Analysis

  • max time kernel
    141s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-02-2024 12:14

General

  • Target

    84b607224b08194b311683727ad11950.exe

  • Size

    246KB

  • MD5

    84b607224b08194b311683727ad11950

  • SHA1

    f40b14acd72941439165a1df48e04a80ab978f34

  • SHA256

    01006e47ba030748e7843e01ec62fdf7970d003931434837fa79cd4b84e3e0e0

  • SHA512

    f83140c375769e3f8eff768b7888de1a6c6a209dbdc60b92c0361b1e331d2fd5968163b0bb32a56b2075d70b5c6c68fed7886d4661d866a634cb70da4144dcf2

  • SSDEEP

    3072:ZjbSZBZLDOAnav+tyPoESrTGpe3HZaBsfCf+NjXjMnN5J5c5f8:ZU+KyPolrTGA3HZssfCWNbWJC5f

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://selebration17io.io/index.php

http://vacantion18ffeu.cc/index.php

http://valarioulinity1.net/index.php

http://buriatiarutuhuob.net/index.php

http://cassiosssionunu.me/index.php

http://sulugilioiu19.net/index.php

http://goodfooggooftool.net/index.php

http://kamsmad.com/tmp/index.php

http://souzhensil.ru/tmp/index.php

http://teplokub.com.ua/tmp/index.php

rc4.i32

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

lumma

C2

https://resergvearyinitiani.shop/api

https://technologyenterdo.shop/api

https://detectordiscusser.shop/api

https://turkeyunlikelyofw.shop/api

https://associationokeo.shop/api

Signatures

  • DcRat 5 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba payload 5 IoCs
  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Creates new service(s) 1 TTPs
  • Downloads MZ/PE file
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Stops running service(s) 3 TTPs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 20 IoCs
  • Loads dropped DLL 9 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Manipulates WinMonFS driver. 1 IoCs

    Rootkits write to WinMonFS to hide directories/files from being detected.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 12 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 5 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe
    "C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe"
    1⤵
    • DcRat
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:4220
  • C:\Users\Admin\AppData\Local\Temp\9E63.exe
    C:\Users\Admin\AppData\Local\Temp\9E63.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1784
    • C:\Users\Admin\AppData\Local\Temp\9E63.exe
      C:\Users\Admin\AppData\Local\Temp\9E63.exe
      2⤵
      • DcRat
      • Executes dropped EXE
      • Adds Run key to start application
      PID:3496
  • C:\Users\Admin\AppData\Local\Temp\C0A1.exe
    C:\Users\Admin\AppData\Local\Temp\C0A1.exe
    1⤵
    • Executes dropped EXE
    PID:4244
  • C:\Users\Admin\AppData\Local\Temp\C584.exe
    C:\Users\Admin\AppData\Local\Temp\C584.exe
    1⤵
    • Executes dropped EXE
    • Writes to the Master Boot Record (MBR)
    PID:3616
  • C:\Users\Admin\AppData\Local\Temp\CBEE.exe
    C:\Users\Admin\AppData\Local\Temp\CBEE.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:1756
    • C:\Users\Admin\AppData\Local\Temp\is-LN82Q.tmp\CBEE.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-LN82Q.tmp\CBEE.tmp" /SL5="$E0058,2248936,56832,C:\Users\Admin\AppData\Local\Temp\CBEE.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:3004
      • C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe
        "C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe" -i
        3⤵
        • Executes dropped EXE
        PID:3184
      • C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe
        "C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe" -s
        3⤵
        • Executes dropped EXE
        PID:2628
  • C:\Users\Admin\AppData\Local\Temp\8D9.exe
    C:\Users\Admin\AppData\Local\Temp\8D9.exe
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:3228
    • C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
      "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4108
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1896
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 2516
          4⤵
          • Program crash
          PID:4468
      • C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
        "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks for VirtualBox DLLs, possible anti-VM trick
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        PID:3340
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious use of AdjustPrivilegeToken
          PID:1636
        • C:\Windows\system32\cmd.exe
          C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
          4⤵
            PID:4076
            • C:\Windows\system32\netsh.exe
              netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
              5⤵
              • Modifies Windows Firewall
              PID:2820
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious use of AdjustPrivilegeToken
            PID:2108
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious use of AdjustPrivilegeToken
            PID:4964
          • C:\Windows\rss\csrss.exe
            C:\Windows\rss\csrss.exe
            4⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Manipulates WinMonFS driver.
            • Drops file in Windows directory
            PID:4660
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -nologo -noprofile
              5⤵
              • Modifies data under HKEY_USERS
              • Suspicious use of AdjustPrivilegeToken
              PID:2412
            • C:\Windows\SYSTEM32\schtasks.exe
              schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
              5⤵
              • DcRat
              • Creates scheduled task(s)
              PID:4116
            • C:\Windows\SYSTEM32\schtasks.exe
              schtasks /delete /tn ScheduledUpdate /f
              5⤵
                PID:536
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -nologo -noprofile
                5⤵
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious use of AdjustPrivilegeToken
                PID:1556
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -nologo -noprofile
                5⤵
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious use of AdjustPrivilegeToken
                PID:4968
              • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                5⤵
                • Executes dropped EXE
                PID:4104
              • C:\Windows\SYSTEM32\schtasks.exe
                schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                5⤵
                • DcRat
                • Creates scheduled task(s)
                PID:4356
              • C:\Windows\windefender.exe
                "C:\Windows\windefender.exe"
                5⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                PID:2412
                • C:\Windows\SysWOW64\cmd.exe
                  cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                  6⤵
                    PID:4476
                    • C:\Windows\SysWOW64\sc.exe
                      sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                      7⤵
                      • Launches sc.exe
                      PID:3540
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 748
              3⤵
              • Program crash
              PID:3636
          • C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
            "C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"
            2⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1688
            • C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
              C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
              3⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3888
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:4988
                • C:\Windows\SysWOW64\chcp.com
                  chcp 1251
                  5⤵
                    PID:1636
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
                    5⤵
                    • DcRat
                    • Creates scheduled task(s)
                    PID:4476
              • C:\Users\Admin\AppData\Local\Temp\nsu1D2A.tmp
                C:\Users\Admin\AppData\Local\Temp\nsu1D2A.tmp
                3⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Checks processor information in registry
                PID:1464
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 2448
                  4⤵
                  • Program crash
                  PID:3520
            • C:\Users\Admin\AppData\Local\Temp\FourthX.exe
              "C:\Users\Admin\AppData\Local\Temp\FourthX.exe"
              2⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              PID:2340
              • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                3⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:4224
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe delete "UTIXDCVF"
                3⤵
                • Launches sc.exe
                PID:4008
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                3⤵
                  PID:1196
                  • C:\Windows\system32\wusa.exe
                    wusa /uninstall /kb:890830 /quiet /norestart
                    4⤵
                      PID:4968
                  • C:\Windows\system32\sc.exe
                    C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"
                    3⤵
                    • Launches sc.exe
                    PID:1452
                  • C:\Windows\system32\sc.exe
                    C:\Windows\system32\sc.exe stop eventlog
                    3⤵
                    • Launches sc.exe
                    PID:4060
                  • C:\Windows\system32\sc.exe
                    C:\Windows\system32\sc.exe start "UTIXDCVF"
                    3⤵
                    • Launches sc.exe
                    PID:2896
              • C:\Users\Admin\AppData\Local\Temp\3A5A.exe
                C:\Users\Admin\AppData\Local\Temp\3A5A.exe
                1⤵
                • Executes dropped EXE
                • Checks SCSI registry key(s)
                • Suspicious behavior: MapViewOfSection
                PID:4504
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1896 -ip 1896
                1⤵
                  PID:4264
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4108 -ip 4108
                  1⤵
                    PID:5048
                  • C:\Windows\system32\regsvr32.exe
                    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\516D.dll
                    1⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2100
                    • C:\Windows\SysWOW64\regsvr32.exe
                      /s C:\Users\Admin\AppData\Local\Temp\516D.dll
                      2⤵
                      • Loads dropped DLL
                      PID:2968
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1464 -ip 1464
                    1⤵
                      PID:4356
                    • C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
                      C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
                      1⤵
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • Suspicious use of SetThreadContext
                      PID:1704
                      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                        2⤵
                        • Drops file in System32 directory
                        • Modifies data under HKEY_USERS
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3608
                      • C:\Windows\system32\conhost.exe
                        C:\Windows\system32\conhost.exe
                        2⤵
                          PID:4416
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                          2⤵
                            PID:4076
                            • C:\Windows\system32\wusa.exe
                              wusa /uninstall /kb:890830 /quiet /norestart
                              3⤵
                                PID:3248
                            • C:\Windows\explorer.exe
                              explorer.exe
                              2⤵
                              • Suspicious use of AdjustPrivilegeToken
                              PID:4524
                          • C:\Windows\windefender.exe
                            C:\Windows\windefender.exe
                            1⤵
                              PID:1568

                            Network

                            MITRE ATT&CK Enterprise v15

                            Downloads

                            • C:\ProgramData\Are.docx

                              Filesize

                              11KB


                            • C:\ProgramData\mozglue.dll

                              Filesize

                              593KB


                            • C:\ProgramData\nss3.dll

                              Filesize

                              2.0MB


                            • C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

                              Filesize

                              2.5MB


                            • C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe

                              Filesize

                              3.0MB


                            • C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe

                              Filesize

                              1.8MB


                            • C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

                              Filesize

                              4.1MB


                            • C:\Users\Admin\AppData\Local\Temp\3A5A.exe

                              Filesize

                              246KB


                            • C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

                              Filesize

                              2.6MB


                            • C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

                              Filesize

                              5.0MB


                            • C:\Users\Admin\AppData\Local\Temp\516D.dll

                              Filesize

                              1.2MB


                            • C:\Users\Admin\AppData\Local\Temp\516D.dll

                              Filesize

                              1.4MB


                            • C:\Users\Admin\AppData\Local\Temp\8D9.exe

                              Filesize

                              8.7MB


                            • C:\Users\Admin\AppData\Local\Temp\9E63.exe

                              Filesize

                              1.9MB


                            • C:\Users\Admin\AppData\Local\Temp\9E63.exe

                              Filesize

                              14KB


                            • C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

                              Filesize

                              1.3MB


                            • C:\Users\Admin\AppData\Local\Temp\C0A1.exe

                              Filesize

                              6.2MB


                            • C:\Users\Admin\AppData\Local\Temp\C584.exe

                              Filesize

                              554KB


                            • C:\Users\Admin\AppData\Local\Temp\CBEE.exe

                              Filesize

                              1.9MB

                              MD5

                              6b1a309c609a892cc6f19a61f3ec7a28

                              SHA1

                              4a99ae82573addac9055915e65b6475931825a3e

                              SHA256

                              5dddcc5de1a79d8d40b4a02ccea49913292bea3be52b51fdf5f14ebb97fdd776

                              SHA512

                              c777ceda6a002785f9670b0af85c3f273436e262dd60290c909124d57974eb139a1b40acd34b7a5c4d840ea7a2aa2de76898a240443a44e506b75ae867c8dfc0

                            • C:\Users\Admin\AppData\Local\Temp\CBEE.exe

                              Filesize

                              1.5MB

                              MD5

                              66db0d066c82c233d7503d6a50fe91ad

                              SHA1

                              823a20e83d3a4f61ced3c2f7f6aa634eb25348e0

                              SHA256

                              d0b2ba7afa9e94cbd574d1a6d386569ab12c12faa9c85ba9f1df0378e405b410

                              SHA512

                              49cce41f42159e1744ee90f8ff89548c3c9cf2492cfca2b5dae967394260ee5fec250572dae6fa6640c074fc8808cd7ac397c1f2a7800dc81956a3c0639a5b5a

                            • C:\Users\Admin\AppData\Local\Temp\FourthX.exe

                              Filesize

                              2.2MB

                              MD5

                              5ca01423a29016851cc4e6281916cb2c

                              SHA1

                              583cbe4fc8a69b4f324e60257da872531c7b1a5a

                              SHA256

                              8ff85221e7fdd4c93b8828ebcef9c255273f5beb067a44b24e1ca87d9e898ec1

                              SHA512

                              68a605768e4dac8ce37ac43d54536429c3f6aa6e5be656e6f0bc61155380a604d434b50899fa986d017316e8397ddf2f91445a9c4ce72a9072580a003ad022a4

                            • C:\Users\Admin\AppData\Local\Temp\FourthX.exe

                              Filesize

                              1.6MB

                              MD5

                              04fcc1fdd58f42e0490e828028e69579

                              SHA1

                              974b63311a31fcff5451cb98dc4df801e855b4e4

                              SHA256

                              a8fea3f6fe17200d8be207b2bca386e973a636498066594d4cf00e110c37152a

                              SHA512

                              68e805595a3507e7421ae1dd305c63138c33cd2bb553348f8a6fcd9c222413cfd184fe4f67a8151753c74c9912563064e101fe09f1e2e13a7782b8323889581c

                            • C:\Users\Admin\AppData\Local\Temp\FourthX.exe

                              Filesize

                              1.6MB

                              MD5

                              e26f71a0d7c8b755b4df392aa6a9d1ae

                              SHA1

                              60708c86d2ccce39eeebcda381bef38a4c6ac89c

                              SHA256

                              a787cf08025716820635f1b5d276c0bc6ccef15b99247b2ee6f3f2cf096b9272

                              SHA512

                              c141ebe852b86b15cdeb8ea8ebadedca7b6be29dbb296aab953e4ca68a3e938a9c60d75f8e70032aed7b9bc9ad38325926ddab253468413af17b76aaa99ebcf3

                            • C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

                              Filesize

                              2.0MB

                              MD5

                              28b72e7425d6d224c060d3cf439c668c

                              SHA1

                              a0a14c90e32e1ffd82558f044c351ad785e4dcd8

                              SHA256

                              460ba492fbc3163b80bc40813d840e50feb84166db7a300392669afd21132d98

                              SHA512

                              3e0696b4135f3702da054b80d98a8485fb7f3002c4148a327bc790b0d33c62d442c01890cc047af19a17a149c8c8eb84777c4ff313c95ec6af64a8bf0b2d54b6

                            • C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

                              Filesize

                              1.9MB

                              MD5

                              a5f70019477726fdf048623738b725ce

                              SHA1

                              2432e57e28133351453973cc3c01486966edbac2

                              SHA256

                              af07b04729c48194245c4c2920cc84470f830c63715c535b7ab24979923fa032

                              SHA512

                              bd882312cf4a2b62b6155620f84493d35418dcaac735b0ecfea22fa89c788bc219974b62175514aaae143aef2a9db7a66d2cb928284def16695171df7f7c5b2f

                            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wdm5owvo.uka.ps1

                              Filesize

                              60B

                              MD5

                              d17fe0a3f47be24a6453e9ef58c94641

                              SHA1

                              6ab83620379fc69f80c0242105ddffd7d98d5d9d

                              SHA256

                              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                              SHA512

                              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                            • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

                              Filesize

                              281KB

                              MD5

                              d98e33b66343e7c96158444127a117f6

                              SHA1

                              bb716c5509a2bf345c6c1152f6e3e1452d39d50d

                              SHA256

                              5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

                              SHA512

                              705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

                            • C:\Users\Admin\AppData\Local\Temp\is-LN82Q.tmp\CBEE.tmp

                              Filesize

                              690KB

                              MD5

                              a1b45df2ed6b73416fdf10a62a69f8f0

                              SHA1

                              053d566b3d1d4ec47d4dff670611a20802b1a366

                              SHA256

                              0f20cd41a5d49d9324f102419045adbaa01e1bdab8f620cacd30f32290009a4d

                              SHA512

                              bbe1b8cd45eda9f201093970788a001d4142fe234b21e6fc992366f86a0fcc2156480394696a09cedc41381ba939966d5825582f49a90bdd089dc765fa52a8f2

                            • C:\Users\Admin\AppData\Local\Temp\is-QO84F.tmp\_isetup\_iscrypt.dll

                              Filesize

                              2KB

                              MD5

                              a69559718ab506675e907fe49deb71e9

                              SHA1

                              bc8f404ffdb1960b50c12ff9413c893b56f2e36f

                              SHA256

                              2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

                              SHA512

                              e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

                            • C:\Users\Admin\AppData\Local\Temp\is-QO84F.tmp\_isetup\_isdecmp.dll

                              Filesize

                              19KB

                              MD5

                              3adaa386b671c2df3bae5b39dc093008

                              SHA1

                              067cf95fbdb922d81db58432c46930f86d23dded

                              SHA256

                              71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

                              SHA512

                              bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

                            • C:\Users\Admin\AppData\Local\Temp\nsl147E.tmp\INetC.dll

                              Filesize

                              25KB

                              MD5

                              40d7eca32b2f4d29db98715dd45bfac5

                              SHA1

                              124df3f617f562e46095776454e1c0c7bb791cc7

                              SHA256

                              85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

                              SHA512

                              5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

                            • C:\Users\Admin\AppData\Local\Temp\nsu1D2A.tmp

                              Filesize

                              246KB

                              MD5

                              da812d63d6637fbc245339e746ccf1f9

                              SHA1

                              1d5c645e81e96606b26aa56526fb0022bb68c4b0

                              SHA256

                              4f4c0bb02c9763384478abac72bf8ddd8be850be19e4978b90b5329ef689aeba

                              SHA512

                              05579ee699524ef0a95b730a252ce93302b71aefabc4642e002e817dd35c922473e6a1102efa43041f591a8ba04f5b5ccd0d8f43ee737eb2c8b0c086eed4a177

                            • C:\Users\Admin\AppData\Roaming\Temp\Task.bat

                              Filesize

                              128B

                              MD5

                              11bb3db51f701d4e42d3287f71a6a43e

                              SHA1

                              63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

                              SHA256

                              6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

                              SHA512

                              907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

                            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

                              Filesize

                              2KB

                              MD5

                              3d086a433708053f9bf9523e1d87a4e8

                              SHA1

                              b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

                              SHA256

                              6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

                              SHA512

                              931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

                            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                              Filesize

                              19KB

                              MD5

                              d2d76c81a044aa0266852ef7d7989fd8

                              SHA1

                              1244c072957954b05ed6fbe35cb2b1106e59af30

                              SHA256

                              005da31948ac86589ccd25ee68ee00c2a819f07b51bbb061b0e1699d37547a66

                              SHA512

                              a69f636e55b12348a898eaec42e2ed0c7b9f4370c3510638415f78198155eb253351ae040c8f9b88cdd6cba46587624c55cf3f39c13281a41fd95c2277c3a583

                            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                              Filesize

                              19KB

                              MD5

                              c5a1cd740f3fccd7c193db7e3a7269fb

                              SHA1

                              85c97899fe1a858d5fa4f563b8d4d7cbdfb6a7c0

                              SHA256

                              263d5eec2d2c8c8bbea2b82b5e743afdf237d74d8049e3e477830e50404eea74

                              SHA512

                              cb950b5b04a1e68233a3ec1bd2ef7868863a671c041c0dbbcb3981fefb5ab534c5cf421c21a7ff7cad4cbf5ec77d7161e78d5c412b4cb64c8f94b30199ed3b8f

                            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                              Filesize

                              19KB

                              MD5

                              f046610a6adeece7f7fd84d060c8cf40

                              SHA1

                              5f8c6b9c26b9fc572c93289297b561da18a0e262

                              SHA256

                              3a1db8926423c5e0054875963f992b282220024565eee75e1a1c5483dfec2750

                              SHA512

                              a403a3b5324c197cce732f329340ff9c7b51c33810d3fef9e42a3a76361cb079f6250479ef50d6db9f1ce73ede9752a300d3c9489631ffd1a41e64a7f12c0425

                            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                              Filesize

                              19KB

                              MD5

                              c926a9f2c66670ae0d75b34af4619902

                              SHA1

                              d7373210bee43e1c7b4d4155236980c62cc84e70

                              SHA256

                              91a3cd24b8d05588ca9a9524cf49ac498e187949e88ab953249ba8f40c82752c

                              SHA512

                              645176757c3f78e1c968686e8ffb800ed4bf74a6469dd7a7e0b75f039425f70734afdf87ff9209083d4dd8b38dc6734a3cb742443056d04c81e9f83d71212685

                            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                              Filesize

                              19KB

                              MD5

                              18670145aa9e64dbc3f60006f981821f

                              SHA1

                              d5ee5077959247e5eaa0665c445fc85125c1bf2f

                              SHA256

                              fa7a716b5748d8a468af68a784f16926aed492f25a1bcd700404a725ce49245f

                              SHA512

                              fc66d9e1987d7fa29ab65896ae4756ddd378deb0595e81f2f39c9717a77c3ec3a7449beae3477849490fa977ea722f410c0c83f0b39a35dfef7d96d896fa764c

                            • C:\Windows\rss\csrss.exe

                              Filesize

                              1.5MB

                              MD5

                              34666eafe0fffb6a73e31c1e09ecac4f

                              SHA1

                              ffd5c92070e4a8fab8f8095316d73ccd485f6294

                              SHA256

                              d429c8dcd6ef1fb942bcf3543e0368f54d62c0519076daecd3bc5f0aa8713232

                              SHA512

                              542a9e8b722ea5dcc245978d026c7a11b0e7b4f7ed651fa9f4a562bb93ed33eb3edcbc57d075a154520a007898f4bad0734031238898feece2a816e7c99f7966

                            • C:\Windows\rss\csrss.exe

                              Filesize

                              1.2MB

                              MD5

                              6bdb234305778c39ec1121b20dbb5b46

                              SHA1

                              9397990981227c7b06a4ad4d1a2b030d38fcd6e1

                              SHA256

                              0e50b406c6cd99dda7328f15c6dad4c1bf4c5b0a12a2476ee69e58e7d544233b

                              SHA512

                              6a58cafa3ed7cbbd091da4f240ff88e517d40167d1f901352cdde871931636bcc934f69937b830851969dc15dc1b04c6ce9d7cd689f5a9f864c60a5ad198777a

                            • C:\Windows\windefender.exe

                              Filesize

                              2.0MB

                              MD5

                              8e67f58837092385dcf01e8a2b4f5783

                              SHA1

                              012c49cfd8c5d06795a6f67ea2baf2a082cf8625

                              SHA256

                              166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

                              SHA512

                              40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

                            • C:\Windows\windefender.exe

                              Filesize

                              1.4MB

                              MD5

                              d480d873c3e1a4c4a90b2452fc1ec666

                              SHA1

                              3b0657338cbfe497774af2809b9c6bfd64258aef

                              SHA256

                              691faf0177d29d8be9e5f8f3e7c0670066524a491891a0c37f3040d93f4d3657

                              SHA512

                              2c38936a0d17ac94c5b611d4a54cc75f0a9c9b39630ab2dee028ce14ed8660ce86e8694e46fccbed3f9a74ac9845b4f47d279005845d22bfc42d837e04071929


                              Filesize

                              1024KB

                            • memory/4504-315-0x0000000000400000-0x0000000001A2A000-memory.dmp

                              Filesize

                              22.2MB

                            • memory/4504-324-0x0000000000400000-0x0000000001A2A000-memory.dmp

                              Filesize

                              22.2MB