Analysis

  • max time kernel
    118s
  • max time network
    170s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240221-en locale:en-us os:windows10-2004-x64 system
  • submitted
    25-02-2024 22:46

General

  • Target

    0b31dc8d9eeaa4a6803873a6c1380c72.exe

  • Size

    211KB

  • MD5

    0b31dc8d9eeaa4a6803873a6c1380c72

  • SHA1

    89a3961bb7b5e29ce53cfc9bb64daa216259a85e

  • SHA256

    7c94ffaf6d76f18ce6bfc6039f9252a4b71d79e483d822aeab0de9b3189b6d0e

  • SHA512

    7c00f36554dfb6b611227255da75b92bb2200ceadcf92f71fd280cad4c55ee64ed588338b4ed73b110cbf054ea4774c71abc2a66220a65549e04b642404fd26d

  • SSDEEP

    3072:gyJtJkIZYF/TgVdkyrp90TvT5A70CutWTFlEz/BVwNMtyMz7:gyDahrgVdjrpc5EJkQMz

Malware Config

Extracted

Family

smokeloader

Botnet

tfd5

Extracted

Family

smokeloader

Version

2022

C2

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32
rc4.i32

Extracted

Family

djvu

C2

http://habrafa.com/test1/get.php

Attributes
  • extension

    .lkhy

  • offline_id

    OxV6DGl22io8sqMOW1zCCOlzPiv4f1Vqzw7Y8zt1

  • payload_url

    http://brusuax.com/dl/build2.exe

    http://habrafa.com/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://we.tl/t-uNdL2KHHdy Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0851ASdw

rsa_pubkey.plain

Extracted

Family

lumma

C2

https://resergvearyinitiani.shop/api

https://technologyenterdo.shop/api

https://detectordiscusser.shop/api

https://turkeyunlikelyofw.shop/api

https://associationokeo.shop/api

Signatures

  • DcRat 3 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Detect ZGRat V1 10 IoCs
  • Detected Djvu ransomware 10 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba payload 15 IoCs
  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • ZGRat

    ZGRat is remote access trojan written in C#.

  • Downloads MZ/PE file
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 9 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe
    "C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe"
    1⤵
    • DcRat
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:2172
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\486E.bat" "
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3000
    • C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
      2⤵
      PID:4720
  • C:\Users\Admin\AppData\Local\Temp\6C81.exe
    C:\Users\Admin\AppData\Local\Temp\6C81.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1720
    • C:\Users\Admin\AppData\Local\Temp\6C81.exe
      C:\Users\Admin\AppData\Local\Temp\6C81.exe
      2⤵
      • DcRat
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1160
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Local\f649dd18-3502-4a56-afb9-9fb69a04cd97" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        3⤵
        • Modifies file permissions
        PID:3936
      • C:\Users\Admin\AppData\Local\Temp\6C81.exe
        "C:\Users\Admin\AppData\Local\Temp\6C81.exe" --Admin IsNotAutoStart IsNotTask
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3512
        • C:\Users\Admin\AppData\Local\Temp\6C81.exe
          "C:\Users\Admin\AppData\Local\Temp\6C81.exe" --Admin IsNotAutoStart IsNotTask
          4⤵
          • Executes dropped EXE
          PID:4728
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 568
            5⤵
            • Program crash
            PID:4028
  • C:\Users\Admin\AppData\Local\Temp\A4B9.exe
    C:\Users\Admin\AppData\Local\Temp\A4B9.exe
    1⤵
    • Executes dropped EXE
    PID:1608
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B4D7.bat" "
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2672
    • C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
      2⤵
      PID:1892
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4728 -ip 4728
    1⤵
    PID:4392
  • C:\Users\Admin\AppData\Local\Temp\C36E.exe
    C:\Users\Admin\AppData\Local\Temp\C36E.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4300
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4844
    • C:\Users\Admin\AppData\Local\Temp\C36E.exe
      "C:\Users\Admin\AppData\Local\Temp\C36E.exe"
      2⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:3080
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        PID:808
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        PID:1988
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:3068
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        PID:440
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        PID:4188
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        PID:2404
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          PID:2824
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • DcRat
          • Creates scheduled task(s)
          PID:1272
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
          PID:1408
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          PID:1764
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          PID:3184
        • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
          C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
          4⤵
          PID:3900
  • C:\Users\Admin\AppData\Local\Temp\EA7F.exe
    C:\Users\Admin\AppData\Local\Temp\EA7F.exe
    1⤵
    • Executes dropped EXE
    PID:4696
  • C:\Users\Admin\AppData\Local\Temp\FD0E.exe
    C:\Users\Admin\AppData\Local\Temp\FD0E.exe
    1⤵
    • Executes dropped EXE
    PID:1860
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
      2⤵
      PID:2232
  • C:\Users\Admin\AppData\Local\Temp\5BE9.exe
    C:\Users\Admin\AppData\Local\Temp\5BE9.exe
    1⤵
    PID:2844
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
      2⤵
      PID:3756
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 436
        3⤵
        • Program crash
        PID:4704
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 432
        3⤵
        • Program crash
        PID:4844
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
      2⤵
      PID:1860
  • C:\Users\Admin\AppData\Local\Temp\81B1.exe
    C:\Users\Admin\AppData\Local\Temp\81B1.exe
    1⤵
    PID:4048
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\containerProviderhost\lSHV2TIIXWH4jLBRX.vbe"
      2⤵
      PID:4216
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\containerProviderhost\SSJnjC24t.bat" "
        3⤵
        PID:1548
        • C:\Windows\SysWOW64\reg.exe
          reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          4⤵
          • Modifies registry key
          PID:4860
        • C:\containerProviderhost\runtimenetSvc.exe
          "C:\containerProviderhost/runtimenetSvc.exe"
          4⤵
          PID:2288
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AjfCaQL16X.bat"
            5⤵
            PID:4868
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
              PID:2808
            • C:\Windows\system32\PING.EXE
              ping -n 10 localhost
              6⤵
              • Runs ping.exe
              PID:4896
            • C:\Windows\RemotePackages\RemoteDesktops\System.exe
              "C:\Windows\RemotePackages\RemoteDesktops\System.exe"
              6⤵
              PID:3840
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3756 -ip 3756
    1⤵
    PID:1224
  • C:\Windows\SysWOW64\dialer.exe
    "C:\Windows\system32\dialer.exe"
    1⤵
    PID:3792
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3756 -ip 3756
    1⤵
    PID:3228

Network

MITRE ATT&CK Enterprise v15

Downloads

                                                        • C:\Users\Admin\AppData\Local\Temp\486E.bat

                                                          Filesize

                                                          77B

                                                          MD5

                                                          55cc761bf3429324e5a0095cab002113

                                                          SHA1

                                                          2cc1ef4542a4e92d4158ab3978425d517fafd16d

                                                          SHA256

                                                          d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

                                                          SHA512

                                                          33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

                                                        • C:\Users\Admin\AppData\Local\Temp\5BE9.exe

                                                          Filesize

                                                          526KB

                                                          MD5

                                                          ce82ed5b937090512e881f7ed9351eaa

                                                          SHA1

                                                          dd3b34243673a2a96786677f0f4c517de1b3c055

                                                          SHA256

                                                          e97fce83b8cddecf3678a025dd38778e183278b43c77cea75aa82c2afa9e9821

                                                          SHA512

                                                          4b62e88f90020db839b1654dfbc734978f5820027198ab0fb363fbd4c108138725679a8b003ab529cda98ae67d6bfefd1b11a88ec291d5046ea59fca132e0806

                                                        • C:\Users\Admin\AppData\Local\Temp\5BE9.exe

                                                          Filesize

                                                          768KB

                                                          MD5

                                                          266f054b0cfcba0530a7231e8d09a99b

                                                          SHA1

                                                          3ed2c1300e2d85b1603e5a9052317589e6b7ed9b

                                                          SHA256

                                                          05fa4b3ed672782026fe190d6553cd99ef5b38ba37f70cf89d0de99ff6b50780

                                                          SHA512

                                                          4140284c6195ac45ea2dbf83a7c9b38fba043cff477875737b980fc187be6361f10ed8eb31a0000fc4f2c8732a843272a88d12468790f0806029b0d13b0b4bc8

                                                        • C:\Users\Admin\AppData\Local\Temp\6C81.exe

                                                          Filesize

                                                          742KB

                                                          MD5

                                                          3d196de47911047d26c003e31a878038

                                                          SHA1

                                                          c368e8a2dacb6c322064f7f2aeb0b3cbcb274cd9

                                                          SHA256

                                                          19b9c4e7ba38960b14cf6557c7b6b7989009f0a7e368f1936050d1606c4cfc4a

                                                          SHA512

                                                          30871d6b7a9d94a602f21a6f5325f017c735db491351b64d9044b497c0f2d1cd8f0988857a358f29e077047ab5800a6384a2aa2ab17a539c2092d8828e87581b

                                                        • C:\Users\Admin\AppData\Local\Temp\81B1.exe

                                                          Filesize

                                                          3.7MB

                                                          MD5

                                                          20de31c5226fde5ddae74894f2e3f618

                                                          SHA1

                                                          03b514401eb1c179f4eec5211f646148de8b0426

                                                          SHA256

                                                          6d5060a8430247a2500bd235d4588710f5ae1c3f8fa48b146914c672f8cc394a

                                                          SHA512

                                                          aa43a6436aa1dd518f36281b83e25f09d52e72d2f9df316eda8f32ec11296272acfa257c1d37b5a46a72b047fb14f1a25637e5923de7aa30240be78e888a5039

                                                        • C:\Users\Admin\AppData\Local\Temp\81B1.exe

                                                          Filesize

                                                          1.7MB

                                                          MD5

                                                          5650fcd780ba2a27c066848b3d7fadc3

                                                          SHA1

                                                          b9081e5dc28a5fa3df2234aab523501bb32991cb

                                                          SHA256

                                                          c21d644cfc73b7ddc4c19d0f5d7467d808391ff33fca7439c1606288eb63e40c

                                                          SHA512

                                                          8c382bf4c2ecc8341ea2720bf5128d8693963c2a812f9e3a69b9508b3392bad4277e69769bd4f06ebde675094ccf3d58209bbda312d9ecf8ee3620045a7d942c

                                                        • C:\Users\Admin\AppData\Local\Temp\A4B9.exe

                                                          Filesize

                                                          5.0MB

                                                          MD5

                                                          0904e849f8483792ef67991619ece915

                                                          SHA1

                                                          58d04535efa58effb3c5ed53a2462aa96d676b79

                                                          SHA256

                                                          fca631b3198194fcc0c619b5690dbde2e9f38afb1b978bab8ea3f92b572ce1ef

                                                          SHA512

                                                          258fc59050aa455ad56167dd1bbe5e098eefc0f3e950c90d89bac2aa74abb5cfa1710d866c0e28e58dcb2f914736470a4dd9838dd6412b633aee87d71b867cf5

                                                        • C:\Users\Admin\AppData\Local\Temp\AjfCaQL16X.bat

                                                          Filesize

                                                          179B

                                                          MD5

                                                          2dddd3e8023e3cd88c2d193a3183a114

                                                          SHA1

                                                          6ba940af96cd348f661292ba0fd8b88b1a49b232

                                                          SHA256

                                                          7df4d1702dbd09ea4b8d4ecd527a356a7420eab5c81e3604c97b49e2dd42b25f

                                                          SHA512

                                                          a8bcaebaba6a0df830b5ed8fcdb3ff2eba9096176f388150aa520501b50f9cf774fbf5e68fdc89079a3ee30c1caf49e7b6efc4c1e8250c63723941d6dbe262b8

                                                        • C:\Users\Admin\AppData\Local\Temp\C36E.exe

                                                          Filesize

                                                          4.1MB

                                                          MD5

                                                          c4cd2dabf6fe55752749ff664f9f9820

                                                          SHA1

                                                          b999a991aa6013a1cfe8d0bf5ee3e7ccd79012c9

                                                          SHA256

                                                          ecf58130e5f5905c6ab24345d42aa8ebf185bc45452fe9c93941d774d1d56c2e

                                                          SHA512

                                                          a2b64bbf37b291dbe3937100d228851024b44a953e91de6fedf1636dcaba7b4c02bcbd33fa21f0ce9fbdfde75a14893501ba583b0ddca0dce6968e67af5b6936

                                                        • C:\Users\Admin\AppData\Local\Temp\C36E.exe

                                                          Filesize

                                                          1.4MB

                                                          MD5

                                                          9125f073ab9146a41c4372ffcb64106f

                                                          SHA1

                                                          a415c399fb870f3f11ec48dc9c86abd825476b16

                                                          SHA256

                                                          d225ab3011aa70ba2264b38adf0ef079242ddd2710d15a696d6ebe839e4354fc

                                                          SHA512

                                                          0e7e52ac1ec7e0b8c0d6d71da3db89c9c7ff877ae3ea4fb7eb86cff2ea15e51fc1d0c3de57b4f63c6991acf1d23a0c3f7e9f9ae36a7a08778694b98be5fa3cf7

                                                        • C:\Users\Admin\AppData\Local\Temp\C36E.exe

                                                          Filesize

                                                          128KB

                                                          MD5

                                                          8cb4a815b78ed4ca1b77b372fa83c06e

                                                          SHA1

                                                          7bb3ebdd39b936d38b24928b6392bb16f21d8310

                                                          SHA256

                                                          356c111824df7afe7d7044682a8daed75c92e45c76b5acb3530e3476bfc396d2

                                                          SHA512

                                                          1512da5df4124b522ca00df0c6ff789115279badb9778150b4e38f20d64db4697953d34beb36c7963570e7e8d2f89f8ccf7e3815761f9fd7dd89a2781bacfce3

                                                        • C:\Users\Admin\AppData\Local\Temp\EA7F.exe

                                                          Filesize

                                                          8.8MB

                                                          MD5

                                                          ca75882d8187ba628e746abd7eba3869

                                                          SHA1

                                                          29a83b3bf4f57fdc37281b74fe4d895064be7224

                                                          SHA256

                                                          5bf15eac50035138c6ab22024def2cd3181cc69e75d1919ab1205fc7c5db8508

                                                          SHA512

                                                          9559fd32fc8510bbf78a0e6e7c6c97e68797730e27140f184e1569b224b2bc09052b876378aa8cceb70533989de41502037f357f99955b2b7b86a749697afc94

                                                        • C:\Users\Admin\AppData\Local\Temp\EA7F.exe

                                                          Filesize

                                                          9.7MB

                                                          MD5

                                                          78e09df7be2bbd97e6c06db742267982

                                                          SHA1

                                                          49fcfa8c02283bc435cb07d74463232b34f3e615

                                                          SHA256

                                                          60eb4857811bc38ce6a3fab3da9893d1d799f9b4ac0f4ccc502c90ac681bdeff

                                                          SHA512

                                                          0498f68a72c1a93b2ae6514f99da3dda68b1530a7fe2fa7abc88b79096cb9b59265374df650cd2000af76b70294038fb70940954a260f78433463fd4f67ab676

                                                        • C:\Users\Admin\AppData\Local\Temp\FD0E.exe

                                                          Filesize

                                                          5.7MB

                                                          MD5

                                                          d6c5410b2d9e45c08deaabe2c3e09c65

                                                          SHA1

                                                          e7fd29cf3488283bb7b43a31f965b9849c2d55cf

                                                          SHA256

                                                          f9e3c1a6284370cd7b6f8cb5a54d4d5f639a6fe0eb6c9a293d350e6505a3df75

                                                          SHA512

                                                          3f4a0ba92a7509a2d84aac0fc4d2c8d80144ccc090c664276acb85db487585419f268bb3b27652cdb88010d72ef5bdf66bf56fbfbdf6f4b4a2b2569cb2c3f325

                                                        • C:\Users\Admin\AppData\Local\Temp\FD0E.exe

                                                          Filesize

                                                          2.6MB


                                                        • C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

                                                          Filesize

                                                          742KB


                                                        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oxiceuap.omf.ps1

                                                          Filesize

                                                          60B


                                                        • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

                                                          Filesize

                                                          281KB


                                                        • C:\Windows\RemotePackages\RemoteDesktops\System.exe

                                                          Filesize

                                                          576KB


                                                        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

                                                          Filesize

                                                          2KB


                                                        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                                                          Filesize

                                                          19KB



                                                        • C:\Windows\rss\csrss.exe

                                                          Filesize

                                                          3.8MB


                                                        • C:\Windows\rss\csrss.exe

                                                          Filesize

                                                          2.6MB


                                                        • C:\containerProviderhost\SSJnjC24t.bat

                                                          Filesize

                                                          180B


                                                        • C:\containerProviderhost\lSHV2TIIXWH4jLBRX.vbe

                                                          Filesize

                                                          209B


                                                        • C:\containerProviderhost\runtimenetSvc.exe

                                                          Filesize

                                                          3.4MB



                                                        • memory/4696-266-0x00007FF64C7B0000-0x00007FF64D412000-memory.dmp

                                                          Filesize

                                                          12.4MB

                                                        • memory/4696-541-0x00007FF64C7B0000-0x00007FF64D412000-memory.dmp

                                                          Filesize

                                                          12.4MB

                                                        • memory/4696-147-0x00007FF64C7B0000-0x00007FF64D412000-memory.dmp

                                                          Filesize

                                                          12.4MB

                                                        • memory/4728-61-0x0000000000400000-0x0000000000537000-memory.dmp

                                                          Filesize

                                                          1.2MB

                                                        • memory/4728-64-0x0000000000400000-0x0000000000537000-memory.dmp

                                                          Filesize

                                                          1.2MB

                                                        • memory/4728-62-0x0000000000400000-0x0000000000537000-memory.dmp

                                                          Filesize

                                                          1.2MB

                                                        • memory/4844-91-0x00000000029A0000-0x00000000029D6000-memory.dmp

                                                          Filesize

                                                          216KB

                                                        • memory/4844-136-0x0000000007A20000-0x0000000007A31000-memory.dmp

                                                          Filesize

                                                          68KB

                                                        • memory/4844-94-0x0000000002990000-0x00000000029A0000-memory.dmp

                                                          Filesize

                                                          64KB

                                                        • memory/4844-111-0x0000000006870000-0x00000000068B4000-memory.dmp

                                                          Filesize

                                                          272KB

                                                        • memory/4844-95-0x0000000002990000-0x00000000029A0000-memory.dmp

                                                          Filesize

                                                          64KB

                                                        • memory/4844-116-0x0000000007D70000-0x00000000083EA000-memory.dmp

                                                          Filesize

                                                          6.5MB

                                                        • memory/4844-92-0x00000000054F0000-0x0000000005B18000-memory.dmp

                                                          Filesize

                                                          6.2MB

                                                        • memory/4844-117-0x0000000007710000-0x000000000772A000-memory.dmp

                                                          Filesize

                                                          104KB

                                                        • memory/4844-96-0x0000000005300000-0x0000000005322000-memory.dmp

                                                          Filesize

                                                          136KB

                                                        • memory/4844-143-0x00000000728A0000-0x0000000073050000-memory.dmp

                                                          Filesize

                                                          7.7MB

                                                        • memory/4844-140-0x0000000007AB0000-0x0000000007AB8000-memory.dmp

                                                          Filesize

                                                          32KB

                                                        • memory/4844-97-0x0000000005C20000-0x0000000005C86000-memory.dmp

                                                          Filesize

                                                          408KB

                                                        • memory/4844-139-0x0000000007B60000-0x0000000007B7A000-memory.dmp

                                                          Filesize

                                                          104KB

                                                        • memory/4844-138-0x0000000007A70000-0x0000000007A84000-memory.dmp

                                                          Filesize

                                                          80KB

                                                        • memory/4844-137-0x0000000007A60000-0x0000000007A6E000-memory.dmp

                                                          Filesize

                                                          56KB

                                                        • memory/4844-93-0x00000000728A0000-0x0000000073050000-memory.dmp

                                                          Filesize

                                                          7.7MB

                                                        • memory/4844-98-0x0000000005C90000-0x0000000005CF6000-memory.dmp

                                                          Filesize

                                                          408KB

                                                        • memory/4844-135-0x0000000007AC0000-0x0000000007B56000-memory.dmp

                                                          Filesize

                                                          600KB

                                                        • memory/4844-134-0x0000000007A00000-0x0000000007A0A000-memory.dmp

                                                          Filesize

                                                          40KB

                                                        • memory/4844-133-0x0000000007920000-0x00000000079C3000-memory.dmp

                                                          Filesize

                                                          652KB

                                                        • memory/4844-132-0x00000000078C0000-0x00000000078DE000-memory.dmp

                                                          Filesize

                                                          120KB

                                                        • memory/4844-122-0x000000006FF50000-0x00000000702A4000-memory.dmp

                                                          Filesize

                                                          3.3MB

                                                        • memory/4844-121-0x00000000742A0000-0x00000000742EC000-memory.dmp

                                                          Filesize

                                                          304KB

                                                        • memory/4844-115-0x0000000007670000-0x00000000076E6000-memory.dmp

                                                          Filesize

                                                          472KB

                                                        • memory/4844-108-0x0000000005E10000-0x0000000006164000-memory.dmp

                                                          Filesize

                                                          3.3MB

                                                        • memory/4844-109-0x0000000006340000-0x000000000635E000-memory.dmp

                                                          Filesize

                                                          120KB

                                                        • memory/4844-119-0x00000000078E0000-0x0000000007912000-memory.dmp

                                                          Filesize

                                                          200KB

                                                        • memory/4844-120-0x000000007FB10000-0x000000007FB20000-memory.dmp

                                                          Filesize

                                                          64KB

                                                        • memory/4844-114-0x0000000002990000-0x00000000029A0000-memory.dmp

                                                          Filesize

                                                          64KB

                                                        • memory/4844-110-0x0000000006380000-0x00000000063CC000-memory.dmp

                                                          Filesize

                                                          304KB