Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-02-2024 05:44

General

  • Target

    eda7932e202bcce9f10d91e5d282bd4114c168f9eaf136cddadb4565bca9dc1b.exe

  • Size

    163KB

  • MD5

    3f9534333f6ccc480bfeabed25adecd1

  • SHA1

    7b89fd831fc51fae94e0f0a65f4b25303074c406

  • SHA256

    eda7932e202bcce9f10d91e5d282bd4114c168f9eaf136cddadb4565bca9dc1b

  • SHA512

    22ede8f378c57498ecaa3fdbfce1393857721dbddec69047d729ea5629a68ee625ec0141650cd3d5c794477836c8e37c9922fd0904c686d05b2dd3ac4c4aaf8b

  • SSDEEP

    3072:aZ3vfdGdDEaLL3ZnWQ/Qr0A6AVJsbEaBkeL/2UIO8cLzhQr:aFlGdQaP9L9AHsAa6cb8cnhQ

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://selebration17io.io/index.php

http://vacantion18ffeu.cc/index.php

http://valarioulinity1.net/index.php

http://buriatiarutuhuob.net/index.php

http://cassiosssionunu.me/index.php

http://sulugilioiu19.net/index.php

http://goodfooggooftool.net/index.php

rc4.i32
rc4.i32

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

lumma

C2

https://resergvearyinitiani.shop/api

https://technologyenterdo.shop/api

https://detectordiscusser.shop/api

https://turkeyunlikelyofw.shop/api

https://associationokeo.shop/api

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Detect Socks5Systemz Payload 1 IoCs
  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba payload 4 IoCs
  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Socks5Systemz

    Socks5Systemz is a botnet written in C++.

  • Detect binaries embedding considerable number of MFA browser extension IDs. 1 IoCs
  • Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 1 IoCs
  • Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 2 IoCs
  • Detects Windows executables referencing non-Windows User-Agents 3 IoCs
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
  • Detects executables Discord URL observed in first stage droppers 3 IoCs
  • Detects executables containing URLs to raw contents of a Github gist 3 IoCs
  • Detects executables containing artifacts associated with disabling Windows Defender 3 IoCs
  • Detects executables packed with VMProtect. 7 IoCs
  • Detects executables referencing many varying, potentially fake Windows User-Agents 3 IoCs
  • UPX dump on OEP (original entry point) 6 IoCs
  • Creates new service(s) 1 TTPs
  • Downloads MZ/PE file
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Stops running service(s) 3 TTPs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 18 IoCs
  • Loads dropped DLL 10 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 5 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\eda7932e202bcce9f10d91e5d282bd4114c168f9eaf136cddadb4565bca9dc1b.exe
    "C:\Users\Admin\AppData\Local\Temp\eda7932e202bcce9f10d91e5d282bd4114c168f9eaf136cddadb4565bca9dc1b.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:1412
  • C:\Users\Admin\AppData\Local\Temp\9B75.exe
    C:\Users\Admin\AppData\Local\Temp\9B75.exe
    1⤵
    • Executes dropped EXE
    PID:456
  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\A28A.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3280
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\A28A.dll
      2⤵
      • Loads dropped DLL
      PID:2888
  • C:\Users\Admin\AppData\Local\Temp\A867.exe
    C:\Users\Admin\AppData\Local\Temp\A867.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3652
    • C:\Users\Admin\AppData\Local\Temp\A867.exe
      C:\Users\Admin\AppData\Local\Temp\A867.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      PID:516
  • C:\Users\Admin\AppData\Local\Temp\AB56.exe
    C:\Users\Admin\AppData\Local\Temp\AB56.exe
    1⤵
    • Executes dropped EXE
    • Writes to the Master Boot Record (MBR)
    PID:4960
  • C:\Users\Admin\AppData\Local\Temp\B104.exe
    C:\Users\Admin\AppData\Local\Temp\B104.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:3700
    • C:\Users\Admin\AppData\Local\Temp\is-6U5DR.tmp\B104.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-6U5DR.tmp\B104.tmp" /SL5="$90162,2349102,54272,C:\Users\Admin\AppData\Local\Temp\B104.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4596
      • C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe
        "C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe" -i
        3⤵
        • Executes dropped EXE
        PID:3444
      • C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe
        "C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe" -s
        3⤵
        • Executes dropped EXE
        PID:4312
  • C:\Users\Admin\AppData\Local\Temp\E17C.exe
    C:\Users\Admin\AppData\Local\Temp\E17C.exe
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
      "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4416
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2324
      • C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
        "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
        3⤵
        • Executes dropped EXE
        • Modifies data under HKEY_USERS
        PID:1696
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          PID:3108
        • C:\Windows\system32\cmd.exe
          C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
          4⤵
          PID:4428
          • C:\Windows\system32\netsh.exe
            netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
            5⤵
            • Modifies Windows Firewall
            PID:3952
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          PID:2084
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 884
        3⤵
        • Program crash
        PID:4296
    • C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:4516
      • C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
        C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2504
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2628
          • C:\Windows\SysWOW64\chcp.com
            chcp 1251
            5⤵
            PID:4432
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
            5⤵
            • Creates scheduled task(s)
            PID:2012
      • C:\Users\Admin\AppData\Local\Temp\nscFED4.tmp
        C:\Users\Admin\AppData\Local\Temp\nscFED4.tmp
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks processor information in registry
        PID:4428
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 2044
          4⤵
          • Program crash
          PID:4512
    • C:\Users\Admin\AppData\Local\Temp\FourthX.exe
      "C:\Users\Admin\AppData\Local\Temp\FourthX.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      PID:4724
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1996
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe delete "UTIXDCVF"
        3⤵
        • Launches sc.exe
        PID:4432
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        3⤵
        PID:4420
        • C:\Windows\system32\wusa.exe
          wusa /uninstall /kb:890830 /quiet /norestart
          4⤵
          PID:4264
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"
        3⤵
        • Launches sc.exe
        PID:3444
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe start "UTIXDCVF"
        3⤵
        • Launches sc.exe
        PID:2980
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop eventlog
        3⤵
        • Launches sc.exe
        PID:2640
  • C:\Users\Admin\AppData\Local\Temp\19E2.exe
    C:\Users\Admin\AppData\Local\Temp\19E2.exe
    1⤵
    • Executes dropped EXE
    • Checks SCSI registry key(s)
    • Suspicious behavior: MapViewOfSection
    PID:1808
  • C:\Users\Admin\AppData\Local\Temp\475C.exe
    C:\Users\Admin\AppData\Local\Temp\475C.exe
    1⤵
    • Executes dropped EXE
    PID:632
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4428 -ip 4428
    1⤵
    PID:1448
  • C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
    C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext
    PID:2628
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:4276
    • C:\Windows\system32\conhost.exe
      C:\Windows\system32\conhost.exe
      2⤵
      PID:1020
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      2⤵
      PID:4788
      • C:\Windows\system32\wusa.exe
        wusa /uninstall /kb:890830 /quiet /norestart
        3⤵
        PID:2680
    • C:\Windows\explorer.exe
      explorer.exe
      2⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:4956
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4416 -ip 4416
    1⤵
    PID:5012

Network

MITRE ATT&CK Enterprise v15

Downloads

                        • C:\ProgramData\Are.docx

                          Filesize

                          11KB

                        • C:\ProgramData\WBICreatorService 6.5\WBICreatorService 6.5.exe

                          Filesize

                          1.5MB

                        • C:\ProgramData\mozglue.dll

                          Filesize

                          593KB

                        • C:\ProgramData\nss3.dll

                          Filesize

                          2.0MB

                        • C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

                          Filesize

                          1.8MB

                        • C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

                          Filesize

                          2.5MB

                        • C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe

                          Filesize

                          2.2MB

                        • C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe

                          Filesize

                          1.7MB

                        • C:\Users\Admin\AppData\Local\Temp\19E2.exe

                          Filesize

                          245KB

                        • C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

                          Filesize

                          640KB

                        • C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

                          Filesize

                          1.7MB

                        • C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

                          Filesize

                          1.9MB

                        • C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

                          Filesize

                          4.1MB

                        • C:\Users\Admin\AppData\Local\Temp\475C.exe

                          Filesize

                          2.2MB

                        • C:\Users\Admin\AppData\Local\Temp\475C.exe

                          Filesize

                          1024KB

                        • C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

                          Filesize

                          2.6MB

                        • C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

                          Filesize

                          7.5MB

                        • C:\Users\Admin\AppData\Local\Temp\9B75.exe

                          Filesize

                          5.0MB

                        • C:\Users\Admin\AppData\Local\Temp\A28A.dll

                          Filesize

                          2.0MB

                        • C:\Users\Admin\AppData\Local\Temp\A28A.dll

                          Filesize

                          1.7MB

                        • C:\Users\Admin\AppData\Local\Temp\A867.exe

                          Filesize

                          1.9MB

                        • C:\Users\Admin\AppData\Local\Temp\AB56.exe

                          Filesize

                          560KB

                        • C:\Users\Admin\AppData\Local\Temp\B104.exe

                          Filesize

                          2.2MB

                        • C:\Users\Admin\AppData\Local\Temp\B104.exe

                          Filesize

                          2.1MB

                        • C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

                          Filesize

                          1024KB

                        • C:\Users\Admin\AppData\Local\Temp\E17C.exe

                          Filesize

                          1.5MB

                        • C:\Users\Admin\AppData\Local\Temp\E17C.exe

                          Filesize

                          768KB

                        • C:\Users\Admin\AppData\Local\Temp\FourthX.exe

                          Filesize

                          1.1MB

                        • C:\Users\Admin\AppData\Local\Temp\FourthX.exe

                          Filesize

                          1.1MB

                        • C:\Users\Admin\AppData\Local\Temp\FourthX.exe

                          Filesize

                          704KB

                        • C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

                          Filesize

                          1.8MB

                        • C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

                          Filesize

                          1.6MB

                        • C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

                          Filesize

                          1.9MB

                        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vpipopmp.uor.ps1

                          Filesize

                          60B

                        • C:\Users\Admin\AppData\Local\Temp\is-6U5DR.tmp\B104.tmp

                          Filesize

                          689KB

                        • C:\Users\Admin\AppData\Local\Temp\is-6U5DR.tmp\B104.tmp

                          Filesize

                          576KB

                        • C:\Users\Admin\AppData\Local\Temp\is-TSIBL.tmp\_isetup\_iscrypt.dll

                          Filesize

                          2KB

                        • C:\Users\Admin\AppData\Local\Temp\is-TSIBL.tmp\_isetup\_isdecmp.dll

                          Filesize

                          13KB

                        • C:\Users\Admin\AppData\Local\Temp\nscFED4.tmp

                          Filesize

                          246KB

                        • C:\Users\Admin\AppData\Local\Temp\nsmF03D.tmp\INetC.dll

                          Filesize

                          25KB

                        • C:\Users\Admin\AppData\Roaming\Temp\Task.bat

                          Filesize

                          128B

                        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

                          Filesize

                          2KB

                        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                          Filesize

                          19KB
