Analysis

  • max time kernel
    389s
  • max time network
    392s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64 arch:x86 image:win10-20220812-en locale:en-us os:windows10-1703-x64 system
  • submitted
    09-09-2022 16:45

General

  • Target

    Multiple_Roblox.exe

  • Size

    1.1MB

  • MD5

    e9394b5a2bb4c120ddc7d3b5c93d9d37

  • SHA1

    057cddd651d813b8aa2cac6e75362d689971c1c0

  • SHA256

    859923d0cc1ba9258c4409fd194d6f166c23b988a9d4a490d3f14d9dcb74f353

  • SHA512

    6b235767a5c464b34c5cdf4aaead6388571f9cfe16c464372b2f9635d5e19bae2a7ccc8a77cf04d81518afbe2e4120b942ce881d2e207b03a3b13f724f03eec0

  • SSDEEP

    6144:ICVrw4RVJsp0oFP+dkM+i1g0UkCVrw4RVJsp0oFP+dkM+i1g0UdCVrw4RAJsp0oV:IgWCEEgWCE9gnCE

Malware Config

Extracted

Path

C:\Program Files\WinRAR\Rar.txt

Ransom Note
User's Manual ~~~~~~~~~~~~~ RAR 6.11 console version ~~~~~~~~~~~~~~~~~~~~~~~~ =-=-=-=-=-=-=-=-=-=-=-=-=-=- Welcome to the RAR Archiver! -=-=-=-=-=-=-=-=-=-=-=-=-=-= Introduction ~~~~~~~~~~~~ RAR is a console application allowing to manage archive files in command line mode. RAR provides compression, encryption, data recovery and many other functions described in this manual. RAR supports only RAR format archives, which have .rar file name extension by default. ZIP and other formats are not supported. Even if you specify .zip extension when creating an archive, it will still be in RAR format. Windows users may install WinRAR, which supports more archive types including RAR and ZIP formats. WinRAR provides both graphical user interface and command line mode. While console RAR and GUI WinRAR have the similar command line syntax, some differences exist. So it is recommended to use this rar.txt manual for console RAR (rar.exe in case of Windows version) and winrar.chm WinRAR help file for GUI WinRAR (winrar.exe). Configuration file ~~~~~~~~~~~~~~~~~~ RAR and UnRAR for Unix read configuration information from .rarrc file in a user's home directory (stored in HOME environment variable) or in /etc directory. RAR and UnRAR for Windows read configuration information from rar.ini file, placed in the same directory as the rar.exe file. This file can contain the following string: switches=<any RAR switches separated by spaces> For example: switches=-m5 -s It is also possible to specify separate switch sets for individual RAR commands using the following syntax: switches_<command>=<any RAR switches separated by spaces> For example: switches_a=-m5 -s switches_x=-o+ Environment variable ~~~~~~~~~~~~~~~~~~~~ Default parameters may be added to the RAR command line by establishing an environment variable "RAR". 
For instance, in Unix following lines may be added to your profile: RAR='-s -md1024' export RAR RAR will use this string as default parameters in the command line and will create "solid" archives with 1024 MB sliding dictionary size. RAR handles options with priority as following: command line switches highest priority switches in the RAR variable lower priority switches saved in configuration file lowest priority Log file ~~~~~~~~ If switch -ilog is specified in the command line or configuration file, RAR will write informational messages about errors encountered while processing archives into a log file. Read the switch -ilog description for more details. The file order list for solid archiving - rarfiles.lst ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ rarfiles.lst contains a user-defined file list, which tells RAR the order in which to add files to a solid archive. It may contain file names, wildcards and special entry - $default. The default entry defines the place in order list for files not matched with other entries in this file. The comment character is ';'. In Windows this file should be placed in the same directory as RAR or in %APPDATA%\WinRAR directory, in Unix - to the user's home directory or in /etc. Tips to provide improved compression and speed of operation: - similar files should be grouped together in the archive; - frequently accessed files should be placed at the beginning. Normally masks placed nearer to the top of list have a higher priority, but there is an exception from this rule. If rarfiles.lst contains such two masks that all files matched by one mask are also matched by another, that mask which matches a smaller subset of file names will have higher priority regardless of its position in the list. For example, if you have *.cpp and f*.cpp masks, f*.cpp has a higher priority, so the position of 'filename.cpp' will be chosen according to 'f*.cpp', not '*.cpp'. 
RAR command line syntax ~~~~~~~~~~~~~~~~~~~~~~~ Syntax RAR <command> [ -<switches> ] <archive> [ <@listfiles...> ] [ <files...> ] [ <path_to_extract\> ] Description Command is a single character or string specifying an action to be performed by RAR. Switches are designed to modify the way RAR performs such action. Other parameters are archive name and files to be archived or extracted. Listfiles are plain text files containing names of files to process. File names must start at the first column. It is possible to put comments to the listfile after // characters. For example, you can create backup.lst containing the following strings: c:\work\doc\*.txt //backup text documents c:\work\image\*.bmp //backup pictures c:\work\misc and then run: rar a backup @backup.lst If you wish to read file names from stdin (standard input), specify the empty listfile name (just @). By default, console RAR uses the single byte encoding in list files, but it can be redefined with -sc<charset>l switch. You can specify both usual file names and list files in the same command line. If neither files nor listfiles are specified, then *.* is implied and RAR will process all files. path_to_extract includes the destination directory name followed by a path separator character. For example, it can be c:\dest\ in Windows or data/ in Unix. It specifies the directory to place extracted files in 'x' and 'e' commands. This directory is created by RAR if it does not exist yet. Alternatively it can be set with -op<path> switch. Many RAR commands, such as extraction, test or list, allow to use wildcards in archive name. If no extension is specified in archive mask, RAR assumes .rar, so * means all archives with .rar extension. If you need to process all archives without extension, use *. mask. *.* mask selects all files. Wildcards in archive name are not allowed when archiving and deleting. 
In Unix you need to enclose RAR command line parameters containing wildcards in single or double quotes to prevent their expansion by Unix shell. For example, this command will extract *.asm files from all *.rar archives in current directory: rar e '*.rar' '*.asm' Command could be any of the following: a Add files to archive. Examples: 1) add all *.hlp files from the current directory to the archive help.rar: rar a help *.hlp 2) archive all files from the current directory and subdirectories to 362000 bytes size solid, self-extracting volumes and add the recovery record to each volume: rar a -r -v362 -s -sfx -rr save Because no file names are specified, all files (*) are assumed. 3) as a special exception, if directory name is specified as an argument and if directory name does not include file masks and trailing path separator, the entire contents of the directory and all subdirectories will be added to the archive even if switch -r is not specified. The following command will add all files from the directory Bitmaps and its subdirectories to the RAR archive Pictures.rar: rar a Pictures.rar Bitmaps 4) if directory name includes the trailing path separator, normal rules apply and you need to specify switch -r to process its subdirectories. The following command will add all files from directory Bitmaps, but not from its subdirectories, because switch -r is not specified: rar a Pictures.rar Bitmaps\* c Add archive comment. Comments are displayed while the archive is being processed. Comment length is limited to 256 KB. Examples: rar c distrib.rar Also comments may be added from a file using -z[file] switch. The following command adds a comment from info.txt file: rar c -zinfo.txt dummy ch Change archive parameters. This command can be used with most of archive modification switches to modify archive parameters. It is especially convenient for switches like -cl, -cu, -tl, which do not have a dedicated command. 
It is not able to recompress, encrypt or decrypt archive data and it cannot merge or create volumes. If used without any switches, 'ch' command just copies the archive data without modification. Example: Set archive time to latest file: rar ch -tl files.rar cw Write archive comment to specified file. Format of output file depends on -sc switch. If output file name is not specified, comment data will be sent to stdout. Examples: 1) rar cw arc comment.txt 2) rar cw -scuc arc unicode.txt 3) rar cw arc d Delete files from archive. If this command removes all files from archive, the empty archive is removed. e Extract files without archived paths. Extract files excluding their path component, so all files are created in the same destination directory. Use 'x' command if you wish to extract full pathnames. Example: rar e -or html.rar *.css css\ extract all *.css files from html.rar archive to 'css' directory excluding archived paths. Rename extracted files automatically in case several files have the same name. f Freshen files in archive. Updates archived files older than files to add. This command will not add new files to the archive. i[i|c|h|t]=<string> Find string in archives. Supports following optional parameters: i - case insensitive search (default); c - case sensitive search; h - hexadecimal search; t - use ANSI, UTF-8, UTF-16 and OEM (Windows only) character tables; If no parameters are specified, it is possible to use the simplified command syntax i<string> instead of i=<string> It is allowed to specify 't' modifier with other parameters, for example, ict=string performs case sensitive search using all mentioned above character tables. Examples: 1) rar "ic=first level" -r c:\*.rar *.txt Perform case sensitive search of "first level" string in *.txt files in *.rar archives on the disk c: 2) rar ih=f0e0aeaeab2d83e3a9 -r e:\texts\*.rar Search for hex string f0 e0 ae ae ab 2d 83 e3 a9 in rar archives in e:\texts directory. k Lock archive. 
RAR cannot modify locked archives, so locking important archives prevents their accidental modification by RAR. Such protection might be especially useful in case of RAR commands processing archives in groups. This command is not intended or able to prevent modification by other tools or willful third party. It implements a safety measure only for accidental data change by RAR. Example: rar k final.rar l[t[a],b] List archive contents [technical [all], bare]. 'l' command lists archived file attributes, size, date, time and name, one file per line. If file is encrypted, line starts from '*' character. 'lt' displays the detailed file information in multiline mode. This information includes file checksum value, host OS, compression options and other parameters. 'lta' provide the detailed information not only for files, but also for service headers like NTFS streams or file security data. 'lb' lists bare file names with path, one per line, without any additional information. You can use -v switch to list contents of all volumes in volume set: rar l -v vol.part1.rar Commands 'lt', 'lta' and 'lb' are equal to 'vt', 'vta' and 'vb' correspondingly. m[f] Move to archive [files only]. Moving files and directories results in the files and directories being erased upon successful completion of the packing operation. Directories will not be removed if 'f' modifier is used and/or '-ed' switch is applied. p Print file to stdout. Send unpacked file data to stdout. Informational messages are suppressed with this command, so they are not mixed with file data. r Repair archive. Archive repairing is performed in two stages. First, the damaged archive is searched for a recovery record (see 'rr' command). If archive contains the previously added recovery record and if damaged data area is continuous and smaller than error correction code size in recovery record, chance of successful archive reconstruction is high. 
When this stage has been completed, a new archive is created, named as fixed.arcname.rar, where 'arcname' is the original (damaged) archive name. If broken archive does not contain a recovery record or if archive is not completely recovered due to major damage, second stage is performed. During this stage only the archive structure is reconstructed and it is impossible to recover files which fail checksum validation, it is still possible, however, to recover undamaged files, which were inaccessible due to the broken archive structure. Mostly this is useful for non-solid archives. This stage is never efficient for archives with encrypted file headers, which can be repaired only if recovery record is present. When the second stage is completed, the reconstructed archive is saved as rebuilt.arcname.rar, where 'arcname' is the original archive name. By default, repaired archives are created in the current directory, but you can append an optional destpath\ parameter to specify another destination directory. Example: rar r buggy.rar c:\fixed\ repair buggy.rar and place the result to 'c:\fixed' directory. rc Reconstruct missing and damaged volumes using recovery volumes (.rev files). You need to specify any existing .rar or .rev volume as the archive name. Example: rar rc backup.part03.rar Read 'rv' command description for information about recovery volumes. rn Rename archived files. The command syntax is: rar rn <arcname> <srcname1> <destname1> ... <srcnameN> <destnameN> For example, the following command: rar rn data.rar readme.txt readme.bak info.txt info.bak will rename readme.txt to readme.bak and info.txt to info.bak in the archive data.rar. It is allowed to use wildcards in the source and destination names for simple name transformations

Extracted

Path

C:\Program Files\WinRAR\WhatsNew.txt

Ransom Note
WinRAR - What's new in the latest version Version 6.11 1. Added support for Gz archives with large archive comments. Previously the extraction command failed to unpack gz archives if comment size exceeded 16 KB. 2. Archive comments in gz archives are displayed in the comment window and recognized by "Show information" command. Large comments are shown partially. Previous versions didn't display Gzip comments. 3. Reserved device names followed by file extension, such as aux.txt, are extracted as is in Windows 11 even without "Allow potentially incompatible names" option or -oni command line switch. Unlike previous Windows versions, Windows 11 treats such names as usual files. Device names without extension, such as aux, still require these options to be unpacked as is regardless of Windows version. 4. Switch -mes can be also used to suppress the password prompt and abort when adding files to encrypted solid archive. 5. Additional measures to prevent extracting insecure links are implemented. 6. Bugs fixed: a) if password exceeding 127 characters was entered when unpacking an encrypted archive with console RAR, text after 127th character could be erroneously recognized as user's input by different prompts issued later; b) wrong archived file time could be displayed in overwrite prompt when extracting a file from ZIP archive. It happened if such archive included extended file times and was created in another time zone. It didn't affect the actual file time, which was set properly upon extraction. Version 6.10 1. WinRAR can unpack contents of .zst and .zipx archives utilizing Zstandard algorithm. 2. Added support of Windows 11 Explorer context menus. Beginning from Windows 11, an application can add only a single top level command or submenu to Explorer context menu. If "Cascaded context menus" in "Integration settings" dialog is on, this single item is a submenu storing all necessary WinRAR commands. 
If this option is off, only one extraction command for archives and one archiving command for usual files are available. You can select these commands with "Context menu items..." button in "Integration settings" dialog. 3. "Legacy context menus" option in "Settings/Integration" dialog can be used in Windows 11 if WinRAR commands are missing in "Show more options" Windows legacy context menu or in context menus of third party file managers. If WinRAR commands are already present here, keep "Legacy context menus" option turned off to prevent duplicating them. This option is not available in Windows 10 and older. 4. Windows XP is not supported anymore. Minimum required operating system version is Windows Vista. 5. "Close" item is added to "When done" list on "Advanced" page of archiving dialog. It closes WinRAR window, when archiving is done. 6. "When done" list is added to "Options" page of extraction dialog. It allows to select an action like turning a computer off or closing WinRAR after completing extraction. 7. Switch -si can be used when extracting or testing to read archive data from stdin, such as: type docs.rar | rar x -si -o+ -pmypwd dummy docs\ Even though the archive name is ignored with this switch, an arbitrary dummy archive name has to specified in the command line. Operations requiring backward seeks are unavailable in this mode. It includes displaying archive comments, testing the recovery record, utilizing the quick open information, processing multivolume archives. Prompts requiring user interaction are not allowed. Use -o[+|-|r], -p<pwd> or -mes switches to suppress such prompts. 8. New -ep4<path> switch excludes the path prefix when archiving or extracting if this path is found in the beginning of archived name. Path is compared with names already prepared to store in archive, without drive letters and leading path separators. 
For example: rar a -ep4texts\books archive c:\texts\books\technical removes "text\books" from archived names, so they start from 'technical'. 9. New -mes switch skips encrypted files when extracting or testing. It replaces the former -p- switch. 10. New -op<path> switch sets the destination folder for 'x' and 'e' extraction commands. Unlike <path_to_extract\> command line parameter, this switch also accepts paths without trailing path separator character. 11. If 'p' command is used to print a file to stdout, informational messages are suppressed automatically to prevent them mixing with file data. 12. "Generate archive name by mask" option and switch -ag treat only first two 'M' characters after 'H' as minutes. Previously any amount of such characters was considered as minutes. It makes possible to place the time field before the date, like -agHHMM-DDMMYY. Previous versions considered all 'M' in this string as minutes. 13. Maximum allowed size of RAR5 recovery record is increased to 1000% of protected data size. Maximum number of RAR5 recovery volumes can be 10 times larger than protected RAR volumes. Previous WinRAR versions are not able to use the recovery record to repair broken archives if recovery record size exceeds 99%. Similarly, previous versions cannot use recovery volumes if their number is equal or larger than number of RAR volumes. 14. Warning is issued if entered password exceeds the allowed limit of 127 characters and is truncated. Previously such passwords had been truncated silently. 15. If archive includes reserved device names, the underscore character is inserted in the beginning of such names when extracting. For example, aux.txt is converted to _aux.txt. It is done to prevent compatibility problems with software unable to process such names. You can use "Allow potentially incompatible names" option in "Advanced" part of extraction dialog or command line -oni switch to avoid this conversion. 16. 
WinRAR attempts to reset the file cache before testing an archive. It helps to verify actual data written to disk instead of reading a cached copy. 17. Multiple -v<size> switches specifying different sizes for different volumes are now allowed also for ZIP archives: WinRAR a -v100k -v200k -v300k arcname.zip Previously multiple -v<size> switches were supported only for RAR archives. 18. Switches -sl<size> and -sm<size> can be used in WinRAR.exe command line mode when extracting archives in any supported formats, provided that such archive includes unpacked file sizes. Previously these switches could filter files by size only in RAR and ZIP archives. 19. Newer folder selection dialog is invoked when pressing "Browse" button in WinRAR "Settings/Paths" page, "Repair" and "Convert" commands, also as in few other similar places. Previously a simpler XP style folder selection dialog was opened. 20. When restoring from tray after completing an operation, WinRAR window is positioned under other opened windows, to not interfere with current user activities. 21. "650 MB CD" is removed and "2 GB volumes" is added to the list of predefined volume sizes in "Define volume sizes" dialog invoked from WinRAR "Settings/Compression". 22. "Rename" command selects the file name part up to the final dot. Previously it selected the entire name. 23. If SFX archive size exceeds 4 GB, an error message is issued during compression, immediately after exceeding this threshold. Previously this error was reported only after completing compression. Executables of such size cannot be started by Windows. 24. Command line -en switch is not supported anymore. It created RAR4 archives without the end of archive record. End of archive record permits to gracefully skip external data like digital signatures. 25. 
Bugs fixed: a) when editing a file inside of .rar or .zip archive, WinRAR created a new SFX archive instead of updating an existing archive if "Create SFX archive" option was set in the default compression profile; b) the total progress could be displayed incorrectly when using -oi, -f, -u switches or appropriate GUI options; c) "Find files" command with "Use all tables" option and command line "it" commands failed to find strings in UTF-16 encoding. Version 6.02 1. ZIP SFX module refuses to process SFX commands stored in archive comment if such comment is resided after beginning of Authenticode digital signature. It is done to prevent possible attacks with inclusion of ZIP archive into the signature body. We already prohibited extracting contents of such malformed archives in WinRAR 6.01. We are thankful to Jacob Thompson - Mandiant Advantage Labs for reporting this issue. 2. WinRAR uses https instead of http in the web notifier window, home page and themes links. It also implements additional checks within the web notifier. This is done to prevent a malicious web page from executing existing files on a user's computer. Such attack is only possible if the intruder has managed to spoof or otherwise control user's DNS records. Some other factors are also involved in limiting the practical application of this attack. We would like to express our gratitude to Igor Sak-Sakovskiy for bringing this issue to our attention. 3. Where appropriate, SFX archive displays the additional line with detailed error information provided by operating system. For example, previously such archive would display "Cannot create file" message alone. Now this message is followed by a detailed reason like access denied or file being used by another process. In the past this extended error information was available in WinRAR, but not in SFX archives. 4. Switch -idn hides archived names also in 'v' and 'l' commands. It can be useful if only the archive type or total information is needed. 5. 
If -ibck -ri<priority> switches are used together, WinRAR process sets the priority specified in -ri switch. Previous versions ignored -ri and set the priority to low in the presence of -ibck switch. 6. When using "File/Change drive" command, WinRAR saves the last folder of previous drive and restores it if that drive is selected again later. 7. Name of unpacking file is now included into WinRAR incorrect password warning for RAR5 archives. It can be helpful when unpacking a non-solid archive containing files encrypted with different passwords. 8. Bugs fixed: a) "Convert archives" command issued erroneous "The specified password is incorrect" message after succesfully converting RAR archive with encrypted file names if new password was set and archive was opened in WinRAR shell; b) if command progress window was resized up and then quickly resized down to original dimensions, window contents could be positioned incorrectly. Version 6.01 1. Ctrl+A keyboard shortcut selects the entire text in WinRAR comment window. 2. If -idn switch is used together with -t or -df in console RAR when archiving, it additionally disables "Deleting <filename>" or "Testing <filename>" messages, normally issued by these switches. Also -idn disables folder creation messages when extracting a file to non-existing folder. 3. WinRAR and ZIP SFX module refuse to extract contents of ZIP SFX archives if ZIP central directory is resided after beginning of Authenticode digital signature. It is done to prevent possible attacks with inclusion of ZIP archive into signature body. 4. Bugs fixed: a) "Convert archives" command could incorrectly convert Unicode comments in RAR archives. b) if two archive information windows had been opened from Explorer context menu, the compression ratio bar in the first window could erroneously display a value for second archive. It did not affect the ratio and other text details at the right of window. 
Only the vertical bar at the left could be updated to a wrong value; c) if "Wait if other WinRAR copies are active" option was enabled in extraction dialog, "Waiting for another WinRAR copy" title was not set in command progress window while waiting; d) when extracting a symbolic link, previous versions did not overwrite existing symbolic links even if user requested it in overwrite prompt. Version 6.00 1. "Ignore" and "Ignore All" options are added to read error prompt. "Ignore" allows to continue processing with already read file part only and "Ignore All" does it for all future read errors. For example, if you archive a file, which portion is locked by another process, and if "Ignore" is selected in read error prompt, only a part of file preceding the unreadable region will be saved into archive. It can help to avoid interrupting lengthy archiving operations, though be aware that files archived with "Ignore" are incomplete. If switch -y is specified, "Ignore" is applied to all files by default. Previously available "Retry" and "Quit" options are still present in read error prompt as well. 2. Exit code 12 is returned in the command line mode in case of read errors. This code is returned for all options in the read error prompt, including a newly introduced "Ignore" option. Previously more common fatal error code 2 was returned for read errors. 3. If several archives are selected, "Extract archives to" option group in "Options" page of extraction dialog can be used to place extracted files to specified destination folder, to separate subfolders in destination folder, to separate subfolders in archive folders and directly to archive folders. It replaces "Extract archives to subfolders" option and available only if multiple archives are selected. 4. New -ad2 switch places extracted files directly to archive's own folder. Unlike -ad1, it does not create a separate subfolder for each unpacked archive. 5. 
"Additional switches" option in "Options" page of archiving and extraction dialogs allows to specify WinRAR command line switches. It might be useful if there is no option in WinRAR graphical interface matching a switch. Use this feature only if you are familiar with WinRAR command line syntax and clearly understand what specified switches are intended for. 6. Compression parameters in "Benchmark" command are changed to 32 MB dictionary and "Normal" method. They match RAR5 default mode and more suitable to estimate the typical performance of recent WinRAR versions than former 4 MB "Best" intended for RAR4 format. Latest "Benchmark" results cannot be compared with previous versions directly. New parameters set produces different values, likely lower because of eight times larger dictionary size. 7. When unpacking a part of files from solid volume set, WinRAR attempts to skip volumes in the beginning and
URLs

https

http

http://weirdsgn.com

http://icondesignlab.com

https://rarlab.com/themes/WinRAR_Classic_48x36.theme.rar

Extracted

Family

redline

C2

62.204.41.141:24758

Attributes
  • auth_value

    ea069d64c780fc5379eeb0792909ac77

Signatures

  • Modifies system executable filetype association 2 TTPs 8 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 4 IoCs
  • YTStealer

    YTStealer is a malware designed to steal YouTube authentication cookies.

  • YTStealer payload 3 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 11 IoCs
  • Registers COM server for autorun 1 TTPs 3 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 12 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Detected potential entity reuse from brand microsoft.
  • Drops file in System32 directory 64 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 60 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 64 IoCs
  • NTFS ADS 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 53 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Multiple_Roblox.exe
    "C:\Users\Admin\AppData\Local\Temp\Multiple_Roblox.exe"
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2532
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4132
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3412
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3412.0.2078845210\259187676" -parentBuildID 20200403170909 -prefsHandle 1524 -prefMapHandle 1232 -prefsLen 1 -prefMapSize 219938 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3412 "\\.\pipe\gecko-crash-server-pipe.3412" 1608 gpu
        3⤵
        PID:4036
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3412.3.1838286769\1866468002" -childID 1 -isForBrowser -prefsHandle 2176 -prefMapHandle 2172 -prefsLen 122 -prefMapSize 219938 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3412 "\\.\pipe\gecko-crash-server-pipe.3412" 2188 tab
        3⤵
        PID:3376
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3412.13.36769190\959918185" -childID 2 -isForBrowser -prefsHandle 3136 -prefMapHandle 3132 -prefsLen 6904 -prefMapSize 219938 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3412 "\\.\pipe\gecko-crash-server-pipe.3412" 3148 tab
        3⤵
        PID:4844
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3412.20.16727690\714775215" -parentBuildID 20200403170909 -prefsHandle 4724 -prefMapHandle 3400 -prefsLen 8456 -prefMapSize 219938 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3412 "\\.\pipe\gecko-crash-server-pipe.3412" 4852 rdd
        3⤵
        PID:68
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x41c
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:836
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:5100
  • C:\Users\Admin\Downloads\winrar-x64-611.exe
    "C:\Users\Admin\Downloads\winrar-x64-611.exe"
    1⤵
    • Executes dropped EXE
    • Drops file in Program Files directory
    • Suspicious use of SetWindowsHookEx
    PID:2084
    • C:\Program Files\WinRAR\uninstall.exe
      "C:\Program Files\WinRAR\uninstall.exe" /setup
      2⤵
      • Modifies system executable filetype association
      • Executes dropped EXE
      • Registers COM server for autorun
      • Drops file in Program Files directory
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:1608
  • C:\Program Files\WinRAR\WinRAR.exe
    "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Downloads\Synapse x.rar"
    1⤵
    • Executes dropped EXE
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:4604
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:1304
  • C:\Program Files\WinRAR\WinRAR.exe
    "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -imon1 -- "C:\Users\Admin\Downloads\Synapse x.rar" "?\"
    1⤵
    • Executes dropped EXE
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    PID:568
  • C:\Users\Admin\Downloads\winrar-x64-611.exe
    "C:\Users\Admin\Downloads\winrar-x64-611.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetWindowsHookEx
    PID:2924
  • C:\Users\Admin\Downloads\Synapse x\Synapse x\Synapse X.exe
    "C:\Users\Admin\Downloads\Synapse x\Synapse x\Synapse X.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    PID:2652
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:101616
      • C:\Users\Admin\AppData\Local\Temp\start.exe
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        3⤵
        • Executes dropped EXE
        PID:5712
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell "" "Get-WmiObject Win32_PortConnector"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:6044
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2652 -s 97560
      2⤵
      • Program crash
      PID:101796
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:76204
  • C:\Users\Admin\Downloads\dxwebsetup.exe
    "C:\Users\Admin\Downloads\dxwebsetup.exe"
    1⤵
    • Executes dropped EXE
    • Adds Run key to start application
    PID:1888
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Windows directory
      PID:5124
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:6540
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
    1⤵
    • Checks SCSI registry key(s)
    • Modifies data under HKEY_USERS
    PID:6900
  • C:\Windows\system32\srtasks.exe
    C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:7052
  • C:\Users\Admin\Downloads\Synapse x\Synapse x\Synapse X.exe
    "C:\Users\Admin\Downloads\Synapse x\Synapse x\Synapse X.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    PID:7400
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:5924
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7400 -s 97524
      2⤵
      • Program crash
      PID:6472
  • C:\Program Files\WinRAR\WinRAR.exe
    "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\AppData\Local\Temp\Setup.zip"
    1⤵
    • Executes dropped EXE
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    PID:8500


            Downloads

            • C:\Program Files\WinRAR\Rar.txt

              Filesize

              107KB

              MD5

              8933d6e810668af29d7ba8f1c3b2b9ff

              SHA1

              760cbb236c4ca6e0003582aaefd72ff8b1c872aa

              SHA256

              cd3ba458c88bdf8924ebb404c8505d627e6ac7aadc6e351562c1894019604fc7

              SHA512

              344d737228483add83d5f2b31ae9582ca78013dc4be967f2cdafca24145970e3cb46d75373996150a3c9119ebc81ce9ac50e16696c17a4dea65c9571ef8e745e

            • C:\Program Files\WinRAR\Uninstall.exe

              Filesize

              412KB

              MD5

              92667e28583a9489e3cf4f1a7fd6636e

              SHA1

              faa09990ba4daae970038ed44e3841151d6e7f28

              SHA256

              9147293554ad43920bcf763ffd6e1183c36b9f8156dc220548426a187a5f2959

              SHA512

              63555a15f153df59b2ca2ab56cd20d71420eb5c9977bcf774723d8484157172b027f71fb2f7a4692aecc6e471f50beec2e0f7a43e57449714caede1e9684c0b8

            • C:\Program Files\WinRAR\WhatsNew.txt

              Filesize

              95KB

              MD5

              d4c768c52ee077eb09bac094f4af8310

              SHA1

              c56ae6b4464799fcdc87c5ff5a49ac1ad43482b1

              SHA256

              8089dfbebdf2142c7f60f5c12098859417b3c997f0b24b696ccaa78a50f3726c

              SHA512

              5b794b19b5ff10f7356a46f02204d0df3183037bc89d32e3f2c2978ea8f90ac6367fcb225b476cb7c8a3035d82ca1e328791271d3a58b40b9759d4b65e83f847

            • C:\Program Files\WinRAR\WinRAR.chm

              Filesize

              314KB

              MD5

              81b236ef16aaa6a3936fd449b12b82a2

              SHA1

              698acb3c862c7f3ecf94971e4276e531914e67bc

              SHA256

              d37819e64ecb61709fcf3435eb9bed790f75163057e36fb94a3465ca353ccc5e

              SHA512

              968fe20d6fe6879939297b8683da1520a1e0d2b9a5107451fca70b91802492e243976f56090c85eb9f38fca8f74134b8b6aa133ba2e2806d763c9f8516ace769

            • C:\Program Files\WinRAR\WinRAR.exe

              Filesize

              2.3MB

              MD5

              0b114fc0f4b6d49f57b3b01dd9ea6a8c

              SHA1

              23e1480c3ff3a54e712d759e9325d362bf52fabd

              SHA256

              f0f312fe14599d7379aa247c1d0cc6100db45bfe7f277113134a8157950bcacd

              SHA512

              e31c3a3da5e72a9d72e245d6e5dcc7c92e4cfcbb6bdbb61061e0586e29f77e8b42a81a0bba99ce45e148a2423907878fb858c40cc1008ef9d90fb8e4e2fcd573

            • C:\Program Files\WinRAR\WinRAR.exe

              Filesize

              2.3MB

              MD5

              0b114fc0f4b6d49f57b3b01dd9ea6a8c

              SHA1

              23e1480c3ff3a54e712d759e9325d362bf52fabd

              SHA256

              f0f312fe14599d7379aa247c1d0cc6100db45bfe7f277113134a8157950bcacd

              SHA512

              e31c3a3da5e72a9d72e245d6e5dcc7c92e4cfcbb6bdbb61061e0586e29f77e8b42a81a0bba99ce45e148a2423907878fb858c40cc1008ef9d90fb8e4e2fcd573

            • C:\Program Files\WinRAR\WinRAR.exe

              Filesize

              2.3MB

              MD5

              0b114fc0f4b6d49f57b3b01dd9ea6a8c

              SHA1

              23e1480c3ff3a54e712d759e9325d362bf52fabd

              SHA256

              f0f312fe14599d7379aa247c1d0cc6100db45bfe7f277113134a8157950bcacd

              SHA512

              e31c3a3da5e72a9d72e245d6e5dcc7c92e4cfcbb6bdbb61061e0586e29f77e8b42a81a0bba99ce45e148a2423907878fb858c40cc1008ef9d90fb8e4e2fcd573

            • C:\Program Files\WinRAR\WinRAR.exe

              Filesize

              2.3MB

              MD5

              0b114fc0f4b6d49f57b3b01dd9ea6a8c

              SHA1

              23e1480c3ff3a54e712d759e9325d362bf52fabd

              SHA256

              f0f312fe14599d7379aa247c1d0cc6100db45bfe7f277113134a8157950bcacd

              SHA512

              e31c3a3da5e72a9d72e245d6e5dcc7c92e4cfcbb6bdbb61061e0586e29f77e8b42a81a0bba99ce45e148a2423907878fb858c40cc1008ef9d90fb8e4e2fcd573

            • C:\Program Files\WinRAR\uninstall.exe

              Filesize

              412KB

              MD5

              92667e28583a9489e3cf4f1a7fd6636e

              SHA1

              faa09990ba4daae970038ed44e3841151d6e7f28

              SHA256

              9147293554ad43920bcf763ffd6e1183c36b9f8156dc220548426a187a5f2959

              SHA512

              63555a15f153df59b2ca2ab56cd20d71420eb5c9977bcf774723d8484157172b027f71fb2f7a4692aecc6e471f50beec2e0f7a43e57449714caede1e9684c0b8

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

              Filesize

              2KB

              MD5

              226a4476a224b0441ffd610ddbceb8f9

              SHA1

              918bc2e3e05c9b4d6dc0fe6d2c185bbbffe7cbe7

              SHA256

              464f6b3f3dc24198153d50ae9f68e5d96e4f7c426418c845602f5823e7c96ce0

              SHA512

              3d8210774142852f164edbc603ed5bbdbc4e6ed211a3927e32239a5e1626c7f1330c674212fffbb1d60225d2c93fa94f849dd7867a44ff36c13b1776fed2bccb

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup.dll

              Filesize

              93KB

              MD5

              984cad22fa542a08c5d22941b888d8dc

              SHA1

              3e3522e7f3af329f2235b0f0850d664d5377b3cd

              SHA256

              57bc22850bb8e0bcc511a9b54cd3da18eec61f3088940c07d63b9b74e7fe2308

              SHA512

              8ef171218b331f0591a4b2a5e68dcbae98f5891518ce877f1d8d1769c59c0f4ddae43cc43da6606975078f889c832f0666484db9e047782e7a0ae4a2d41f5bef

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup32.dll

              Filesize

              1.5MB

              MD5

              a5412a144f63d639b47fcc1ba68cb029

              SHA1

              81bd5f1c99b22c0266f3f59959dfb4ea023be47e

              SHA256

              8a011da043a4b81e2b3d41a332e0ff23a65d546bd7636e8bc74885e8746927d6

              SHA512

              2679a4cb690e8d709cb5e57b59315d22f69f91efa6c4ee841943751c882b0c0457fd4a3376ac3832c757c6dfaffb7d844909c5665b86a95339af586097ee0405

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxupdate.cif

              Filesize

              65KB

              MD5

              b36d3f105d18e55534ad605cbf061a92

              SHA1

              788ef2de1dea6c8fe1d23a2e1007542f7321ed79

              SHA256

              c6c5e877e92d387e977c135765075b7610df2500e21c16e106a225216e6442ae

              SHA512

              35ae00da025fd578205337a018b35176095a876cd3c3cf67a3e8a8e69cd750a4ccc34ce240f11fae3418e5e93caf5082c987f0c63f9d953ed7cb8d9271e03b62

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxupdate.dll

              Filesize

              173KB

              MD5

              7ed554b08e5b69578f9de012822c39c9

              SHA1

              036d04513e134786b4758def5aff83d19bf50c6e

              SHA256

              fb4f297e295c802b1377c6684734b7249d55743dfb7c14807bef59a1b5db63a2

              SHA512

              7af5f9c4a3ad5c120bcdd681b958808ada4d885d21aeb4a009a36a674ad3ece9b51837212a982db6142a6b5580e5b68d46971b802456701391ce40785ae6ebd9

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxupdate.inf

              Filesize

              12KB

              MD5

              e6a74342f328afa559d5b0544e113571

              SHA1

              a08b053dfd061391942d359c70f9dd406a968b7d

              SHA256

              93f5589499ee4ee2812d73c0d8feacbbcfe8c47b6d98572486bc0eff3c5906ca

              SHA512

              1e35e5bdff1d551da6c1220a1a228c657a56a70dedf5be2d9273fc540f9c9f0bb73469595309ea1ff561be7480ee92d16f7acbbd597136f4fc5f9b8b65ecdfad

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.cif

              Filesize

              56KB

              MD5

              7b1fbe9f5f43b2261234b78fe115cf8e

              SHA1

              dd0f256ae38b4c4771e1d1ec001627017b7bb741

              SHA256

              762ff640013db2bd4109d7df43a867303093815751129bd1e33f16bf02e52cce

              SHA512

              d21935a9867c0f2f7084917c79fbb1da885a1bfd4793cf669ff4da8c777b3a201857250bfb7c2b616625a8d3573c68395d210446d2c284b41cf09cc7cbb07885

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.cif

              Filesize

              56KB

              MD5

              2c4d9e4773084f33092ced15678a2c46

              SHA1

              bad603d543470157effd4876a684b9cfd5075524

              SHA256

              ed710d035ccaab0914810becf2f5db2816dba3a351f3666a38a903c80c16997a

              SHA512

              d2e34cac195cfede8bc64bdc92721c574963ff522618eda4d7172f664aeb4c8675fd3d4f3658391ee5eaa398bcd2ce5d8f80deecf51af176f5c4bb2d2695e04e

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

              Filesize

              515KB

              MD5

              ac3a5f7be8cd13a863b50ab5fe00b71c

              SHA1

              eee417cd92e263b84dd3b5dcc2b4b463fe6e84d9

              SHA256

              8f5e89298e3dc2e22d47515900c37cca4ee121c5ba06a6d962d40ad6e1a595da

              SHA512

              c8bbe791373dad681f0ac9f5ab538119bde685d4f901f5db085c73163fc2e868972b2de60e72ccd44f745f1fd88fcde2e27f32302d8cbd3c1f43e6e657c79fba

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.inf

              Filesize

              477B

              MD5

              ad8982eaa02c7ad4d7cdcbc248caa941

              SHA1

              4ccd8e038d73a5361d754c7598ed238fc040d16b

              SHA256

              d63c35e9b43eb0f28ffc28f61c9c9a306da9c9de3386770a7eb19faa44dbfc00

              SHA512

              5c805d78bafff06c36b5df6286709ddf2d36808280f92e62dc4c285edd9176195a764d5cf0bb000da53ca8bbf66ddd61d852e4259e3113f6529e2d7bdbdd6e28

            • C:\Users\Admin\AppData\Local\Temp\Setup.zip

              Filesize

              10.7MB

              MD5

              b82dba05f995a473fe37077e68fcd48c

              SHA1

              b53aea0f0fad45cf16de25358933bf40770b255a

              SHA256

              02359bab6bb25cc616a7b6e8221e432a59d23e06dbbd03c0194e8013646c0b82

              SHA512

              003d7e9dae82df49edc0c9fa6685bb21ea6eebc70bc41bc116aa4c323d73acb2e6a79490340676d64c03a0040a07280a40021912a0c0f748f7603441778e00d9

            • C:\Users\Admin\AppData\Local\Temp\start.exe

              Filesize

              4.0MB

              MD5

              47b29465bb5fcbbd899f1d98af193f06

              SHA1

              ddd7c01b07939751f734c1e9b7aa17853447e02c

              SHA256

              a54ac89930406913a3b0b3b8e3ef738135a9b7fa54b01578f870e26ee9f99efb

              SHA512

              838a170802283f318712195402dc26dc601d2f81d3dae1f32309e532af732808c1a8b03c80f7dcf99b2ae94276678bb4211a44ebe889335da34a6083c4bd31f8

            • C:\Users\Admin\AppData\Local\Temp\start.exe

              Filesize

              4.0MB

              MD5

              47b29465bb5fcbbd899f1d98af193f06

              SHA1

              ddd7c01b07939751f734c1e9b7aa17853447e02c

              SHA256

              a54ac89930406913a3b0b3b8e3ef738135a9b7fa54b01578f870e26ee9f99efb

              SHA512

              838a170802283f318712195402dc26dc601d2f81d3dae1f32309e532af732808c1a8b03c80f7dcf99b2ae94276678bb4211a44ebe889335da34a6083c4bd31f8

            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zptz2arc.default-release\cookies.sqlite

              Filesize

              512KB

              MD5

              2c16cfbf768b46cb17ae994a54e7c1d8

              SHA1

              8c4f4e5df72d2d162925e9186b922520a2080d20

              SHA256

              e239e398c4dac275ebc1a705ac25476e48d1a614f9d38e273485a2bb30d7a52b

              SHA512

              b1b4ceefb229b0591c22d59c24ceb18fde8d02fc5f68d2990b42230c6b8cd7518d428d4f9d7e3ce81b56e8515ee4d79faeebf3d3efeab1d92920b27722492a8e

            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zptz2arc.default-release\cookies.sqlite

              Filesize

              512KB

              MD5

              3bda439772e4e27c1288891c03a3affa

              SHA1

              e13b1472c5c7577d5a1f1c50d248bf39090ad29d

              SHA256

              ddd101f1c6e2873d68d4276240ff22050b36671599348bb04ae80e693cf62f04

              SHA512

              ec949c3befef2eaf65a5278eab53c357c08469741e03713aae4053c18445fa6590da0d30bab401c0cb2459da0f4df0f5daa7bde519c7cc5d0fbd64847661f1e5

            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zptz2arc.default-release\cookies.sqlite

              Filesize

              512KB

              MD5

              4b0fa98be04349579ea8d7b1dc4a68de

              SHA1

              fc0fa8d40b6b784740964509aaaa11807d1a8cd8

              SHA256

              ac8ade1e6074a0ef05a3156fa090d5f60c1f2a4c9cfe1523418e7807fac1a595

              SHA512

              0e58bd469b5c91acd9541cc611a85ba54428dbdb927ffe007ff3391e1bba31d3505bdeb502c8639406825924bcd8f6faa5739f9ad442ef3ff51ab2776d1f46d6

            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zptz2arc.default-release\cookies.sqlite-wal

              Filesize

              544KB

              MD5

              d5dafefa79fde232ce86ecbb6ca14d6d

              SHA1

              425cfa1e491d462381b4d34ded367831c21c26b0

              SHA256

              cc92ffc8a183e6d63a1100203078c26ad2353817cab4bb9157deac2119a6c3df

              SHA512

              1c6cb075fb62bef12f173bc66b50e8ab976926636932a328f7c43cbb51c624b921af1f3971ce6e748ceb7833281e978b66bef015a03d0cdd5b009292e9e5772d

            • C:\Users\Admin\AppData\Roaming\WinRAR\version.dat

              Filesize

              12B

              MD5

              077e218f52a7e7b5b9226d268e6b9937

              SHA1

              31fd9cbcc930e82db22ecd02b1fffc03d6b335ca

              SHA256

              a753595a11ad046a97b39ae5204a0a2302d76b9324133ed43adf521d558262e1

              SHA512

              30248ff79f07873f51599e485bfa13daecbbff5e6a81d852fa7265ae181952f24af7df062f28a761bcac65717e9a25e29d6f5aae8c41d1c49e3a8bde13516977

            • C:\Users\Admin\Downloads\Synapse x.rar

              Filesize

              226KB

              MD5

              e4af2284dfeaa12bc115b542ee085060

              SHA1

              35da507bf5c4f413c0a385122345d3ee1b9fe426

              SHA256

              abd7689f80474c53106777ca764db41c8f39a18991d7b39350738f2141865418

              SHA512

              5968865fa358903bdd8414f66e939fdc2390fed6a8ebcdaecd8c78ed05f6040b4c425813e4d87ff5a869f16692e7dbd09bf4fb1c4a606ef1b7c322dc8d280207

            • C:\Users\Admin\Downloads\Synapse x\Synapse x\Synapse X.exe

              Filesize

              445KB

              MD5

              9ee68713f2a7cffe160e3fc1b446f61e

              SHA1

              1cd56f8a27c8913e1d8c4dd0c97acdeb0f2242ab

              SHA256

              49deb035d46391e414506e10e5d394a9c371e61299fb5539e71e7bd830099f52

              SHA512

              bc3a3e92b945d2a0e3c1737e0e3173ab8d16ad934f8c0eb76559819f83a6e70e40e1953328db89b5518faf0790cd9fcc04a059f04d011f5f5f5c22502b2db717

            • C:\Users\Admin\Downloads\Synapse x\Synapse x\Synapse X.exe

              Filesize

              445KB

              MD5

              9ee68713f2a7cffe160e3fc1b446f61e

              SHA1

              1cd56f8a27c8913e1d8c4dd0c97acdeb0f2242ab

              SHA256

              49deb035d46391e414506e10e5d394a9c371e61299fb5539e71e7bd830099f52

              SHA512

              bc3a3e92b945d2a0e3c1737e0e3173ab8d16ad934f8c0eb76559819f83a6e70e40e1953328db89b5518faf0790cd9fcc04a059f04d011f5f5f5c22502b2db717

            • C:\Users\Admin\Downloads\Synapse x\Synapse x\Synapse X.exe

              Filesize

              445KB

              MD5

              9ee68713f2a7cffe160e3fc1b446f61e

              SHA1

              1cd56f8a27c8913e1d8c4dd0c97acdeb0f2242ab

              SHA256

              49deb035d46391e414506e10e5d394a9c371e61299fb5539e71e7bd830099f52

              SHA512

              bc3a3e92b945d2a0e3c1737e0e3173ab8d16ad934f8c0eb76559819f83a6e70e40e1953328db89b5518faf0790cd9fcc04a059f04d011f5f5f5c22502b2db717

            • C:\Users\Admin\Downloads\dxwebsetup.exe

              Filesize

              288KB

              MD5

              2cbd6ad183914a0c554f0739069e77d7

              SHA1

              7bf35f2afca666078db35ca95130beb2e3782212

              SHA256

              2cf71d098c608c56e07f4655855a886c3102553f648df88458df616b26fd612f

              SHA512

              ff1af2d2a883865f2412dddcd68006d1907a719fe833319c833f897c93ee750bac494c0991170dc1cf726b3f0406707daa361d06568cd610eeb4ed1d9c0fbb10

            • C:\Users\Admin\Downloads\dxwebsetup.exe

              Filesize

              288KB

              MD5

              2cbd6ad183914a0c554f0739069e77d7

              SHA1

              7bf35f2afca666078db35ca95130beb2e3782212

              SHA256

              2cf71d098c608c56e07f4655855a886c3102553f648df88458df616b26fd612f

              SHA512

              ff1af2d2a883865f2412dddcd68006d1907a719fe833319c833f897c93ee750bac494c0991170dc1cf726b3f0406707daa361d06568cd610eeb4ed1d9c0fbb10

            • C:\Users\Admin\Downloads\winrar-x64-611.exe

              Filesize

              3.3MB

              MD5

              8a6217d94e1bcbabdd1dfcdcaa83d1b3

              SHA1

              99b81b01f277540f38ea3e96c9c6dc2a57dfeb92

              SHA256

              3023edb4fc3f7c2ebad157b182b62848423f6fa20d180b0df689cbb503a49684

              SHA512

              a8f6f6fdfa9d754a577b7dd885a938fb9149f113baa2afb6352df622cdb73242175a06cd567e971fd3de93a126ba05b78178d5d512720d8fdb87ececce2cbf54

            • C:\Users\Admin\Downloads\winrar-x64-611.exe

              Filesize

              3.3MB

              MD5

              8a6217d94e1bcbabdd1dfcdcaa83d1b3

              SHA1

              99b81b01f277540f38ea3e96c9c6dc2a57dfeb92

              SHA256

              3023edb4fc3f7c2ebad157b182b62848423f6fa20d180b0df689cbb503a49684

              SHA512

              a8f6f6fdfa9d754a577b7dd885a938fb9149f113baa2afb6352df622cdb73242175a06cd567e971fd3de93a126ba05b78178d5d512720d8fdb87ececce2cbf54

            • C:\Users\Admin\Downloads\winrar-x64-611.exe

              Filesize

              3.3MB

              MD5

              8a6217d94e1bcbabdd1dfcdcaa83d1b3

              SHA1

              99b81b01f277540f38ea3e96c9c6dc2a57dfeb92

              SHA256

              3023edb4fc3f7c2ebad157b182b62848423f6fa20d180b0df689cbb503a49684

              SHA512

              a8f6f6fdfa9d754a577b7dd885a938fb9149f113baa2afb6352df622cdb73242175a06cd567e971fd3de93a126ba05b78178d5d512720d8fdb87ececce2cbf54

            • \??\c:\users\admin\appdata\local\temp\ixp000.tmp\dxwsetup.exe

              Filesize

              515KB

              MD5

              ac3a5f7be8cd13a863b50ab5fe00b71c

              SHA1

              eee417cd92e263b84dd3b5dcc2b4b463fe6e84d9

              SHA256

              8f5e89298e3dc2e22d47515900c37cca4ee121c5ba06a6d962d40ad6e1a595da

              SHA512

              c8bbe791373dad681f0ac9f5ab538119bde685d4f901f5db085c73163fc2e868972b2de60e72ccd44f745f1fd88fcde2e27f32302d8cbd3c1f43e6e657c79fba

            • \Program Files\WinRAR\RarExt.dll

              Filesize

              632KB

              MD5

              650a771d005941c7a23926011d75ad8f

              SHA1

              84b346acd006f21d7ffb8d5ea5937ec0ee3daa4f

              SHA256

              b28d116dd3066e7a3c9f0cc2f63d34a7189c9d78e869d1255c9dec59172a9d5f

              SHA512

              4724bd81c26716f0ad59187c78fbb920fd8b251540e76c28d93e0afcce3ebe0e3e2b4605e9d444bbbc3e828ce11f2b73489404318ab11403eff94b42ef2c9bad

            • \Program Files\WinRAR\RarExt.dll

              Filesize

              632KB

              MD5

              650a771d005941c7a23926011d75ad8f

              SHA1

              84b346acd006f21d7ffb8d5ea5937ec0ee3daa4f

              SHA256

              b28d116dd3066e7a3c9f0cc2f63d34a7189c9d78e869d1255c9dec59172a9d5f

              SHA512

              4724bd81c26716f0ad59187c78fbb920fd8b251540e76c28d93e0afcce3ebe0e3e2b4605e9d444bbbc3e828ce11f2b73489404318ab11403eff94b42ef2c9bad

            • \Users\Admin\AppData\Local\Temp\DXCF73.tmp\dxupdate.dll

              Filesize

              173KB

              MD5

              7ed554b08e5b69578f9de012822c39c9

              SHA1

              036d04513e134786b4758def5aff83d19bf50c6e

              SHA256

              fb4f297e295c802b1377c6684734b7249d55743dfb7c14807bef59a1b5db63a2

              SHA512

              7af5f9c4a3ad5c120bcdd681b958808ada4d885d21aeb4a009a36a674ad3ece9b51837212a982db6142a6b5580e5b68d46971b802456701391ce40785ae6ebd9

            • \Users\Admin\AppData\Local\Temp\DXCF73.tmp\dxupdate.dll

              Filesize

              173KB

              MD5

              7ed554b08e5b69578f9de012822c39c9

              SHA1

              036d04513e134786b4758def5aff83d19bf50c6e

              SHA256

              fb4f297e295c802b1377c6684734b7249d55743dfb7c14807bef59a1b5db63a2

              SHA512

              7af5f9c4a3ad5c120bcdd681b958808ada4d885d21aeb4a009a36a674ad3ece9b51837212a982db6142a6b5580e5b68d46971b802456701391ce40785ae6ebd9

            • \Users\Admin\AppData\Local\Temp\DXCF73.tmp\microsoft.directx.direct3dx.dll

              Filesize

              2.6MB

              MD5

              a73e7421449cca62b0561bad4c8ef23d

              SHA1

              cf51ca7d28fcdc79c215450fb759ffe9101b6cfe

              SHA256

              7986e3fbe05418fe5d8425f2f1b76b7a7b09952f3ec560b286dd744bf7178059

              SHA512

              63d24647ac5d0beb8f1284973927263cb6e05b4c399cda3912178114b42d541dd516c6d67a453ea997d9d0cd9126a1802678062f0951c2547e1b445ba50dfbe4

            • \Users\Admin\AppData\Local\Temp\DXCF73.tmp\microsoft.directx.direct3dx.dll

              Filesize

              2.6MB

              MD5

              a73e7421449cca62b0561bad4c8ef23d

              SHA1

              cf51ca7d28fcdc79c215450fb759ffe9101b6cfe

              SHA256

              7986e3fbe05418fe5d8425f2f1b76b7a7b09952f3ec560b286dd744bf7178059

              SHA512

              63d24647ac5d0beb8f1284973927263cb6e05b4c399cda3912178114b42d541dd516c6d67a453ea997d9d0cd9126a1802678062f0951c2547e1b445ba50dfbe4

            • \Users\Admin\AppData\Local\Temp\IXP000.TMP\dxupdate.dll

              Filesize

              173KB

              MD5

              7ed554b08e5b69578f9de012822c39c9

              SHA1

              036d04513e134786b4758def5aff83d19bf50c6e

              SHA256

              fb4f297e295c802b1377c6684734b7249d55743dfb7c14807bef59a1b5db63a2

              SHA512

              7af5f9c4a3ad5c120bcdd681b958808ada4d885d21aeb4a009a36a674ad3ece9b51837212a982db6142a6b5580e5b68d46971b802456701391ce40785ae6ebd9

            • \Windows\SysWOW64\directx\websetup\dsetup.dll

              Filesize

              93KB

              MD5

              984cad22fa542a08c5d22941b888d8dc

              SHA1

              3e3522e7f3af329f2235b0f0850d664d5377b3cd

              SHA256

              57bc22850bb8e0bcc511a9b54cd3da18eec61f3088940c07d63b9b74e7fe2308

              SHA512

              8ef171218b331f0591a4b2a5e68dcbae98f5891518ce877f1d8d1769c59c0f4ddae43cc43da6606975078f889c832f0666484db9e047782e7a0ae4a2d41f5bef

            • \Windows\SysWOW64\directx\websetup\dsetup32.dll

              Filesize

              1.5MB

              MD5

              a5412a144f63d639b47fcc1ba68cb029

              SHA1

              81bd5f1c99b22c0266f3f59959dfb4ea023be47e

              SHA256

              8a011da043a4b81e2b3d41a332e0ff23a65d546bd7636e8bc74885e8746927d6

              SHA512

              2679a4cb690e8d709cb5e57b59315d22f69f91efa6c4ee841943751c882b0c0457fd4a3376ac3832c757c6dfaffb7d844909c5665b86a95339af586097ee0405
