quasar | f0c179b8db5374fa9c4ef639b24bbc363cc99843bfaef5709db2dfb716ce26ba

Analysis

max time kernel
135s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05-06-2024 10:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

atikmdag-patcher-1.4.14/atikmdag-patcher.exe
Size

3.0MB
MD5

0e1cb5a76b5ed8013332712c9be3c61a
SHA1

b71e495ba56e1674ad202251dfa906767f011f86
SHA256

d98c1c6860f88f670d6a2bcce2736cc7294d88c9ca55d3b9306e784c5f336d37
SHA512

afb6346855cea9309f58c2c1c2ed89a0ef1a679209e75509e922477571b038349484789f4bd179446629b15e4034625bbbc43ff064cce124d52f27933391907a
SSDEEP

49152:Rdx4HDQNJL0VR6SgMt+k4RiP+RmXMjiINiMq95FoHVHNTQTEj9333cSP:CHDYsqiPRhINnq95FoHVB9333cO

Score

10^/10

quasar redline office infostealer spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office

135.181.235.186:2424

Mutex

vLjWia7oT7CKQjEfGEyguygtygygg

Attributes

encryption_key
YwwSXy4xT39hdTVPGX0J
install_name
csrss.exe
log_directory
Logs
reconnect_delay
3000
startup_key
NET framework
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5112-181-0x00000000003B0000-0x00000000003FE000-memory.dmp	family_quasar

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4224-203-0x0000000001360000-0x0000000001388000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

atikmdag-patcher.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	atikmdag-patcher.exe

Executes dropped EXE 9 IoCs

Processes:

hBZdvpB.exeYrEQwtM.exeatikmdag-patcher.exeEngine.exeEngine.exeWe.exe.pifWindows.exe.pifjsc.exejsc.exe

pid process

2616 hBZdvpB.exe
4324 YrEQwtM.exe
3844 atikmdag-patcher.exe
4652 Engine.exe
3664 Engine.exe
3948 We.exe.pif
4684 Windows.exe.pif
5112 jsc.exe
4224 jsc.exe
Drops desktop.ini file(s) 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Users\Admin\Videos\Captures\desktop.ini svchost.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

42 ip-api.com

pid	process
2616	hBZdvpB.exe
4324	YrEQwtM.exe
3844	atikmdag-patcher.exe
4652	Engine.exe
3664	Engine.exe
3948	We.exe.pif
4684	Windows.exe.pif
5112	jsc.exe
4224	jsc.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

flow	ioc
42	ip-api.com

Drops file in System32 directory 4 IoCs

Processes:

atikmdag-patcher.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\hBZdvpB.exe	atikmdag-patcher.exe
File opened for modification	C:\Windows\SysWOW64\YrEQwtM.exe	atikmdag-patcher.exe
File created	C:\Windows\SysWOW64\is-F3F6F.tmp	atikmdag-patcher.exe
File created	C:\Windows\SysWOW64\is-2M1ER.tmp	atikmdag-patcher.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Windows.exe.pifWe.exe.pif

description	pid	process	target process
PID 4684 set thread context of 5112	4684	Windows.exe.pif	jsc.exe
PID 3948 set thread context of 4224	3948	We.exe.pif	jsc.exe

Drops file in Program Files directory 2 IoCs

Processes:

atikmdag-patcher.exe

description	ioc	process
File created	C:\Program Files (x86)\My Program\is-E46QU.tmp	atikmdag-patcher.exe
File opened for modification	C:\Program Files (x86)\My Program\atikmdag-patcher.exe	atikmdag-patcher.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4620 schtasks.exe

pid	process
4620	schtasks.exe

Modifies registry class 2 IoCs

Processes:

svchost.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2804150937-2146708401-419095071-1000\{1836E7DE-6BB2-473A-9E09-7FEF78471F25}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2804150937-2146708401-419095071-1000\{0906E203-E0A6-475A-A853-8846B0EAB2A2}	svchost.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

1096 PING.EXE
2184 PING.EXE

pid	process
1096	PING.EXE
2184	PING.EXE

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

atikmdag-patcher.exepowershell.exepowershell.exepowershell.exepowershell.exeWindows.exe.pifWe.exe.pif

pid	process
3012	atikmdag-patcher.exe
3012	atikmdag-patcher.exe
4952	powershell.exe
4952	powershell.exe
3768	powershell.exe
3768	powershell.exe
4952	powershell.exe
3768	powershell.exe
3768	powershell.exe
4952	powershell.exe
1332	powershell.exe
1332	powershell.exe
1612	powershell.exe
1612	powershell.exe
1332	powershell.exe
1612	powershell.exe
1612	powershell.exe
1332	powershell.exe
4684	Windows.exe.pif
4684	Windows.exe.pif
4684	Windows.exe.pif
4684	Windows.exe.pif
4684	Windows.exe.pif
4684	Windows.exe.pif
4684	Windows.exe.pif
4684	Windows.exe.pif
3948	We.exe.pif
3948	We.exe.pif
3948	We.exe.pif
3948	We.exe.pif
3948	We.exe.pif
3948	We.exe.pif
3948	We.exe.pif
3948	We.exe.pif
3948	We.exe.pif
3948	We.exe.pif
4684	Windows.exe.pif
4684	Windows.exe.pif
3948	We.exe.pif
3948	We.exe.pif
4684	Windows.exe.pif
4684	Windows.exe.pif
3948	We.exe.pif
3948	We.exe.pif
4684	Windows.exe.pif
4684	Windows.exe.pif
4684	Windows.exe.pif
4684	Windows.exe.pif
4684	Windows.exe.pif
4684	Windows.exe.pif
4684	Windows.exe.pif
4684	Windows.exe.pif
4684	Windows.exe.pif
4684	Windows.exe.pif

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exejsc.exe

description	pid	process
Token: SeDebugPrivilege	3768	powershell.exe
Token: SeDebugPrivilege	4952	powershell.exe
Token: SeDebugPrivilege	1332	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	5112	jsc.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

atikmdag-patcher.exeWindows.exe.pifWe.exe.pif

pid process

3012 atikmdag-patcher.exe
4684 Windows.exe.pif
3948 We.exe.pif
4684 Windows.exe.pif
3948 We.exe.pif
4684 Windows.exe.pif
3948 We.exe.pif
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

Windows.exe.pifWe.exe.pif

pid process

4684 Windows.exe.pif
3948 We.exe.pif
4684 Windows.exe.pif
3948 We.exe.pif
4684 Windows.exe.pif
3948 We.exe.pif
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

OpenWith.exeOpenWith.exejsc.exe

pid process

5008 OpenWith.exe
1732 OpenWith.exe
5112 jsc.exe

pid	process
4684	Windows.exe.pif
3948	We.exe.pif
4684	Windows.exe.pif
3948	We.exe.pif
4684	Windows.exe.pif
3948	We.exe.pif

pid	process
5008	OpenWith.exe
1732	OpenWith.exe
5112	jsc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

atikmdag-patcher.exeatikmdag-patcher.exehBZdvpB.exeYrEQwtM.exeEngine.exeEngine.execmd.execmd.execmd.execmd.exeWindows.exe.pif

description	pid	process	target process
PID 400 wrote to memory of 3012	400	atikmdag-patcher.exe	atikmdag-patcher.exe
PID 400 wrote to memory of 3012	400	atikmdag-patcher.exe	atikmdag-patcher.exe
PID 400 wrote to memory of 3012	400	atikmdag-patcher.exe	atikmdag-patcher.exe
PID 3012 wrote to memory of 2616	3012	atikmdag-patcher.exe	hBZdvpB.exe
PID 3012 wrote to memory of 2616	3012	atikmdag-patcher.exe	hBZdvpB.exe
PID 3012 wrote to memory of 2616	3012	atikmdag-patcher.exe	hBZdvpB.exe
PID 3012 wrote to memory of 4324	3012	atikmdag-patcher.exe	YrEQwtM.exe
PID 3012 wrote to memory of 4324	3012	atikmdag-patcher.exe	YrEQwtM.exe
PID 3012 wrote to memory of 4324	3012	atikmdag-patcher.exe	YrEQwtM.exe
PID 3012 wrote to memory of 3844	3012	atikmdag-patcher.exe	atikmdag-patcher.exe
PID 3012 wrote to memory of 3844	3012	atikmdag-patcher.exe	atikmdag-patcher.exe
PID 3012 wrote to memory of 3844	3012	atikmdag-patcher.exe	atikmdag-patcher.exe
PID 2616 wrote to memory of 4652	2616	hBZdvpB.exe	Engine.exe
PID 2616 wrote to memory of 4652	2616	hBZdvpB.exe	Engine.exe
PID 2616 wrote to memory of 4652	2616	hBZdvpB.exe	Engine.exe
PID 4324 wrote to memory of 3664	4324	YrEQwtM.exe	Engine.exe
PID 4324 wrote to memory of 3664	4324	YrEQwtM.exe	Engine.exe
PID 4324 wrote to memory of 3664	4324	YrEQwtM.exe	Engine.exe
PID 3664 wrote to memory of 4796	3664	Engine.exe	cmd.exe
PID 3664 wrote to memory of 4796	3664	Engine.exe	cmd.exe
PID 3664 wrote to memory of 4796	3664	Engine.exe	cmd.exe
PID 4652 wrote to memory of 336	4652	Engine.exe	cmd.exe
PID 4652 wrote to memory of 336	4652	Engine.exe	cmd.exe
PID 4652 wrote to memory of 336	4652	Engine.exe	cmd.exe
PID 4796 wrote to memory of 3604	4796	cmd.exe	cmd.exe
PID 4796 wrote to memory of 3604	4796	cmd.exe	cmd.exe
PID 4796 wrote to memory of 3604	4796	cmd.exe	cmd.exe
PID 336 wrote to memory of 628	336	cmd.exe	cmd.exe
PID 336 wrote to memory of 628	336	cmd.exe	cmd.exe
PID 336 wrote to memory of 628	336	cmd.exe	cmd.exe
PID 628 wrote to memory of 4952	628	cmd.exe	powershell.exe
PID 628 wrote to memory of 4952	628	cmd.exe	powershell.exe
PID 628 wrote to memory of 4952	628	cmd.exe	powershell.exe
PID 3604 wrote to memory of 3768	3604	cmd.exe	powershell.exe
PID 3604 wrote to memory of 3768	3604	cmd.exe	powershell.exe
PID 3604 wrote to memory of 3768	3604	cmd.exe	powershell.exe
PID 3604 wrote to memory of 1612	3604	cmd.exe	powershell.exe
PID 3604 wrote to memory of 1612	3604	cmd.exe	powershell.exe
PID 3604 wrote to memory of 1612	3604	cmd.exe	powershell.exe
PID 628 wrote to memory of 1332	628	cmd.exe	powershell.exe
PID 628 wrote to memory of 1332	628	cmd.exe	powershell.exe
PID 628 wrote to memory of 1332	628	cmd.exe	powershell.exe
PID 3604 wrote to memory of 2448	3604	cmd.exe	findstr.exe
PID 3604 wrote to memory of 2448	3604	cmd.exe	findstr.exe
PID 3604 wrote to memory of 2448	3604	cmd.exe	findstr.exe
PID 628 wrote to memory of 2908	628	cmd.exe	findstr.exe
PID 628 wrote to memory of 2908	628	cmd.exe	findstr.exe
PID 628 wrote to memory of 2908	628	cmd.exe	findstr.exe
PID 628 wrote to memory of 3948	628	cmd.exe	We.exe.pif
PID 628 wrote to memory of 3948	628	cmd.exe	We.exe.pif
PID 628 wrote to memory of 3948	628	cmd.exe	We.exe.pif
PID 3604 wrote to memory of 4684	3604	cmd.exe	Windows.exe.pif
PID 3604 wrote to memory of 4684	3604	cmd.exe	Windows.exe.pif
PID 3604 wrote to memory of 4684	3604	cmd.exe	Windows.exe.pif
PID 628 wrote to memory of 2184	628	cmd.exe	PING.EXE
PID 628 wrote to memory of 2184	628	cmd.exe	PING.EXE
PID 628 wrote to memory of 2184	628	cmd.exe	PING.EXE
PID 3604 wrote to memory of 1096	3604	cmd.exe	PING.EXE
PID 3604 wrote to memory of 1096	3604	cmd.exe	PING.EXE
PID 3604 wrote to memory of 1096	3604	cmd.exe	PING.EXE
PID 4684 wrote to memory of 4620	4684	Windows.exe.pif	schtasks.exe
PID 4684 wrote to memory of 4620	4684	Windows.exe.pif	schtasks.exe
PID 4684 wrote to memory of 4620	4684	Windows.exe.pif	schtasks.exe
PID 4684 wrote to memory of 5112	4684	Windows.exe.pif	jsc.exe

C:\Users\Admin\AppData\Local\Temp\atikmdag-patcher-1.4.14\atikmdag-patcher.exe
"C:\Users\Admin\AppData\Local\Temp\atikmdag-patcher-1.4.14\atikmdag-patcher.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:400

C:\Users\Admin\AppData\Local\Temp\atikmdag-patcher-1.4.14\atikmdag-patcher.exe
"C:\Users\Admin\AppData\Local\Temp\atikmdag-patcher-1.4.14\atikmdag-patcher.exe" /VERYSILENT
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3012

C:\Windows\SysWOW64\hBZdvpB.exe
"C:\Windows\SysWOW64\hBZdvpB.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2616

C:\Users\Admin\AppData\Local\Temp\SETUP_27873\Engine.exe
C:\Users\Admin\AppData\Local\Temp\SETUP_27873\Engine.exe /TH_ID=_4084 /OriginExe="C:\Windows\SysWOW64\hBZdvpB.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cmd < Previews
5⤵
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\SysWOW64\cmd.exe
cmd
6⤵
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell get-process avastui
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4952

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell get-process avgui
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1332

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^rollsBeingsBalanceNathanTaxesMasonNascarComparisonsSpywareFishContractorAndale$" Cvs
7⤵
PID:2908

C:\Users\Admin\AppData\Local\Temp\yjgddm1j.wap\6301\We.exe.pif
6301\\We.exe.pif 6301\\S
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3948

C:\Users\Admin\AppData\Local\Temp\yjgddm1j.wap\6301\jsc.exe
C:\Users\Admin\AppData\Local\Temp\yjgddm1j.wap\6301\jsc.exe
8⤵
- Executes dropped EXE
PID:4224

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 18
7⤵
- Runs ping.exe
PID:2184

C:\Windows\SysWOW64\YrEQwtM.exe
"C:\Windows\SysWOW64\YrEQwtM.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4324

C:\Users\Admin\AppData\Local\Temp\SETUP_28484\Engine.exe
C:\Users\Admin\AppData\Local\Temp\SETUP_28484\Engine.exe /TH_ID=_3320 /OriginExe="C:\Windows\SysWOW64\YrEQwtM.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cmd < Precisely
5⤵
- Suspicious use of WriteProcessMemory
PID:4796

C:\Windows\SysWOW64\cmd.exe
cmd
6⤵
- Suspicious use of WriteProcessMemory
PID:3604

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell get-process avastui
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3768

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell get-process avgui
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^COXAMPOPTIONSREQUESTINGNRVARYINGCELTICBELFASTTERRITORIESEXCITINGRETIREDPOTATOES$" Perfectly
7⤵
PID:2448

C:\Users\Admin\AppData\Local\Temp\pb2yy1gj.hdm\6301\Windows.exe.pif
6301\\Windows.exe.pif 6301\\T
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4684

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /tn "ZwwYdEouSU" /tr "C:\Users\Admin\AppData\Roaming\gEVcnFsUec\ZwwYdEouSU.exe.com C:\Users\Admin\AppData\Roaming\gEVcnFsUec\u" /sc onlogon /F /RL HIGHEST
8⤵
- Creates scheduled task(s)
PID:4620

C:\Users\Admin\AppData\Local\Temp\pb2yy1gj.hdm\6301\jsc.exe
C:\Users\Admin\AppData\Local\Temp\pb2yy1gj.hdm\6301\jsc.exe
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5112

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 18
7⤵
- Runs ping.exe
PID:1096

C:\Program Files (x86)\My Program\atikmdag-patcher.exe
"C:\Program Files (x86)\My Program\atikmdag-patcher.exe"
3⤵
- Executes dropped EXE
PID:3844

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:1436

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Checks processor information in registry
- Modifies registry class
PID:232

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\My Program\atikmdag-patcher.exe
Filesize
90KB

MD5
ce53dcf26c43eb08e70e220bb69419f6

SHA1
fda92e8cbd1b37c9ed277190d70153ff73c6bc05

SHA256
575df9c65e0251572372226e6323068e2c17adbbcba91bb5adc22f2f653db7ba

SHA512
88f96ed7ed056aa49103ae331a928023463aa6e8f4548f8df2f9e4c7610a9f6d3cf12c5ccedc0ddd8c57e4a386e7236081c4b83d41702cfeebfc65ece286c47e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
def65711d78669d7f8e69313be4acf2e

SHA1
6522ebf1de09eeb981e270bd95114bc69a49cda6

SHA256
aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

SHA512
05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
0af652ef53919c92bebf5c0334707dcb

SHA1
c9a6203059a56c97a6e096ff7a34824b57929372

SHA256
d92974427922d977080fb6b3446fdd6ee2e287f257235ee9e3fec256e9bb2390

SHA512
844eb16224e87ef3203ec653d40263e42fbcaad72aa64c7f53fdd5839cbab2c92687e5d1c4b640cb15f28bef223fb66d7345464213e779d61cd69e51e83e7d1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
b681fcc329d0f3f2393b7e95cdc5e088

SHA1
5476c8660d81997cbc68e598eaa87db65ce0c171

SHA256
7b79dd1d02c1a6d577275069e015bc920ebffb9d38f6cb23029df59d434c1184

SHA512
8645f42e41531cf5455f6b886ae2d9a04d03adae2cbf6302078c3b2c251e3248a2e9a794a8548068cd28cad9982e8d27bb8b0118c3388e786ea9656a79d2211c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_27873\00000#Bite
Filesize
42KB

MD5
d745e133ff1ea1d217903c5aabef9637

SHA1
fef4d7c8dbe311bab2923b42ee1ac4a936f3f128

SHA256
e7407e177c0cba5540a496be92a1fd959e8f66f7d47a2bec13afda3a8ee8d1e5

SHA512
6ffec7da2a34b3cf114d8e3b1792dd81a7946aa604d04d63a073d84bfef78aff54a77e4e67d11fa576c4853d0f35ebc791008067302cb0ee60bc9b06c82ba331

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_27873\00001#Bulk
Filesize
101KB

MD5
71d2bf059a3f96ac434c840d2bd098d6

SHA1
69fd1a7862adc15bb123ee7f8095ee468dc8c93c

SHA256
7ec5b1b32de39bd974be6c9d61dcccbe1be62049dcc0852e7877cd2447824700

SHA512
1a5971054a49dba3c45d89c37c05ea748f0b8fb0983ef1f019a7cc20bd25cb480fc5c24e9ff5bff7e33ee078e83a8ee25090e46dc2766c90ec2b669a47fbe788

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_27873\00002#Dealers
Filesize
16KB

MD5
4673203f0d39b3248c6c7a2113b7aa04

SHA1
9d373531d1fa1628807eeb082723b0e50ed1af22

SHA256
056720e48ce001d91c3bbe91c99478d5436b268f893b663ce634a1d162653a65

SHA512
8b288c0e065e0b9593146af0781e1017b6a86619946240a54ec892af9757d86b79237414c193e90e7002f20a19fe63a612afc9fbe9797a4a818f4c680537e8a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_27873\00003#Detect
Filesize
126KB

MD5
e204dc973a685c24e25e00656b361d71

SHA1
dc9ad6d3fad85de04261a870684eb00256d873c0

SHA256
f0c9d7aa9dac185767070495cd426acbd9a102ae1ff4384eeb1e8ac9d52741c5

SHA512
0cc1601f66481b4544dec055ab83a6f3158a75e8286d6697675b5e4bd5872c5cf85d70b68c9da80d261bc9660e4d928a7a29fde19f5c881d5795aeb995fcbd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_27873\00004#Donor
Filesize
184KB

MD5
867084940a427d04c8ec9e3ad3452c57

SHA1
e1cdcb4bf61f501eb88e889145dee55251af2832

SHA256
15b4e96137175ddb6dde83c497b2733b8785ed0f681e3a423ed6e160c31ea5f3

SHA512
47c56e27e8b130aaa4e1dcb7bea70a47289f96a10d42de15611c748c6036b7f1112b94430dc6bcac35dc3966a0540f2a3919165aa29e05c5786bf5d3b8d89106

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_27873\00005#Japanese
Filesize
864KB

MD5
ca8044779d7a38f0e055575bce3915db

SHA1
6fbf28d82b94ecc4306b3c0455b26ace1fa4c9d1

SHA256
285fd523c84f7f1c7d9ff6acec417fa99db11fd7da303adb615a76ff7f77b08f

SHA512
38d89c7f12aee964c90b1e1baec7cd317db87b257cea56ed6760dbd4a486efffe43414c9339ad86a97a4bb881713df67ed7d8e06e07a1d4a2bc9069c44d1db19

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_27873\00006#Latinas
Filesize
169KB

MD5
9fed134ecc9779b8fbc2e4c450d4780a

SHA1
494132e19fe90148c50a8ae6e1958834196dde96

SHA256
a4f4edfea481a65f48759c0cec9e2b6a671ea0770a81fef5ed95dc833bc5e516

SHA512
ada6b494206d494b1d798260d5560371221af8f1671d3ece1cb6f5aac55e9cb25375cdf82c7497acb641bc8e2ee9fcde44f281fb4ec9fd3b0cc3ad18382dbae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_27873\00007#Previews
Filesize
14KB

MD5
d7004cd275de49047354e222cc4749eb

SHA1
ba509cced14ed2342fa508d6a1d2a67975e40cca

SHA256
34cd0a9546cbb3fb3623ee5d31d7ea62d8ea2e208a92738623519c440df96ec5

SHA512
2cb1dc35d28bb8178788608b65998a411df0cf887b2f6eac361aa74956e4c450f74c107068c40c2dbfeeeaad69bff2eb4f1924c0b960c0420c088f5e96bf96c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_27873\00008#Projectors
Filesize
112KB

MD5
6214213b79e139f48f78991499a57e2f

SHA1
4f7dfdc18fc5af6b7b895d2e640e6845d8f2a849

SHA256
2a8f6961e603942cabbd288d3e3344e146d99dae8322cc0299895598a7c845ea

SHA512
203d069011f8bc02a45fa7b9b697d1bc65e398d053f61ea5e54f8f3bc39110f6bcfc59cfb1aa6c5016b28e9d04ad5bc6604f83f787dba3a4be188b6bce8a2086

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_27873\00009#Qc
Filesize
137KB

MD5
2ca041e085ab05ca41fd963608d1ad6f

SHA1
a299f767f708ef3a48f871734f3102ef84674a22

SHA256
3be08d24d3c661c7a47d46f6f2de17151058c06deb5c631628111ce02aab1eb2

SHA512
34547b1ca8d9e4ddbc70dc3f34ff4458e4a4edb03a9d6bbad46e4f39bfb6129c60d1aa5b6faf9f08a72c41dd77e76602b9518b5c9d5f9ef18566c1dd450a457b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_27873\00010#Remember
Filesize
30KB

MD5
da686b91c847b7f336017736ae76fca3

SHA1
d59f5476406e3c54ceaf671b850382d61d30df85

SHA256
fec87bf98df248ea4f2143505dd95db512a6ff02f7ccd7444cdf9b3fb8aa8c27

SHA512
d2a9bfb4b3985fe0ea3a525152f48f43b2cfe9179904fb52f585e7e05dc41c1c697417062fcb05bfdbd0ce037a17d2e48917337ebea243609a75550883ada9ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_27873\00011#Without
Filesize
8KB

MD5
4bb7f019f8a94d595a113a8aeb9f163d

SHA1
530ca3ce5a0c7d17c392de34899b6391f81c0d2d

SHA256
4c198e6bababda389eba02f7f99fc6f4d067cfc29895c29ac1a47d7970daf52c

SHA512
429a8b9081abcb7214432a93eb4de7b706f4f9cb6a578cdb489ddf5c2806395fc0704eb7f35674976cc68dfa33318f32c4655b73b1a31e1e0e877c495b8c4bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_27873\Engine.exe
Filesize
1.3MB

MD5
e4656c54b03a03f816ab33101a324cdc

SHA1
48cd8d9c5a20d36362214d727e184fe4e0075d4f

SHA256
bb998a1e5e162c305a942ade944230c62b0e3bfe347a2a30c33af497109467ba

SHA512
c2980491ab8417feddb609391e14b8f662182f2ca28af47902b74687ac420d8fb2aee4ea9df858668a7affa03c799b2a478213d5629444e9276147096110f7ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_27873\Setup.txt
Filesize
2KB

MD5
9a612f8a07535018ef183eacdf492a6e

SHA1
a7c491b44dd5ffb3d507087e5e92719753409eec

SHA256
eb6da6d8064df193bbd10b96e292f11254a59bab18f6246bba83db3f9af9d0bb

SHA512
56b9a18c4b08fe3b7554f7ebb523aa755639f77d572b32fd72d72fa51cdb44d75813bf06512770730c71f004583ef8272a18415b6b97cda7b6eedba6d063b33e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_28484\00000#Am
Filesize
124KB

MD5
f76c4ad0cc42df6ccbcfedce064c3977

SHA1
e60c13ec874e02c085498d84a00c8e9e5d4dc64c

SHA256
8b70729d66c66eab88adb1473a7ec55bb529fa3a38fcb77ec16992b8b0de909f

SHA512
e5c537cfb3b38841d6ac7e176cfcef0bd2decd5993477d442b3caf27f174ad2b507d8469620ee8cb4849ada707be7ff24a1c75ef97e7330066006f32fe7b10e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_28484\00001#Cdna
Filesize
78KB

MD5
cb46fd6dfc98c4413b7e3f42b2e40db9

SHA1
429f5ee1ce87c7c51dcf2e762800c37b25e7bfaa

SHA256
42d0b452f48ded5a464bb8e55461f8c92f75d3b1e4a9e928dfdd99fb78915291

SHA512
3026c1b9521eab4a41eb4a2565d3dd69feef356b6fc5ba12385d929be05ea15ee8b4397b68cef5b052904f5ad7137d41833db25476c4df1f8aef71fbc60dcd62

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_28484\00002#Evaluate
Filesize
176KB

MD5
7961448ff6fac5cec81cf283350b9693

SHA1
a1fd5dd676a21c766be34926428d82aadf92a57f

SHA256
13a45d7ca1dd69876673e4c8d34ac62c4de37e36c3a769ce286d2f5a6815b540

SHA512
2ccda81cbfdaf24d6173eaf92ba3f8d5f0ed5dfa8489f045d0caea2b9395c304e53b8e9113ce5b3e85ddfa3e11baeda9754ff5c038ded7aa6165c6af271e734b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_28484\00003#Magnitude
Filesize
115KB

MD5
5d613730feddd5c253e252787802e92e

SHA1
17e8fa0f261b20c98044ac38d1237a691a6c0217

SHA256
d1886b9c29cde06fb672a9b7e96f0354b5a49edbac96d372553a78c3205ecc70

SHA512
89e7d2eb6ff2883f2a0a04fb8526698765b861929833e9bb508cf3f03223fad2ef1bce4b5be2ac009a245d2e420e6c7760eeb5e46c43948bc38b766e22867c8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_28484\00004#Precisely
Filesize
13KB

MD5
99957525701ee08ae59bf996215f63d1

SHA1
e6a64934ac9668484099dcc14ff1891f9fe6e264

SHA256
a5c0229284989a4f6976470f788be59586b58bbd5ca25e21a90a29d0f7331158

SHA512
04eeef1a0d018c1fc01ddd1a6d7247395a86317b19e527ea16656028ceb2b5bf5d59331cc0414c23ea370903f92d6df46af22fe8bdcdb4af0f3025708c84654d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_28484\00005#Preference
Filesize
195KB

MD5
0d41524b6be8cd69bba4714a7c25a76f

SHA1
5bbaaf84fe22cdc67c9b69777ecdfeb94fd6a0ef

SHA256
a10572ef89db5443fb9828a80a5226d06e3d70b9aa358ca042d006d4cad15ae0

SHA512
285c46356f946e35cc0cf28a3148dbd3e2f5f19764449407da041f756f0c9c4f5a928727eabecda87eeeb8b403d20a584a214e1dc67c44cac8c94691af48c008

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_28484\00006#Remind
Filesize
46KB

MD5
3c09c4617a836187b3d34b1f730f8fb8

SHA1
10fb6f8459e094f7523d43cb275112bc2e3378d1

SHA256
0f55c8546a6389cd710eb3d54d74997eef8822f72d845988c7b422ec89891044

SHA512
2113a0028a2814f926ea937a5139c96de6603e68bfdc293f5e58a0e7a297db9a3502ef121b7fce08644b144156ec0ae59e677896e45d7e4a35182a991729ebd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_28484\00007#Summer
Filesize
1014KB

MD5
1073797e74a5c605496f0dce3a83f4e3

SHA1
e506feed4b7d2b82f1ce9237d4285537f8af85f1

SHA256
2f9dede430c44d89ca8d7af68bd449907d16c4b58f6b9a9ad4b128e1f80ec0b7

SHA512
4471023b29d0712f29e2fda3cec410138ecc3c618d68c600390367917651ed6cacc54ab5d07ac03f61b29245496524f976580394633508608a734102c30938b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_28484\00008#Threats
Filesize
191KB

MD5
200190a98d6e54c4dc55a7b404fd4773

SHA1
877a800165fa7c7693d843dd33f557fc28f7981b

SHA256
13c8f82b7c683e999315ac67147e4bab1e5916f731ae074b849624c2375cb17d

SHA512
9ffe91e7fda076c53b64c44deacc4f97e9261638d29f7fe710f8af5e9d06ec3bc8f2dd911839f0d8fe71327a57014c18092b231a9334c6842514bb9c58df24da

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_28484\Modern_Icon.bmp
Filesize
7KB

MD5
1dd88f67f029710d5c5858a6293a93f1

SHA1
3e5ef66613415fe9467b2a24ccc27d8f997e7df6

SHA256
b5dad33ceb6eb1ac2a05fbda76e29a73038403939218a88367925c3a20c05532

SHA512
7071fd64038e0058c8c586c63c62677c0ca403768100f90323cf9c0bc7b7fcb538391e6f3606bd7970b8769445606ada47adcdcfc1e991e25caf272a13e10c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_28484\Setup.txt
Filesize
2KB

MD5
f617390b2c5758f04d4a37a5bdffbd9f

SHA1
ca1d0b150b53f783977736957a5ef5fa90103e76

SHA256
9850c9b21db66d62852b643008360a6eb919f6eac1d95d7f226d7915065733c4

SHA512
eaef590a298855ee95aab685db2bc4ede3689c7379c2c9d4e9ca92dfee2b6c6461fbd4f3c181effb95103a9997287d784c4b90f9e01f9787d8ee8858e6450c8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wk3ozaah.xho.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pb2yy1gj.hdm\6301\jsc.exe
Filesize
46KB

MD5
94c8e57a80dfca2482dedb87b93d4fd9

SHA1
5729e6c7d2f5ab760f0093b9d44f8ac0f876a803

SHA256
39e87f0edcdd15582cfefdfab1975aadd2c7ca1e3a5f07b1146ce3206f401bb5

SHA512
1798a3607b2b94732b52de51d2748c86f9453343b6d8a417e98e65ddb38e9198cdcb2f45bf60823cb429b312466b28c5103c7588f2c4ef69fa27bfdb4f4c67dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\pb2yy1gj.hdm\Perfectly
Filesize
925KB

MD5
96c7e45224eddbf2506ae92e05271f63

SHA1
b5c53b0c7a054ddd8d64d2386fbe7b09cc134a60

SHA256
3160fc1f9fbddef89d10e61bd365494e98f3134755052cdc476bfe08ab2fc5a9

SHA512
aab9f6e4695fd52658bb10ed0515762a6c7439137db23bfe4a9e96d11d9feb76583d5dd4301be0dea30498448c3d2f9ea59fbe4bdf9660c4647917464036b321

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjgddm1j.wap\6301\We.exe.pif
Filesize
925KB

MD5
0162a97ed477353bc35776a7addffd5c

SHA1
10db8fe20bbce0f10517c510ec73532cf6feb227

SHA256
15600ccdef5a64b40d206d89234a51be1e11bd878dcefc5986590bcf40d9d571

SHA512
9638cab1aabe78c22a3d3528a391544f697d792640d831516b63fa52c393ee96bb588223e70163d059208cc5a14481c5ff7ef6ba9ac572322798a823d67f01f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjgddm1j.wap\Cvs
Filesize
925KB

MD5
2cb7b11498cc0b9a1716421fb750b7d7

SHA1
a83b8234982e4f61cd790afd11600722effd2913

SHA256
8739e5961aa2bd418f3ba1bf18094a71e54a39fce3f4ca9a8250497f06330839

SHA512
93b6b187eccceb0cb8e77f2a928921fc05e4702f443b07c6db7434e7569c073e414472351509bcaf29bc566fe6afdcb47ea939d5ab94bdc0d878cdab3dd27095

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini
Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
C:\Windows\SysWOW64\YrEQwtM.exe
Filesize
1.6MB

MD5
30fbbe1cdb80353c52e94025b9b29adc

SHA1
197778bca2ee774ef9878ac029c25174ee8a2da2

SHA256
8f31f716bc730e199bf246f9e5e5ee515ca81f4978502acc53e18c84b0ec5e06

SHA512
c6681e4af9b8f10899ee2a80544bd12c4ebf1769849203dbd40addffbb8b1696fda08df53fa7b212594850b44ea8dc74eb2fca6048da5bb98c8cc01cb94f8a64

Download Submit
C:\Windows\SysWOW64\hBZdvpB.exe
Filesize
1.4MB

MD5
37d6e901673da6b0ef2c6c574c3c1f7f

SHA1
fa2984c651e8f1f4ce61e78985d16ce353e05536

SHA256
f982f32f61f6d8960ff0e71e552862c7ccb6e17fefbb68cfb8473fbc5f020d42

SHA512
27147c600407d9bc30d65ddb30cf5e668883f4c80b354b5d4f77d5ee22c149ef4abb4453435ef3587b0a4475207d33841fea0dd226a94b6675944706f08534b9

Download Submit
memory/400-3-0x0000000000400000-0x0000000000711000-memory.dmp

Filesize
3.1MB

Download
memory/400-0-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/1332-135-0x0000000005520000-0x0000000005874000-memory.dmp

Filesize
3.3MB

Download
memory/2616-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2616-132-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3012-4-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/3012-23-0x0000000000400000-0x0000000000711000-memory.dmp

Filesize
3.1MB

Download
memory/3664-174-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/3664-193-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/3768-102-0x0000000004CF0000-0x0000000004D12000-memory.dmp

Filesize
136KB

Download
memory/3768-125-0x0000000005CF0000-0x0000000005D3C000-memory.dmp

Filesize
304KB

Download
memory/3768-129-0x0000000007280000-0x0000000007824000-memory.dmp

Filesize
5.6MB

Download
memory/3768-123-0x0000000005740000-0x0000000005A94000-memory.dmp

Filesize
3.3MB

Download
memory/4224-209-0x0000000007F30000-0x0000000007F7C000-memory.dmp

Filesize
304KB

Download
memory/4224-208-0x0000000007E20000-0x0000000007F2A000-memory.dmp

Filesize
1.0MB

Download
memory/4224-207-0x00000000082A0000-0x00000000088B8000-memory.dmp

Filesize
6.1MB

Download
memory/4224-203-0x0000000001360000-0x0000000001388000-memory.dmp

Filesize
160KB

Download
memory/4324-133-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4324-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4652-173-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/4652-192-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/4952-124-0x0000000006610000-0x000000000662E000-memory.dmp

Filesize
120KB

Download
memory/4952-101-0x0000000005870000-0x0000000005E98000-memory.dmp

Filesize
6.2MB

Download
memory/4952-100-0x0000000002D00000-0x0000000002D36000-memory.dmp

Filesize
216KB

Download
memory/4952-103-0x0000000005F40000-0x0000000005FA6000-memory.dmp

Filesize
408KB

Download
memory/4952-104-0x0000000005FB0000-0x0000000006016000-memory.dmp

Filesize
408KB

Download
memory/4952-127-0x0000000006B20000-0x0000000006B3A000-memory.dmp

Filesize
104KB

Download
memory/4952-128-0x0000000006B70000-0x0000000006B92000-memory.dmp

Filesize
136KB

Download
memory/4952-126-0x00000000077C0000-0x0000000007856000-memory.dmp

Filesize
600KB

Download
memory/5112-187-0x0000000004C60000-0x0000000004CF2000-memory.dmp

Filesize
584KB

Download
memory/5112-188-0x0000000005920000-0x0000000005932000-memory.dmp

Filesize
72KB

Download
memory/5112-189-0x0000000005FA0000-0x0000000005FDC000-memory.dmp

Filesize
240KB

Download
memory/5112-191-0x0000000006310000-0x000000000631A000-memory.dmp

Filesize
40KB

Download
memory/5112-181-0x00000000003B0000-0x00000000003FE000-memory.dmp

Filesize
312KB

Download