Analysis

  • max time kernel
    7s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    19-06-2024 13:48

General

  • Target

    c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe

  • Size

    2.4MB

  • MD5

    c1779426d93c21f8a8225ae0771a41c0

  • SHA1

    3f6db29296d972691a377d1ca600dad1934a6ffb

  • SHA256

    5b6ddc64b4f2d59e0d119fc8790852b47dc0b7c2f17da35ac540a512a70f529c

  • SHA512

    b22ee5dd946bb6317cbbade882ea2d78ef5d9a7300707fcb2aa6ffd1f2e389f32e7dbf0b3de6e984f9b2cddafb11bd1635538cc31d21f8a045b778db2af058e8

  • SSDEEP

    49152:UHyjtk2MYC5GDNHyjtk2MYC5GDJHyjtk2MYC5GDHnanWn9:Umtk2asmtk2aImtk2aInanWn9

Malware Config

Signatures

  • Detect Neshta payload 64 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

  • Executes dropped EXE 38 IoCs
  • Loads dropped DLL 64 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 6 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 42 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2844
    • C:\Users\Admin\AppData\Local\Temp\3582-490\c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1284
      • C:\Users\Admin\AppData\Local\Temp\._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2636
        • C:\Windows\svchost.com
          "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Windows directory
          • Suspicious use of WriteProcessMemory
          PID:2576
          • C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
            C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:2448
            • C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
              "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
              6⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of WriteProcessMemory
              PID:3004
              • C:\Windows\svchost.com
                "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\._cache__CACHE~1.EXE"
                7⤵
                • Executes dropped EXE
                • Drops file in Windows directory
                PID:2692
            • C:\ProgramData\Synaptics\Synaptics.exe
              "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:2772
              • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
                "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
                7⤵
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of WriteProcessMemory
                PID:1692
                • C:\Windows\svchost.com
                  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
                  8⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in Windows directory
                  • Suspicious use of WriteProcessMemory
                  PID:580
                  • C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
                    C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
                    9⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Adds Run key to start application
                    PID:560
                    • C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
                      "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
                      10⤵
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      PID:2152
                      • C:\Windows\svchost.com
                        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
                        11⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Drops file in Windows directory
                        PID:900
                        • C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
                          C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
                          12⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Adds Run key to start application
                          PID:1888
                          • C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
                            "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
                            13⤵
                            • Executes dropped EXE
                            • Drops file in Windows directory
                            PID:2856
                            • C:\Windows\svchost.com
                              "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
                              14⤵
                              • Executes dropped EXE
                              • Drops file in Windows directory
                              PID:2496
                              • C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
                                C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
                                15⤵
                                • Executes dropped EXE
                                PID:2788
                          • C:\ProgramData\Synaptics\Synaptics.exe
                            "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
                            13⤵
                            • Executes dropped EXE
                            PID:2456
                            • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
                              "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
                              14⤵
                                PID:580
                                • C:\Windows\svchost.com
                                  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate
                                  15⤵
                                    PID:320
                                    • C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
                                      C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate
                                      16⤵
                                        PID:768
                                        • C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE
                                          "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE" InjUpdate
                                          17⤵
                                            PID:840
                                            • C:\Windows\svchost.com
                                              "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
                                              18⤵
                                                PID:2152
                                                • C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
                                                  C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
                                                  19⤵
                                                    PID:2744
                                                    • C:\Users\Admin\AppData\Local\Temp\._cache__C578E~1.EXE
                                                      "C:\Users\Admin\AppData\Local\Temp\._cache__C578E~1.EXE" InjUpdate
                                                      20⤵
                                                        PID:2412
                                                        • C:\Windows\svchost.com
                                                          "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C6820~1.EXE" InjUpdate
                                                          21⤵
                                                            PID:1240
                                                            • C:\Users\Admin\AppData\Local\Temp\3582-490\_C6820~1.EXE
                                                              C:\Users\Admin\AppData\Local\Temp\3582-490\_C6820~1.EXE InjUpdate
                                                              22⤵
                                                                PID:2056
                                      • C:\ProgramData\Synaptics\Synaptics.exe
                                        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
                                        10⤵
                                        • Executes dropped EXE
                                        • Loads dropped DLL
                                        PID:804
                                        • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
                                          "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
                                          11⤵
                                          • Executes dropped EXE
                                          • Drops file in Windows directory
                                          PID:2708
                                          • C:\Windows\svchost.com
                                            "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate
                                            12⤵
                                            • Executes dropped EXE
                                            • Drops file in Program Files directory
                                            • Drops file in Windows directory
                                            PID:1984
                                            • C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
                                              C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate
                                              13⤵
                                              • Executes dropped EXE
                                              PID:2924
                                              • C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE
                                                "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE" InjUpdate
                                                14⤵
                                                  PID:2228
                                                  • C:\Windows\svchost.com
                                                    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
                                                    15⤵
                                                      PID:2352
                                                      • C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
                                                        C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
                                                        16⤵
                                                          PID:2544
                                                          • C:\Users\Admin\AppData\Local\Temp\._cache__C578E~1.EXE
                                                            "C:\Users\Admin\AppData\Local\Temp\._cache__C578E~1.EXE" InjUpdate
                                                            17⤵
                                                              PID:2408
                                                              • C:\Windows\svchost.com
                                                                "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C6820~1.EXE" InjUpdate
                                                                18⤵
                                                                  PID:3004
                                                                  • C:\Users\Admin\AppData\Local\Temp\3582-490\_C6820~1.EXE
                                                                    C:\Users\Admin\AppData\Local\Temp\3582-490\_C6820~1.EXE InjUpdate
                                                                    19⤵
                                                                      PID:1548
                                    • C:\ProgramData\Synaptics\Synaptics.exe
                                      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
                                      3⤵
                                      • Executes dropped EXE
                                      • Loads dropped DLL
                                      • Suspicious use of WriteProcessMemory
                                      PID:2512
                                      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
                                        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
                                        4⤵
                                        • Executes dropped EXE
                                        • Drops file in Windows directory
                                        • Suspicious use of WriteProcessMemory
                                        PID:1648
                                        • C:\Windows\svchost.com
                                          "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
                                          5⤵
                                          • Executes dropped EXE
                                          • Loads dropped DLL
                                          • Drops file in Windows directory
                                          • Suspicious use of WriteProcessMemory
                                          PID:2832
                                          • C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
                                            C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
                                            6⤵
                                            • Executes dropped EXE
                                            • Loads dropped DLL
                                            • Adds Run key to start application
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            • Suspicious use of WriteProcessMemory
                                            PID:832
                                            • C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
                                              "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
                                              7⤵
                                              • Executes dropped EXE
                                              • Drops file in Windows directory
                                              • Suspicious use of WriteProcessMemory
                                              PID:1776
                                              • C:\Windows\svchost.com
                                                "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
                                                8⤵
                                                • Executes dropped EXE
                                                • Loads dropped DLL
                                                • Drops file in Windows directory
                                                PID:1144
                                                • C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
                                                  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
                                                  9⤵
                                                  • Executes dropped EXE
                                                  • Loads dropped DLL
                                                  • Adds Run key to start application
                                                  PID:2016
                                                  • C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
                                                    "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
                                                    10⤵
                                                    • Executes dropped EXE
                                                    • Loads dropped DLL
                                                    • Drops file in Windows directory
                                                    PID:2648
                                                    • C:\Windows\svchost.com
                                                      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
                                                      11⤵
                                                      • Executes dropped EXE
                                                      • Loads dropped DLL
                                                      • Drops file in Windows directory
                                                      PID:1192
                                                      • C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
                                                        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
                                                        12⤵
                                                        • Executes dropped EXE
                                                        PID:1292
                                                  • C:\ProgramData\Synaptics\Synaptics.exe
                                                    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
                                                    10⤵
                                                    • Executes dropped EXE
                                                    PID:2692
                                                    • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
                                                      11⤵
                                                        PID:1152
                                                        • C:\Windows\svchost.com
                                                          "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate
                                                          12⤵
                                                            PID:988
                                                            • C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
                                                              C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate
                                                              13⤵
                                                                PID:1396
                                                                • C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE
                                                                  "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE" InjUpdate
                                                                  14⤵
                                                                    PID:312
                                                                    • C:\Windows\svchost.com
                                                                      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
                                                                      15⤵
                                                                        PID:2136
                                                                        • C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
                                                                          C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
                                                                          16⤵
                                                                            PID:1156
                                                                            • C:\Users\Admin\AppData\Local\Temp\._cache__C578E~1.EXE
                                                                              "C:\Users\Admin\AppData\Local\Temp\._cache__C578E~1.EXE" InjUpdate
                                                                              17⤵
                                                                                PID:2320
                                                                                • C:\Windows\svchost.com
                                                                                  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C6820~1.EXE" InjUpdate
                                                                                  18⤵
                                                                                    PID:1912
                                                                                    • C:\Users\Admin\AppData\Local\Temp\3582-490\_C6820~1.EXE
                                                                                      C:\Users\Admin\AppData\Local\Temp\3582-490\_C6820~1.EXE InjUpdate
                                                                                      19⤵
                                                                                        PID:1256
                                                              • C:\ProgramData\Synaptics\Synaptics.exe
                                                                "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
                                                                7⤵
                                                                • Executes dropped EXE
                                                                PID:1864
                                                              • C:\Windows\svchost.com
                                                                "C:\Windows\svchost.com" "C:\PROGRA~3\SYNAPT~1\SYNAPT~1.EXE" InjUpdate
                                                                7⤵
                                                                • Executes dropped EXE
                                                                • Loads dropped DLL
                                                                • Drops file in Windows directory
                                                                PID:692
                                                                • C:\PROGRA~3\SYNAPT~1\SYNAPT~1.EXE
                                                                  C:\PROGRA~3\SYNAPT~1\SYNAPT~1.EXE InjUpdate
                                                                  8⤵
                                                                  • Executes dropped EXE
                                                                  • Loads dropped DLL
                                                                  PID:1600
                                                                  • C:\Users\Admin\AppData\Local\Temp\._cache_SYNAPT~1.EXE
                                                                    "C:\Users\Admin\AppData\Local\Temp\._cache_SYNAPT~1.EXE" InjUpdate
                                                                    9⤵
                                                                    • Executes dropped EXE
                                                                    • Loads dropped DLL
                                                                    • Drops file in Windows directory
                                                                    PID:2756
                                                                    • C:\Windows\svchost.com
                                                                      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate
                                                                      10⤵
                                                                      • Executes dropped EXE
                                                                      • Loads dropped DLL
                                                                      • Drops file in Windows directory
                                                                      PID:1932
                                                                      • C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
                                                                        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate
                                                                        11⤵
                                                                        • Executes dropped EXE
                                                                        PID:1928
                                                                        • C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE
                                                                          "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate
                                                                          12⤵
                                                                            PID:576
                                                                            • C:\Windows\svchost.com
                                                                              "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C1267~1.EXE" InjUpdate
                                                                              13⤵
                                                                                PID:2872
                                                                                • C:\Users\Admin\AppData\Local\Temp\3582-490\_C1267~1.EXE
                                                                                  C:\Users\Admin\AppData\Local\Temp\3582-490\_C1267~1.EXE InjUpdate
                                                                                  14⤵
                                                                                    PID:1676
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1448
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • Enumerates system info in registry
    • Suspicious use of SetWindowsHookEx
    PID:2932

                                                        Network

                                                        MITRE ATT&CK Matrix (ATT&CK v13)

                                                        Persistence
                                                        • Event Triggered Execution: 1 (T1546)
                                                          • Change Default File Association: 1 (T1546.001)
                                                        • Boot or Logon Autostart Execution: 1 (T1547)
                                                          • Registry Run Keys / Startup Folder: 1 (T1547.001)

                                                        Privilege Escalation
                                                        • Event Triggered Execution: 1 (T1546)
                                                          • Change Default File Association: 1 (T1546.001)
                                                        • Boot or Logon Autostart Execution: 1 (T1547)
                                                          • Registry Run Keys / Startup Folder: 1 (T1547.001)

                                                        Defense Evasion
                                                        • Modify Registry: 3 (T1112)

                                                        Credential Access
                                                        • Unsecured Credentials: 1 (T1552)
                                                          • Credentials In Files: 1 (T1552.001)

                                                        Discovery
                                                        • System Information Discovery: 2 (T1082)
                                                        • Query Registry: 1 (T1012)

                                                        Collection
                                                        • Data from Local System: 1 (T1005)


                                                        Downloads


                                                          108KB

                                                        • memory/1284-9-0x0000000000220000-0x0000000000221000-memory.dmp
                                                          Filesize

                                                          4KB

                                                        • memory/1284-60-0x0000000000400000-0x000000000066E000-memory.dmp
                                                          Filesize

                                                          2.4MB

                                                        • memory/1396-437-0x0000000000400000-0x00000000005A8000-memory.dmp
                                                          Filesize

                                                          1.7MB

                                                        • memory/1448-222-0x000000005FFF0000-0x0000000060000000-memory.dmp
                                                          Filesize

                                                          64KB

                                                        • memory/1600-309-0x0000000000400000-0x00000000005A8000-memory.dmp
                                                          Filesize

                                                          1.7MB

                                                        • memory/1648-117-0x0000000000400000-0x000000000041B000-memory.dmp
                                                          Filesize

                                                          108KB

                                                        • memory/1692-144-0x0000000000400000-0x000000000041B000-memory.dmp
                                                          Filesize

                                                          108KB

                                                        • memory/1776-149-0x0000000000400000-0x000000000041B000-memory.dmp
                                                          Filesize

                                                          108KB

                                                        • memory/1888-242-0x0000000000400000-0x00000000004E1000-memory.dmp
                                                          Filesize

                                                          900KB

                                                        • memory/1912-414-0x0000000000400000-0x000000000041B000-memory.dmp
                                                          Filesize

                                                          108KB

                                                        • memory/1928-434-0x0000000000400000-0x00000000004E1000-memory.dmp
                                                          Filesize

                                                          900KB

                                                        • memory/1932-315-0x0000000000400000-0x000000000041B000-memory.dmp
                                                          Filesize

                                                          108KB

                                                        • memory/1984-325-0x0000000000400000-0x000000000041B000-memory.dmp
                                                          Filesize

                                                          108KB

                                                        • memory/2016-298-0x0000000000400000-0x00000000004E1000-memory.dmp
                                                          Filesize

                                                          900KB

                                                        • memory/2136-383-0x0000000000400000-0x000000000041B000-memory.dmp
                                                          Filesize

                                                          108KB

                                                        • memory/2152-218-0x0000000000400000-0x000000000041B000-memory.dmp
                                                          Filesize

                                                          108KB

                                                        • memory/2152-397-0x0000000000400000-0x000000000041B000-memory.dmp
                                                          Filesize

                                                          108KB

                                                        • memory/2228-370-0x0000000000400000-0x000000000041B000-memory.dmp
                                                          Filesize

                                                          108KB

                                                        • memory/2320-403-0x0000000000400000-0x000000000041B000-memory.dmp
                                                          Filesize

                                                          108KB

                                                        • memory/2352-384-0x0000000000400000-0x000000000041B000-memory.dmp
                                                          Filesize

                                                          108KB

                                                        • memory/2408-401-0x0000000000400000-0x000000000041B000-memory.dmp
                                                          Filesize

                                                          108KB

                                                        • memory/2412-423-0x0000000000400000-0x000000000041B000-memory.dmp
                                                          Filesize

                                                          108KB

                                                        • memory/2448-83-0x0000000000400000-0x00000000005A8000-memory.dmp
                                                          Filesize

                                                          1.7MB

                                                        • memory/2456-432-0x0000000000400000-0x00000000005A8000-memory.dmp
                                                          Filesize

                                                          1.7MB

                                                        • memory/2496-300-0x0000000000400000-0x000000000041B000-memory.dmp
                                                          Filesize

                                                          108KB

                                                        • memory/2512-145-0x0000000000400000-0x000000000066E000-memory.dmp
                                                          Filesize

                                                          2.4MB

                                                        • memory/2544-440-0x0000000000400000-0x00000000004E1000-memory.dmp
                                                          Filesize

                                                          900KB

                                                        • memory/2576-63-0x0000000000400000-0x000000000041B000-memory.dmp
                                                          Filesize

                                                          108KB

                                                        • memory/2636-425-0x0000000000400000-0x000000000041B000-memory.dmp
                                                          Filesize

                                                          108KB

                                                        • memory/2636-442-0x0000000000400000-0x000000000041B000-memory.dmp
                                                          Filesize

                                                          108KB

                                                        • memory/2648-283-0x0000000000400000-0x000000000041B000-memory.dmp
                                                          Filesize

                                                          108KB

                                                        • memory/2692-433-0x0000000000400000-0x00000000005A8000-memory.dmp
                                                          Filesize

                                                          1.7MB

                                                        • memory/2692-105-0x0000000000400000-0x000000000041B000-memory.dmp
                                                          Filesize

                                                          108KB

                                                        • memory/2708-317-0x0000000000400000-0x000000000041B000-memory.dmp
                                                          Filesize

                                                          108KB

                                                        • memory/2744-439-0x0000000000400000-0x00000000004E1000-memory.dmp
                                                          Filesize

                                                          900KB

                                                        • memory/2756-280-0x0000000000400000-0x000000000041B000-memory.dmp
                                                          Filesize

                                                          108KB

                                                        • memory/2772-148-0x0000000000400000-0x000000000066E000-memory.dmp
                                                          Filesize

                                                          2.4MB

                                                        • memory/2832-138-0x0000000000400000-0x000000000041B000-memory.dmp
                                                          Filesize

                                                          108KB

                                                        • memory/2844-424-0x0000000000400000-0x000000000041B000-memory.dmp
                                                          Filesize

                                                          108KB

                                                        • memory/2844-441-0x0000000000400000-0x000000000041B000-memory.dmp
                                                          Filesize

                                                          108KB

                                                        • memory/2856-291-0x0000000000400000-0x000000000041B000-memory.dmp
                                                          Filesize

                                                          108KB

                                                        • memory/2872-357-0x0000000000400000-0x000000000041B000-memory.dmp
                                                          Filesize

                                                          108KB

                                                        • memory/2924-435-0x0000000000400000-0x00000000005A8000-memory.dmp
                                                          Filesize

                                                          1.7MB

                                                        • memory/3004-97-0x0000000000400000-0x000000000041B000-memory.dmp
                                                          Filesize

                                                          108KB

                                                        • memory/3004-415-0x0000000000400000-0x000000000041B000-memory.dmp
                                                          Filesize

                                                          108KB