Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-04-2024 23:35

General

  • Target

    2024-04-07_aab33557c85ba58681ae5a868881e1b8_magniber.exe

  • Size

    4.7MB

  • MD5

    aab33557c85ba58681ae5a868881e1b8

  • SHA1

    a01778d12f92e47081de63ce6913b2cdb10266ed

  • SHA256

    fbed99453a6a3bb1916f2530dfcdc8a1cbb98180545914e5c5b9d92188e704d4

  • SHA512

    e0c120c60218e299f976b379074bb0036d096979d150227d5e692c6b3ebb220ead7766851ed9b6cbe975d6de33bd9615816914d67f1d488dd39e1fd55280172c

  • SSDEEP

    98304:yqJkdmBucaT57K3C4qJ31B0G0c5S2uf+bGhwmv5:z2dV7VK8tj0QufMQ

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 38 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in System32 directory 20 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 33 IoCs
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 52 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 37 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-07_aab33557c85ba58681ae5a868881e1b8_magniber.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-07_aab33557c85ba58681ae5a868881e1b8_magniber.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Checks processor information in registry
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2080
    • C:\Users\Admin\AppData\Local\Temp\2024-04-07_aab33557c85ba58681ae5a868881e1b8_magniber.exe
      C:\Users\Admin\AppData\Local\Temp\2024-04-07_aab33557c85ba58681ae5a868881e1b8_magniber.exe
      2⤵
      • Loads dropped DLL
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:6828
      • C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
        C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe "-lang=en_US" "-cachedir=C:\Users\Admin\AppData\Local\Steam\htmlcache" "-steampid=6828" "-buildid=1709846872" "-steamid=0" "-logdir=C:\Users\Admin\AppData\Local\Temp\logs" "-uimode=7" "-startcount=0" "-steamuniverse=Public" "-realm=Global" "-clientui=C:\Users\Admin\AppData\Local\Temp\clientui" "-steampath=C:\Users\Admin\AppData\Local\Temp\2024-04-07_aab33557c85ba58681ae5a868881e1b8_magniber.exe" "-launcher=0" --enable-smooth-scrolling --enable-direct-write --disablehighdpi "--force-device-scale-factor=1" "--device-scale-factor=1" "--log-file=C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --disable-quick-menu "--disable-features=DcheckIsFatal"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4576
        • C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
          C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe --type=crashpad-handler /prefetch:7 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\dumps "--metrics-dir=C:\Users\Admin\AppData\Local\CEF\User Data" --url=https://crash.steampowered.com/submit --annotation=platform=win64 --annotation=product=cefwebhelper --annotation=version=1709846872 --initial-client-data=0x22c,0x230,0x234,0x200,0x238,0x7fef49eee28,0x7fef49eee38,0x7fef49eee48
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:4864
        • C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
          "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --force-device-scale-factor=1 --disablehighdpi --buildid=1709846872 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1092 --field-trial-handle=1208,i,10655423589679709768,13084601154772732833,131072 --disable-features=BackForwardCache,DcheckIsFatal,WinUseBrowserSpellChecker /prefetch:2
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:3704
        • C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
          "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --force-device-scale-factor=1 --disablehighdpi --buildid=1709846872 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1316 --field-trial-handle=1208,i,10655423589679709768,13084601154772732833,131072 --disable-features=BackForwardCache,DcheckIsFatal,WinUseBrowserSpellChecker /prefetch:2
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:4292
        • C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
          "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --force-device-scale-factor=1 --disablehighdpi --buildid=1709846872 --steamid=0 --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1536 --field-trial-handle=1208,i,10655423589679709768,13084601154772732833,131072 --disable-features=BackForwardCache,DcheckIsFatal,WinUseBrowserSpellChecker /prefetch:8
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:5428
      • C:\Users\Admin\AppData\Local\Temp\steamerrorreporter.exe
        C:\Users\Admin\AppData\Local\Temp\ste
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5312
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2024
  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
    1⤵
    • Executes dropped EXE
    PID:2836
  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    PID:2720
  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    PID:2744
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2952
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:2328
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e4 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:1436
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 24c -NGENProcess 23c -Pipe 1d4 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:1692
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 240 -NGENProcess 1d0 -Pipe 234 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:4000
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 264 -NGENProcess 24c -Pipe 258 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:6720
  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2608
  • C:\Windows\ehome\ehRecvr.exe
    C:\Windows\ehome\ehRecvr.exe
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    PID:2892
  • C:\Windows\ehome\ehsched.exe
    C:\Windows\ehome\ehsched.exe
    1⤵
    • Executes dropped EXE
    PID:604
  • C:\Windows\eHome\EhTray.exe
    "C:\Windows\eHome\EhTray.exe" /nav:-2
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1192
  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    PID:2492
  • C:\Windows\ehome\ehRec.exe
    C:\Windows\ehome\ehRec.exe -Embedding
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2300
  • C:\Windows\system32\IEEtwCollector.exe
    C:\Windows\system32\IEEtwCollector.exe /V
    1⤵
    • Executes dropped EXE
    PID:2308
  • C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:1828
  • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
    1⤵
    • Executes dropped EXE
    PID:1244
  • C:\Windows\System32\msdtc.exe
    C:\Windows\System32\msdtc.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Windows directory
    PID:1656
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    PID:1236
  • C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    1⤵
    • Executes dropped EXE
    PID:2548
  • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    PID:2372
  • C:\Windows\SysWow64\perfhost.exe
    C:\Windows\SysWow64\perfhost.exe
    1⤵
    • Executes dropped EXE
    PID:2412
  • C:\Windows\system32\locator.exe
    C:\Windows\system32\locator.exe
    1⤵
    • Executes dropped EXE
    PID:1028
  • C:\Windows\System32\snmptrap.exe
    C:\Windows\System32\snmptrap.exe
    1⤵
    • Executes dropped EXE
    PID:2068
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    • Executes dropped EXE
    PID:2000
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2488
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2288
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
    • Executes dropped EXE
    PID:868
  • C:\Program Files\Windows Media Player\wmpnetwk.exe
    "C:\Program Files\Windows Media Player\wmpnetwk.exe"
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2544
  • C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\SearchIndexer.exe /Embedding
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3632
    • C:\Windows\system32\SearchProtocolHost.exe
      "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      2⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:3120
    • C:\Windows\system32\SearchFilterHost.exe
      "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
      2⤵
        PID:1472
      • C:\Windows\system32\SearchProtocolHost.exe
        "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-1658372521-4246568289-2509113762-10002_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-1658372521-4246568289-2509113762-10002 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:2176
    • C:\Windows\system32\dllhost.exe
      C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
      1⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      PID:6944

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

      Filesize

      1.3MB

      MD5

      8a3105668c6e1a56f7384a0e571c69a8

      SHA1

      a625c99aa33312e04f3ddf66a3abf5bf6693b8aa

      SHA256

      6bf2b8cd0a3ed2031685dfe104266bd24fad36b406192f48ba63149db5524c19

      SHA512

      d62e25bf86775d3e0ba6f4e4396a3b4c57d52efb2c63b7eb6def51b1ff6a53ba3cf07ef4934c4792d0461beb68d1ed7ce75eeb23795989280b8e2f9e76ba8f7e

    • C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

      Filesize

      1.3MB

      MD5

      f674a2ff87c94720194611ead06e74d8

      SHA1

      2421896ac66059818b3a608c921a17f06bb51993

      SHA256

      56e2c4eff24f8f38fa1b8795b5c09386511835531b38068006a53b579afabd04

      SHA512

      5e8c181c12b5cc4617eced8ad6977c22a462329368512528dc743d3f8c1a95f6ae3542d03fa55a6ab09d4364db7ef7366172b2defcd61fbf9342afdbf645702b

    • C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

      Filesize

      30.1MB

      MD5

      bc1fa3884617f6655376f64feea1c9db

      SHA1

      a01616471baf5371ab320b0b984ade28d0234021

      SHA256

      6ce223e726d96a959e5f77307ec20f5cb14963e2bfeb81fa6b456d03f6832a95

      SHA512

      7295f7923a85c4d505738dd82de9e5aba761f8604d08df87af0591659fd41990cfa55c853efb123ae2944a17574ae85258172f0df400e92f6bb09f202c98d88d

    • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

      Filesize

      1.4MB

      MD5

      c7e3366c957011929ab4b3924b5d171a

      SHA1

      ddb69ca3579a4dfe9e8d673ca54aa7adb37904ef

      SHA256

      0960e66de3196d9c3871b4b5d3f113f787b3d4b7a45931f84449228fccf3207c

      SHA512

      f282240bcd21ebe21091d8cbb6e669f206d9ef429891652274e45f1de8ce8fcbe19347bc0cb301ed45397be15b555a5fc174f66a4e44148f215e248bc7cb18ce

    • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

      Filesize

      5.2MB

      MD5

      e98ea99503a6d7fd6d45b172ac5ef144

      SHA1

      df0038e08650e652b5f48048e4b013267f4a9400

      SHA256

      b160d061988659b2bb9185c626d782a74059713ee69aa88d362c3b988dbca179

      SHA512

      955f72264bd6e8fd3f264fc2da345d195d3bbb31459aa209a110ad33b364a6d2f40f8d9e4d967dd00d63785ebf4c57683b47888b91702d4974bf77498b05e5a4

    • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

      Filesize

      2.1MB

      MD5

      0df6d7b20bf9938e3816679747b2b658

      SHA1

      8b2730fbfcbe5b1e2a94214fbdbff2f3f5030635

      SHA256

      e025afe763e9aae7085498714b6fb0e9300b65a6f86a721e2b80d94574cb0bb8

      SHA512

      af6856e94abef5f97446d1acf9ecd1f9059bea48b30cfe4d69a8cbd7ada89394d115d6fbba48ebaa2fc51de5e26221defbb071d693caca8c9f4c3b05398fb388

    • C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

      Filesize

      1024KB

      MD5

      0b3a7eb6c9f30115d74e509f2e72821e

      SHA1

      9a1e5718d56ccad808b035f7b54f4b67a3d1ee55

      SHA256

      5aee9b507e4d46dafcb19ef04466e04aead79b3811b78f90dd5358eb677f9499

      SHA512

      33846ae0ddd896d55080a13461766b7714685d25e6b9c9db4dd4ced080d61d62d7ea8fb349bb2054e957421413c137dff7edc7f96d50e3ee769c8366b554c171

    • C:\Users\Admin\AppData\Local\Steam\htmlcache\CURRENT~RFf787df6.TMP

      Filesize

      16B

      MD5

      46295cac801e5d4857d09837238a6394

      SHA1

      44e0fa1b517dbf802b18faf0785eeea6ac51594b

      SHA256

      0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

      SHA512

      8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

    • C:\Users\Admin\AppData\Local\Temp\crashhandler.dll

      Filesize

      361KB

      MD5

      921ecaa849aa3eebea83cc117f057bbc

      SHA1

      b7eac57ca1e82b1011379893c88c76906b8c6833

      SHA256

      956264d928cc41776196b6a8162bf5895e0f093cc8049842fc90ad55e8c2f198

      SHA512

      2ea60ab1c5119254c38e136c3f1a88450fc0256fe5dcc621dd42235c72f50ef5ae2cf8fd481ee0cd663ee8173c09522fc7e11d72101072617d40ad193af9b3a7

    • C:\Users\Admin\AppData\Local\Temp\logs\bootstrap_log.txt

      Filesize

      11KB

      MD5

      01500a883894fb17318c270951bafccd

      SHA1

      afd8d7fb980002186894fc23a132d9bfe16da91a

      SHA256

      c87d1115c2cd680504b14e02afcbedfede4aaf940a8e38f3a96d8478e4ffcf0e

      SHA512

      22d1dac01babde8224d4e9cbf712c28efc2dd69531a9b6d91c9d52f0fd5956ab97a8cb61b259cf66461bc2885080b80aacc059c9931f649f37daaaede9845c52

    • C:\Users\Admin\AppData\Local\Temp\package\steam_client_metrics.bin

      Filesize

      3KB

      MD5

      a1a24eb6ea7c8f698257c581ac77e6c5

      SHA1

      632500550b55c11335778a4b64f64cce568578cb

      SHA256

      d775348840b6bc74c309c53ed90ec2905d577d4f38d5210424763106a8c4586d

      SHA512

      4e39dcfe388c67767d56733ccfb33e879eb670ebb8ff22dddc940c8d077d9e312a7ac5dfa53de0270b2e5a25e826e4dd162c59cf7ea827eb30c7357310321bdb

    • C:\Users\Admin\AppData\Local\Temp\package\steam_client_win32.manifest

      Filesize

      9KB

      MD5

      efb6e815a83a9222a7263e78209285f1

      SHA1

      e178c8468d4e2ac9e66e7cd597813e6d85b30044

      SHA256

      9d0a3df457493d2ac1dba90a89ad6b35d309951142c793bef247ce462a631a2a

      SHA512

      36b1ec5f4b045b026f80983f769fa20d9e301c6ed92a036629f768c13515393522123d6436f438fe4f24f9116c0c7908c4d8093fcca36972e12ec763a06e3c72

    • C:\Users\Admin\AppData\Local\Temp\package\tmp\graphics\[email protected]_

      Filesize

      15KB

      MD5

      577b7286c7b05cecde9bea0a0d39740e

      SHA1

      144d97afe83738177a2dbe43994f14ec11e44b53

      SHA256

      983aa3928f15f5154266be7063a75e1fce87238bbe81a910219dea01d5376824

      SHA512

      8cd55264a6e973bb6683c6f376672b74a263b48b087240df8296735fd7ae6274ee688fdb16d7febad14288a866ea47e78b114c357a9b03471b1e72df053ebcb0

    • C:\Users\Admin\AppData\Local\Temp\package\tmp\graphics\icon_button_news_mousedown.tga_

      Filesize

      20KB

      MD5

      00bf35778a90f9dfa68ce0d1a032d9b5

      SHA1

      de6a3d102de9a186e1585be14b49390dcb9605d6

      SHA256

      cab3a68b64d8bf22c44080f12d7eab5b281102a8761f804224074ab1f6130fe2

      SHA512

      342c9732ef4185dee691c9c8657a56f577f9c90fc43a4330bdc173536750cee1c40af4adac4f47ac5aca6b80ab347ebe2d31d38ea540245b38ab72ee8718a041

    • C:\Users\Admin\AppData\Local\Temp\package\tmp\resource\filter_clean_bulgarian.txt.gz_

      Filesize

      23B

      MD5

      836dd6b25a8902af48cd52738b675e4b

      SHA1

      449347c06a872bedf311046bca8d316bfba3830b

      SHA256

      6feb83ca306745d634903cf09274b7baf0ac38e43c6b3fab1a608be344c3ef64

      SHA512

      6ab1e4a7fa9da6d33cee104344ba2ccb3e85cd2d013ba3e4c6790fd7fd482c85f5f76e9ae38c5190cdbbe246a48dae775501f7414bec4f6682a05685994e6b80

    • C:\Users\Admin\AppData\Local\Temp\public\steambootstrapper_english.txt

      Filesize

      4KB

      MD5

      da6cd2483ad8a21e8356e63d036df55b

      SHA1

      0e808a400facec559e6fbab960a7bdfaab4c6b04

      SHA256

      ebececd3f691ac20e5b73e5c81861a01531203df3cf2baa9e1b6d004733a42a6

      SHA512

      06145861eb4803c9813a88cd715769a4baa0bab0e87b28f59aa242d4369817789f4c85114e8d0ceb502e080ec3ec03400385924ec7537e7b04f724ba7f17b925

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

      Filesize

      24B

      MD5

      b9bd716de6739e51c620f2086f9c31e4

      SHA1

      9733d94607a3cba277e567af584510edd9febf62

      SHA256

      7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

      SHA512

      cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

      Filesize

      1.3MB

      MD5

      b7fa57b3375336c75daf8e8e608ad0ce

      SHA1

      c061b4ee8103d77dc6945433d068a443f794f435

      SHA256

      07f9840e0d74f9f6433ec5a8416285534d4047f14fecb562aec86aefcbabc24f

      SHA512

      569acaac8054a95d34fc718b878464b1e9c4afa0acf6b423632b8d9c6ecfc5b8e54fcf68523441382f34b41bfc8aeb5e0c443494b503e6bdf86b3ada8d3ad0bc

    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

      Filesize

      872KB

      MD5

      9580c38a67de14185cc0e3ad9139afbb

      SHA1

      1d7f70a727ffe5dd156d9d9d98ed96b46fd2edf1

      SHA256

      40e39dfa31869b0208c2974638e7c63d65f1055850cd4bd21bc81b91b528585c

      SHA512

      a013c3b377019596b9c26a98e8915abf3a239c65177bdce35ecf0d6bb5b407f416824cc57dd00ae8a4a6cf4d63df8bce1a535c80401ea9ad834093a270862fe6

    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

      Filesize

      1.3MB

      MD5

      4daf380126c6527569a65a064b403ccd

      SHA1

      e65fa13c72d122801b9559857d9e178ef532a501

      SHA256

      fd17234e9bd3b32056fddea4dea4776a4a1d9b8985bfd282d131fe4af11911cc

      SHA512

      c996bda5a7667ffc8194016cc5d698cf3f5f8f07120631c9e1af01fe974c9d119d46a7b1f00c5ca4e6f2aaa2bd1aa313a5239d70d62cc2dba70521b59de4209d

    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

      Filesize

      1.2MB

      MD5

      3449d2080e4b7486d3c6fb77bf90ce15

      SHA1

      d73720ed8527031ade9a64dc709b955fc590a942

      SHA256

      9bffd1032713312b5878d3fe66dc0c5ea77c2db7d08900f791f1b8e143eac609

      SHA512

      46a18b81f8d745676f69bd38aa425fd779e3952f8b8a345f2b4b18a97251368231ee22f010f40500c04051c353239cb547924bd187826a8147ba550de7a96e5b

    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

      Filesize

      1003KB

      MD5

      25c8b8a7fb9c54bbdcfc788b561a5b23

      SHA1

      f50f9e6db1f421e7c0ec8b8487439ed4240e83b1

      SHA256

      4dd0ef38b4d128d5e75b7cc7805d452446418fe518d8a8349ae77b697d7b6213

      SHA512

      62e4f435197be0ca7a59138216820657e473c820cb19a8ab93b4dfb184dee8035f9bb9e1cde740b5c856ecd9fa5fe556f315650e5edc9249aebe8ceb88a654f1

    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

      Filesize

      1.3MB

      MD5

      0c16fac5f8cdb2ca77c397e50153db42

      SHA1

      4f10af88981d6ecdeeb66fec093eac5350050216

      SHA256

      26814b6680fb6fbead5740936c9944b9c3c06f4a817e4cd3bc3cbdb8d05a9bcd

      SHA512

      7c13d889bba4313dc2b372913430217811bf96f674a238002ad10cb1fc01846bd0ce5d19d3fbdbddf3b39fc6e093ba7db7ccb9dba8bc06a956ec61466f3d94d3

    • C:\Windows\SysWOW64\perfhost.exe

      Filesize

      1.2MB

      MD5

      26461615698f5f31415db4a7e4c01665

      SHA1

      eb767e16f0e1244991d521b33dfb630f54a5aa7f

      SHA256

      cfd4cbea0a97d5578566b796dea96d31ee26739c4e7485f6e12cd2f2ee0b7683

      SHA512

      d1d76c094a96cc98ddd1229eaa85fa9e4356731df2a46f7ae73f020bfe3333ccf4d2755e41385ef99e2430756e0825f70136b0fe6ed68a6f077f7b5c1c3493c5

    • C:\Windows\System32\SearchIndexer.exe

      Filesize

      1.1MB

      MD5

      01a14b0f0ef61a1d607bda4251b72b6e

      SHA1

      b063d32e0b2fd7dc40961543e0118f2afdc95929

      SHA256

      b95dec8282180bc1772ca437e7b91b61d0fbfea3f9f0ea148232b3a2d1aa8b75

      SHA512

      5fc0802996d37910a054ea19d840479c109964c704292d4a53cf2dba6c1b4ebd8156b5c1f9bb34713fc2818bd68ebdef5a2f16fc6b8b43fd62cb47eb9ce5c14e

    • C:\Windows\System32\VSSVC.exe

      Filesize

      2.1MB

      MD5

      1d71757061b93487a72136c53ee21ced

      SHA1

      34c1ed17d2b045e0609b93006cc75f17d345a8aa

      SHA256

      9c3861cd8abf88c7671b80f80ace2a90db8913cc7c681101a0fbd1a2fff99cf2

      SHA512

      026f06d0318d531cd1b6f942c35ece59873949625b19722ad096f1b3d2bd7b28e8d25a29087c1b94005f74b820c472ad7cb89929536471458ef86552dd1d0bbe

    • C:\Windows\System32\ieetwcollector.exe

      Filesize

      1.3MB

      MD5

      742c0cb6cff9a17d2cee03a595fa15f1

      SHA1

      ab0a77929fdf0a85a9540eff642a0ee77861fef1

      SHA256

      e8f679188fa6532ff854adda5e8d4a48142666acb862dcaf766f14a7c693bf38

      SHA512

      99745c917733d7e03dd765c82f66e973e05a698433fc9c1bcb1e2fa101bfc84c1c3891b8ab22eb2fb403709b55c6d8c072410411a872470fc7f4539842cd4d4b

    • C:\Windows\System32\msdtc.exe

      Filesize

      1.3MB

      MD5

      601587165452d8f5a50013607a25977a

      SHA1

      78f8736bf49bb4937a4adbb8e05398bbb8770414

      SHA256

      c8d22490ebc995e70bb3e5c6a2e1827d2b9831c4276bdc7d20e9b865515025a7

      SHA512

      c2d6333b77d92f244cd7d6a34274053d8c86e4e35a6d75d50c33295555555ecb462555bb28a3225964f49714ec69f2096c67feae96ca89b38aa0b776b8345057

    • C:\Windows\System32\msiexec.exe

      Filesize

      1.3MB

      MD5

      43551f6c1c973b48cff22f1bfe17105b

      SHA1

      aaa7447b8a2632165adc6c8f7e3e454dd173b1c7

      SHA256

      80b48eb696351d94f56be4e3962f0802124dd1f52de9b774f31c1def99780d84

      SHA512

      6d57a03c46065b05bdc102618b3311922be45e15ab9b8e82ee50695d2c0c868c80bc58fdc8c18773e62379fe2a549fd1406ff6759a23aeeec06e6c47433b87ab

    • C:\Windows\System32\vds.exe

      Filesize

      1.7MB

      MD5

      f62f5b1d4f5727a8a90b2cc34b484448

      SHA1

      368867c4c4a7c306ab7d108e92d1c2825b4b33b3

      SHA256

      9330786212386f9c0366438911b97ccd9200bf4634eb6d885366958e9b28d7e3

      SHA512

      c4d877858a31f3b2c877ddd62aa7f4459e8bf78c52d57093ad7509a63c4d31584fc5115ea9a1606146a57592585e757e5b3a1817c1fcd125d1f6ec0c9cadd705

    • C:\Windows\ehome\ehrecvr.exe

      Filesize

      1.2MB

      MD5

      3c8b7b544cfcf2b43344fb1fcb1e74cc

      SHA1

      0e8da883fd99f5dab1cae1ddf0baeddcd701281f

      SHA256

      4c8186e726bad530d451345b1deda9bd857d8b73b2eba0b8cbfdd078051b80a4

      SHA512

      8098e6fa31cf0131d7d42376c874bea7c542e2d645df69d5f0504011896b970d18dd27ac627d6eccbfea2f4d2e44bad84cab837af8f0b9d02bf00960847c4303

    • C:\Windows\ehome\ehsched.exe

      Filesize

      1.3MB

      MD5

      8e94b85b7dc322f503f6ee5c9469d04a

      SHA1

      155133a1a808e0ffc02679a4b103672f3739bcb8

      SHA256

      a5f37e5f5b05826af4842dd1a124f09a69dbbf8c7ef8da5e372d8cb99752e21d

      SHA512

      b2da8e8008b95ddf858e3a65d18616715314423f6b8b21a69b1246c956c6a26e95c5d0beddfbb3d8118ad55968fd8b96541a01a5ff5377a2f4d6b4848c71f6bf

    • C:\Windows\system32\fxssvc.exe

      Filesize

      1.2MB

      MD5

      b6d6f3fa5f7a59dcb549b5fcd5438a5d

      SHA1

      686321ef77a80151165eea64dc488e1c76bb635d

      SHA256

      a75b5ad4dc0a10182daa5f3e82dfa15ff36ffc9995404d82fdf433fd0e8b71d5

      SHA512

      cb04556061a6db188e06972da17b658bf96db0591595f1cf3748cfe01211b31fb19b53d6320b4d646dfea409be0353d6654c88d06322a7f8e1261c6000c77904

    • \Program Files\Windows Media Player\wmpnetwk.exe

      Filesize

      2.0MB

      MD5

      88675a314cad44bc2d04d4d23d94ed95

      SHA1

      5869bb6a10300c89292dd5f9e72e078d47fa388f

      SHA256

      9755073b3fb4f5c2c95472df42af0d25f28634eefd6f951050fb5b8cbc7fc853

      SHA512

      3c63b643c39beebfe37aab3a2f46080a39eea13140486fd6682e6adb2ad58d8d3d5287b1eddc49f3d971b44c640e1216c43eaa74e22ee7ed70dc0eceab2dc75d

    • \Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

      Filesize

      1.2MB

      MD5

      649cc25532fdc588ed49966742a7e9fe

      SHA1

      43175a0f20f09e33f2e124f108a98873b49698fd

      SHA256

      6b520684c5f1db9402a6f1d1611e9e9109d1944c07d5457838a537bd26ce76b5

      SHA512

      04719bcf207b9fb5f0fc2dcb30b6cf7b1109a80931d65b514e909606d12511411a083b4bd2fa6d64fdd777baeec3c3f7723b9a5642c7c51cb4b8689ded195ad2

    • \Windows\System32\Locator.exe

      Filesize

      1.2MB

      MD5

      f5a77b215da42c6b7e0a11c3c9e28525

      SHA1

      814956df805529fdb361b9d58dffcaaeac12fe93

      SHA256

      3ac581f10a1ee3cf24522962049b1617b71371192e84daffc48c31ffa1cfc87e

      SHA512

      09aa62dc5b19a30a4bfddcb63e8fa0a612958c77c0dbd16315461d6907d5e01d6f4eb2dedb992a486e4f4c0220caf9fffcba80a782f3dd51e1131ab6492987bf

    • \Windows\System32\alg.exe

      Filesize

      1.3MB

    • \Windows\System32\dllhost.exe

      Filesize

      1.2MB

    • \Windows\System32\snmptrap.exe

      Filesize

      1.2MB

    • \Windows\System32\wbem\WmiApSrv.exe

      Filesize

      1.4MB

    • \Windows\System32\wbengine.exe

      Filesize

      2.0MB
