7422d2

              SHA512

              6fc1a14a9f3770a3c761ee965f4adf4a04b9cc2bf46252774101e163237716ccf2b5d229677e4fafc09f191a0375473066d2608539395f7b188c9f79d345c98c

            • C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

              Filesize

              1.6MB

              MD5

              7b368fd4b2d12effd123619579b15d7b

              SHA1

              054b9a123c6f3afd16b9e1b36917cab44c7a4089

              SHA256

              cdd106c95d48593996e083ea81ca4dd35ba458600771319347b4e804c0c31f3a

              SHA512

              4e73967caed43ce313c79a6a5fe8540ec654d185fc8d712d1e121473c5a91ec210dac54c57a802963c587f5571231e423712fbb8f711fa629776698f6747467e

            • C:\Windows\System32\FXSSVC.exe

              Filesize

              1.2MB

              MD5

              e5506ad9ea134cc804b012ecf4545643

              SHA1

              cbb0297fbb5dd486c86d523783703cb79595a86e

              SHA256

              e8b8faebc135aa0998e46023e1ee642c892e55e7e41e8003c405eeb7ed5cff69

              SHA512

              c21035034c778adba368cbb87a8a8502abaee0f7900fd61f63f3bae2768310a5d527e0c31b5e5b8316db8145ee258d530975a42d90133daf56a41cb2cb91e87d

            • C:\Windows\System32\Locator.exe

              Filesize

              1.5MB

              MD5

              64078d4dbb565e2d928c88444548fa33

              SHA1

              766cdbc44d331bd0c1e3fe57e76c7e679d35f023

              SHA256

              2aa0c15cf766c3cbe00742c9bb9a123684a3de1c5eeff17216dd66c717d4d767

              SHA512

              9f9850d6c0006d3764b5bb92b828320b910b0cb1660102e84bc9a94b097dff95835467e42f9b259521cb8ed185e13e6e0a066781a7db69df77dfed7791094ed2

            • C:\Windows\System32\OpenSSH\ssh-agent.exe

              Filesize

              1.9MB

              MD5

              80026466cca4c41583a29e061b4ec47f

              SHA1

              2bfa8840f2bc96be876032528fa0a05c360f2a83

              SHA256

              32d6915e88d1900190baf5c1006b2634766a9d1857a8eec09497ecb0ac6985e3

              SHA512

              f4d0e50a1329be17dad2219da1377b1c2296c231733550fa0317d9c2481b1f802ed1a6cc776a00f57c8f845ff59815f00991ddb8505d6fae3d732311b8d7bc5f

            • C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

              Filesize

              1.6MB

              MD5

              041733bab23625b25f00f6667fc58ac6

              SHA1

              6a3046aa9dbf5404eddef13fd5977f818c656e8f

              SHA256

              adf6f14f9b2123f066e84657366b495ab381db225cd3fc2e3d900b8c318e042f

              SHA512

              15f72aec203f88059b4c8f70fb23586e4182618c134d138e36881209e61f710b49dd1c64860a25e4b522bcdd4f32f89c5b8cbce756a3d1980b5d19aff19a2a11

            • C:\Windows\System32\SearchIndexer.exe

              Filesize

              1.3MB

              MD5

              a7cf8ddef5f2d6f5d03ea8c7b5ad0ece

              SHA1

              99ec52bc38589b25981dd23ef03ba76084989b19

              SHA256

              7f7e7393635b39b06a674b31ca814107ee21634c63a5857e9118d617e9eb5805

              SHA512

              fbe53a2639ee0ee6a6f06f542d686f5c7d3390731dc24e5b799a45b68a26150f9fbbd2e39f5f04c61e4f43195beae377b824901106ff8e3b776a47462b6199cd

            • C:\Windows\System32\SensorDataService.exe

              Filesize

              1.8MB

              MD5

              191bf0a786b767bb44a5b660675c12ff

              SHA1

              5012b2aee2755b735c453ea166d410af9da9652c

              SHA256

              4c3ad3e8301dabf32f3225a52eef24f3bd06c0ae86af12c75828fc9c43c2b513

              SHA512

              0e6763ed7604862d5eb5e1c95b7d3a97082cc4ca5059f3d80abbde9a32cff7c114b23fa8f84179add626c486b7c494caafd249ca74a06aec2561fe3b2c8005d1

            • C:\Windows\System32\Spectrum.exe

              Filesize

              1024KB

              MD5

              9294563d1e4c90684e5cd0401fe22888

              SHA1

              b1be16df25952aea76fa225a7547229729230340

              SHA256

              dcb5013bb24bd16e18afab7f10a9e8c6abfa7fafa50ad85b5a279a58a566e964

              SHA512

              d37f02e343921d8f712761349e9a289aad36541b645dc29cb8f5fd93d04d57e240865cf54df731f96e4f100bfb39c742330495aaaae5854b828406f5e2a1729d

            • C:\Windows\System32\TieringEngineService.exe

              Filesize

              1.8MB

              MD5

              cdbe3263d4674404279222248cd24318

              SHA1

              94b1e918881a0085b85456fca86a5b074291cf8d

              SHA256

              e6a388b46598778fed4c77785b7dee922f12fb692ce9dc491daa7033fb42ff0a

              SHA512

              6ba92925bd180eeb620be0464ed3b411ad9939ed4a346d1a12aa177b2981537e6183ab2ade7ca29120c843045ed28acc1fdd27fcb41646f2819e983c1289d065

            • C:\Windows\System32\VSSVC.exe

              Filesize

              2.0MB

              MD5

              1a40caa92f90933a30d8e9ddac057025

              SHA1

              6214d47a2fa76a15edc643feb9c5c4406f5ab512

              SHA256

              a0712a26c727b52bc2ee6bb8b465a8c1c29a7c186b8e36688298cc0bbaada9cc

              SHA512

              660b77450c0268b120253bad31970234cf69028ada6cea7e45b72e924c64faf5aee827b3994bcbe811bfd576bc881e0457827520695ba8f15349ac9bfd5fc76f

            • C:\Windows\System32\alg.exe

              Filesize

              1.6MB

              MD5

              454a77574613db46015cc79f50668a69

              SHA1

              cc8a7a52a5f74d46dee30d69f44fea64067a9fe1

              SHA256

              ee06b99a2a675733b26c633d71369f7efb2e3a1bd70ec89c392c41b507f4a897

              SHA512

              508c2fcc77c24146271beb42c7ebb99082d680d1742fdaa12343573c5b48aab6f8b2ca83f919c41beaa3e2fb322c1a9f7727f9aebecd7315fe83978e60f15adb

            • C:\Windows\System32\msdtc.exe

              Filesize

              1.7MB

              MD5

              2baf96af9fa90ba82e3df0758a172267

              SHA1

              dcdf758265ab3fdb17bc81bc70a7875bd09f5b11

              SHA256

              4b2bb5819859ac106d6c09a5bd31581696127135652d5d5aeffafc51502b5b76

              SHA512

              c434c764d2ca1982f2f5401188c3e7d850363e5b7cbc2f5a76717490dad80ef9eef305689f14905419e54eefe1174a7367f9c50d7d2e03100d0cf006ecdbcd4d

            • C:\Windows\System32\msiexec.exe

              Filesize

              1.1MB

              MD5

              93dad8a22eb58c491452c3e23844141a

              SHA1

              c8be51249ffc606b1632f52119d08a14ae8755db

              SHA256

              94a2f723b5899a5218b7c850ae8adc78ede4a1c1d99dd22d0fc1f841ddef20ef

              SHA512

              b21ba5dfe7c7a0ee522803c008274dfca8f6592523cd1d7ad8d744c791fc633d9d91caadd30b5add163b1d36302da670b38cd1c48dd05a1858012dcf4819750a

            • C:\Windows\System32\snmptrap.exe

              Filesize

              1.5MB

              MD5

              1ad4cb4dbed8b44efcd856844d709fbf

              SHA1

              29b447c4af34932f0f58240457c3a21bbbef6705

              SHA256

              309a0998b7cef781776cad7fe30d631f5a4050076a052b734e2e16b5dcb7f988

              SHA512

              a082b74aad958cd355da15104d4cefbd0d9ce623421a2956d4fdd339df5ae2185198fb43a92d9418183585ce3bb6e9bdc6f5917eedda794658359298ca16b61f

            • C:\Windows\System32\vds.exe

              Filesize

              1.3MB

            • C:\Windows\System32\wbem\WmiApSrv.exe

              Filesize

              1.7MB

            • C:\Windows\System32\wbengine.exe

              Filesize

              2.1MB

            • C:\Windows\system32\AppVClient.exe

              Filesize

              1.3MB

            • C:\Windows\system32\SgrmBroker.exe

              Filesize

              1.8MB

            • C:\Windows\system32\msiexec.exe

              Filesize

              1.6MB

            • C:\odt\office2016setup.exe

              Filesize

              5.6MB

            • \??\c:\users\admin\appdata\local\Google\Software Reporter Tool\settings.dat

              Filesize

              40B

            • \??\c:\users\admin\appdata\local\temp\em001_64.dll

              Filesize

              320KB

            • \??\c:\users\admin\appdata\local\temp\em002_64.dll

              Filesize

              256KB

            • \??\c:\users\admin\appdata\local\temp\em003_64.dll

              Filesize

              320KB

            • \??\c:\users\admin\appdata\local\temp\em004_64.dll

              Filesize

              256KB

            • \??\c:\users\admin\appdata\local\temp\em005_64.dll

              Filesize

              291KB
