aurora | 0097a6bdac122bd4eeea03142b319b96ed3977dac703d78ee98241c43bc2c2c0

Analysis

max time kernel
148s
max time network
153s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03-02-2023 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Thunderbird Setup 102.7.1.exe
Size

51.3MB
MD5

84ba48f2552df6fde2c652510066bdb3
SHA1

aba83eced9fc26786e82857c413eaed8f9cc0fe7
SHA256

0097a6bdac122bd4eeea03142b319b96ed3977dac703d78ee98241c43bc2c2c0
SHA512

1ac079420b40bb24b2d703562aa632dddcc0dfbff95f3993559ab674f5dfa5ffb0837b63807ac7e0e46f5c244eb5e15dd65adc784817be972f333faa30547ea0
SSDEEP

786432:pZPTL7jZwLJ4SKREbNWWnKD2I5cMSWUKca5KWP1:pNjZwLKSKa22ucMSdKcasWP1

Score

10^/10

aurora babadeda crypter loader persistence spyware stealer

Malware Config

Extracted

Family

aurora

79.137.133.225:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 2 IoCs

resource	yara_rule
behavioral1/files/0x00070000000142d3-77.dat	family_babadeda
behavioral1/memory/1568-139-0x0000000007930000-0x0000000008220000-memory.dmp	family_babadeda

Executes dropped EXE 2 IoCs

pid	Process
1164	cygwin-console-helper.exe
1568	SimpleMindPro.exe

Loads dropped DLL 55 IoCs

pid	Process
580	MsiExec.exe
1484	MsiExec.exe
1484	MsiExec.exe
1484	MsiExec.exe
1484	MsiExec.exe
1568	SimpleMindPro.exe
1568	SimpleMindPro.exe
1568	SimpleMindPro.exe
1568	SimpleMindPro.exe
1568	SimpleMindPro.exe
1568	SimpleMindPro.exe
1568	SimpleMindPro.exe
1568	SimpleMindPro.exe
1568	SimpleMindPro.exe
1568	SimpleMindPro.exe
1568	SimpleMindPro.exe
1568	SimpleMindPro.exe
1568	SimpleMindPro.exe
1568	SimpleMindPro.exe
1568	SimpleMindPro.exe
1568	SimpleMindPro.exe
1568	SimpleMindPro.exe
1568	SimpleMindPro.exe
1568	SimpleMindPro.exe
1568	SimpleMindPro.exe
1568	SimpleMindPro.exe
1568	SimpleMindPro.exe
1568	SimpleMindPro.exe
1568	SimpleMindPro.exe
1568	SimpleMindPro.exe
1568	SimpleMindPro.exe
1568	SimpleMindPro.exe
1568	SimpleMindPro.exe
1568	SimpleMindPro.exe
1568	SimpleMindPro.exe
1568	SimpleMindPro.exe
1568	SimpleMindPro.exe
1568	SimpleMindPro.exe
1568	SimpleMindPro.exe
1568	SimpleMindPro.exe
1568	SimpleMindPro.exe
1568	SimpleMindPro.exe
1568	SimpleMindPro.exe
1568	SimpleMindPro.exe
1568	SimpleMindPro.exe
1568	SimpleMindPro.exe
1568	SimpleMindPro.exe
1568	SimpleMindPro.exe
1568	SimpleMindPro.exe
1568	SimpleMindPro.exe
1568	SimpleMindPro.exe
1568	SimpleMindPro.exe
1568	SimpleMindPro.exe
1568	SimpleMindPro.exe
1568	SimpleMindPro.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Review Assistant = "C:\\Users\\Admin\\AppData\\Local\\Image Comparer\\SimpleMindPro.exe"	SimpleMindPro.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	Thunderbird Setup 102.7.1.exe
File opened (read-only)	\??\W:	Thunderbird Setup 102.7.1.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	Thunderbird Setup 102.7.1.exe
File opened (read-only)	\??\K:	Thunderbird Setup 102.7.1.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	Thunderbird Setup 102.7.1.exe
File opened (read-only)	\??\V:	Thunderbird Setup 102.7.1.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	Thunderbird Setup 102.7.1.exe
File opened (read-only)	\??\P:	Thunderbird Setup 102.7.1.exe
File opened (read-only)	\??\T:	Thunderbird Setup 102.7.1.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Y:	Thunderbird Setup 102.7.1.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	Thunderbird Setup 102.7.1.exe
File opened (read-only)	\??\U:	Thunderbird Setup 102.7.1.exe
File opened (read-only)	\??\Z:	Thunderbird Setup 102.7.1.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	Thunderbird Setup 102.7.1.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	Thunderbird Setup 102.7.1.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\M:	Thunderbird Setup 102.7.1.exe
File opened (read-only)	\??\R:	Thunderbird Setup 102.7.1.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	Thunderbird Setup 102.7.1.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	Thunderbird Setup 102.7.1.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	Thunderbird Setup 102.7.1.exe
File opened (read-only)	\??\G:	Thunderbird Setup 102.7.1.exe
File opened (read-only)	\??\I:	Thunderbird Setup 102.7.1.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	Thunderbird Setup 102.7.1.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	SimpleMindPro.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	SimpleMindPro.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\6c1dbf.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI236C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\6c1dc1.ipi	msiexec.exe
File created	C:\Windows\Installer\6c1dbf.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1E6A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1FE2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI206F.tmp	msiexec.exe
File created	C:\Windows\Installer\6c1dc1.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI348D.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 33 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C295A292-724B-402E-A8A8-D0D317C04613}\InprocServer32	SimpleMindPro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C295A292-724B-402E-A8A8-D0D317C04613}\ProgID\	SimpleMindPro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C295A292-724B-402E-A8A8-D0D317C04613}\ProgID\ = "BCSRuntime.AssociationEntityInstanceReferencesDictionary.1"	SimpleMindPro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9330442C-86AC-6BD2-4729-409FB646F8C1}\	SimpleMindPro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9330442C-86AC-6BD2-4729-409FB646F8C1}\1.0\0\win32	SimpleMindPro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9330442C-86AC-6BD2-4729-409FB646F8C1}\1.0\0\win64\	SimpleMindPro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9330442C-86AC-6BD2-4729-409FB646F8C1}\1.0\0\win64\ = "%SystemRoot%\\SysWow64\\Wpc.dll\\2"	SimpleMindPro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9330442C-86AC-6BD2-4729-409FB646F8C1}\1.0\HELPDIR\	SimpleMindPro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C295A292-724B-402E-A8A8-D0D317C04613}\TypeLib\ = "{9330442C-86AC-6BD2-4729-409FB646F8C1}"	SimpleMindPro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C295A292-724B-402E-A8A8-D0D317C04613}\VersionIndependentProgID	SimpleMindPro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C295A292-724B-402E-A8A8-D0D317C04613}	SimpleMindPro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9330442C-86AC-6BD2-4729-409FB646F8C1}\1.0	SimpleMindPro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9330442C-86AC-6BD2-4729-409FB646F8C1}\1.0\FLAGS\	SimpleMindPro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9330442C-86AC-6BD2-4729-409FB646F8C1}\1.0\HELPDIR\ = "%SystemRoot%\\SysWow64\\"	SimpleMindPro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9330442C-86AC-6BD2-4729-409FB646F8C1}\1.0\	SimpleMindPro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9330442C-86AC-6BD2-4729-409FB646F8C1}\1.0\0	SimpleMindPro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C295A292-724B-402E-A8A8-D0D317C04613}\TypeLib\	SimpleMindPro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C295A292-724B-402E-A8A8-D0D317C04613}\ProgID	SimpleMindPro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C295A292-724B-402E-A8A8-D0D317C04613}\InprocServer32\	SimpleMindPro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C295A292-724B-402E-A8A8-D0D317C04613}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\BCSRuntime.dll"	SimpleMindPro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9330442C-86AC-6BD2-4729-409FB646F8C1}	SimpleMindPro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9330442C-86AC-6BD2-4729-409FB646F8C1}\1.0\ = "WPC private 1.0 Type Library"	SimpleMindPro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9330442C-86AC-6BD2-4729-409FB646F8C1}\1.0\0\	SimpleMindPro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9330442C-86AC-6BD2-4729-409FB646F8C1}\1.0\0\win32\	SimpleMindPro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9330442C-86AC-6BD2-4729-409FB646F8C1}\1.0\FLAGS	SimpleMindPro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C295A292-724B-402E-A8A8-D0D317C04613}\TypeLib	SimpleMindPro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C295A292-724B-402E-A8A8-D0D317C04613}\VersionIndependentProgID\	SimpleMindPro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C295A292-724B-402E-A8A8-D0D317C04613}\ = "Cahawa.Ojihip.Ininako object"	SimpleMindPro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9330442C-86AC-6BD2-4729-409FB646F8C1}\1.0\0\win32\ = "%SystemRoot%\\SysWow64\\Wpc.dll\\2"	SimpleMindPro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9330442C-86AC-6BD2-4729-409FB646F8C1}\1.0\0\win64	SimpleMindPro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9330442C-86AC-6BD2-4729-409FB646F8C1}\1.0\FLAGS\ = "0"	SimpleMindPro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C295A292-724B-402E-A8A8-D0D317C04613}\VersionIndependentProgID\ = "BCSRuntime.AssociationEntityInstanceReferencesDictionary"	SimpleMindPro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9330442C-86AC-6BD2-4729-409FB646F8C1}\1.0\HELPDIR	SimpleMindPro.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
684	msiexec.exe
684	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1568	SimpleMindPro.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	684	msiexec.exe
Token: SeTakeOwnershipPrivilege	684	msiexec.exe
Token: SeSecurityPrivilege	684	msiexec.exe
Token: SeCreateTokenPrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeAssignPrimaryTokenPrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeLockMemoryPrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeIncreaseQuotaPrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeMachineAccountPrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeTcbPrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeSecurityPrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeTakeOwnershipPrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeLoadDriverPrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeSystemProfilePrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeSystemtimePrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeProfSingleProcessPrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeIncBasePriorityPrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeCreatePagefilePrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeCreatePermanentPrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeBackupPrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeRestorePrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeShutdownPrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeDebugPrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeAuditPrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeSystemEnvironmentPrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeChangeNotifyPrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeRemoteShutdownPrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeUndockPrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeSyncAgentPrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeEnableDelegationPrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeManageVolumePrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeImpersonatePrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeCreateGlobalPrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeCreateTokenPrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeAssignPrimaryTokenPrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeLockMemoryPrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeIncreaseQuotaPrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeMachineAccountPrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeTcbPrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeSecurityPrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeTakeOwnershipPrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeLoadDriverPrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeSystemProfilePrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeSystemtimePrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeProfSingleProcessPrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeIncBasePriorityPrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeCreatePagefilePrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeCreatePermanentPrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeBackupPrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeRestorePrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeShutdownPrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeDebugPrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeAuditPrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeSystemEnvironmentPrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeChangeNotifyPrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeRemoteShutdownPrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeUndockPrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeSyncAgentPrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeEnableDelegationPrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeManageVolumePrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeImpersonatePrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeCreateGlobalPrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeCreateTokenPrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeAssignPrimaryTokenPrivilege	364	Thunderbird Setup 102.7.1.exe
Token: SeLockMemoryPrivilege	364	Thunderbird Setup 102.7.1.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
364	Thunderbird Setup 102.7.1.exe
1756	msiexec.exe
1756	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1568	SimpleMindPro.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 684 wrote to memory of 580	684	msiexec.exe	29
PID 684 wrote to memory of 580	684	msiexec.exe	29
PID 684 wrote to memory of 580	684	msiexec.exe	29
PID 684 wrote to memory of 580	684	msiexec.exe	29
PID 684 wrote to memory of 580	684	msiexec.exe	29
PID 684 wrote to memory of 580	684	msiexec.exe	29
PID 684 wrote to memory of 580	684	msiexec.exe	29
PID 364 wrote to memory of 1756	364	Thunderbird Setup 102.7.1.exe	30
PID 364 wrote to memory of 1756	364	Thunderbird Setup 102.7.1.exe	30
PID 364 wrote to memory of 1756	364	Thunderbird Setup 102.7.1.exe	30
PID 364 wrote to memory of 1756	364	Thunderbird Setup 102.7.1.exe	30
PID 364 wrote to memory of 1756	364	Thunderbird Setup 102.7.1.exe	30
PID 364 wrote to memory of 1756	364	Thunderbird Setup 102.7.1.exe	30
PID 364 wrote to memory of 1756	364	Thunderbird Setup 102.7.1.exe	30
PID 684 wrote to memory of 1484	684	msiexec.exe	31
PID 684 wrote to memory of 1484	684	msiexec.exe	31
PID 684 wrote to memory of 1484	684	msiexec.exe	31
PID 684 wrote to memory of 1484	684	msiexec.exe	31
PID 684 wrote to memory of 1484	684	msiexec.exe	31
PID 684 wrote to memory of 1484	684	msiexec.exe	31
PID 684 wrote to memory of 1484	684	msiexec.exe	31
PID 684 wrote to memory of 1164	684	msiexec.exe	32
PID 684 wrote to memory of 1164	684	msiexec.exe	32
PID 684 wrote to memory of 1164	684	msiexec.exe	32
PID 684 wrote to memory of 1164	684	msiexec.exe	32
PID 684 wrote to memory of 1568	684	msiexec.exe	34
PID 684 wrote to memory of 1568	684	msiexec.exe	34
PID 684 wrote to memory of 1568	684	msiexec.exe	34
PID 684 wrote to memory of 1568	684	msiexec.exe	34
PID 1568 wrote to memory of 1936	1568	SimpleMindPro.exe	36
PID 1568 wrote to memory of 1936	1568	SimpleMindPro.exe	36
PID 1568 wrote to memory of 1936	1568	SimpleMindPro.exe	36
PID 1568 wrote to memory of 1936	1568	SimpleMindPro.exe	36
PID 1568 wrote to memory of 1548	1568	SimpleMindPro.exe	38
PID 1568 wrote to memory of 1548	1568	SimpleMindPro.exe	38
PID 1568 wrote to memory of 1548	1568	SimpleMindPro.exe	38
PID 1568 wrote to memory of 1548	1568	SimpleMindPro.exe	38
PID 1548 wrote to memory of 1804	1548	cmd.exe	40
PID 1548 wrote to memory of 1804	1548	cmd.exe	40
PID 1548 wrote to memory of 1804	1548	cmd.exe	40
PID 1548 wrote to memory of 1804	1548	cmd.exe	40
PID 1568 wrote to memory of 1092	1568	SimpleMindPro.exe	41
PID 1568 wrote to memory of 1092	1568	SimpleMindPro.exe	41
PID 1568 wrote to memory of 1092	1568	SimpleMindPro.exe	41
PID 1568 wrote to memory of 1092	1568	SimpleMindPro.exe	41
PID 1092 wrote to memory of 1352	1092	cmd.exe	43
PID 1092 wrote to memory of 1352	1092	cmd.exe	43
PID 1092 wrote to memory of 1352	1092	cmd.exe	43
PID 1092 wrote to memory of 1352	1092	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\Thunderbird Setup 102.7.1.exe
"C:\Users\Admin\AppData\Local\Temp\Thunderbird Setup 102.7.1.exe"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:364
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\ImageComparerSetup.msi" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\Thunderbird Setup 102.7.1.exe" SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1675454938 " AI_EUIMSI=""
  2⤵
  - Enumerates connected drives
  - Suspicious use of FindShellTrayWindow
  PID:1756

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:684
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 63C049A11724121852C7894DF4BA7D29 C
  2⤵
  - Loads dropped DLL
  PID:580
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4EDFDFF5A3A5A82742329CC30E22D0C0
  2⤵
  - Loads dropped DLL
  PID:1484
- C:\Users\Admin\AppData\Local\Image Comparer\cygwin-console-helper.exe
  "C:\Users\Admin\AppData\Local\Image Comparer\cygwin-console-helper.exe"
  2⤵
  - Executes dropped EXE
  PID:1164
- C:\Users\Admin\AppData\Local\Image Comparer\SimpleMindPro.exe
  "C:\Users\Admin\AppData\Local\Image Comparer\SimpleMindPro.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic os get Caption
    3⤵
    PID:1936
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1548
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      PID:1804
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C "wmic cpu get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1092
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic cpu get name
      4⤵
      PID:1352

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI1A74.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\IC4.exe

Filesize
4.6MB

MD5
d8d26e3ddbd5fce6baa86db95b3eb50e

SHA1
e031f6520763e93c0f87701c76fa5a7f762f1785

SHA256
b6dea190abf293caf049112dfdbd417d89b0b21a50649aee9523ba195c795f77

SHA512
80292189b70ce4d8886aa08284f744895a0a40b60f9f46e54516765c971234cc2f4084206158adbd715fdbd52f032e91c40275ba9233b715548c16f585d9b9c3

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\ImageComparer.url

Filesize
71B

MD5
5176b812f4a779c238cff0b71e1f5bcb

SHA1
2f02c247d4976512171c79a6ad226e09246fce8b

SHA256
af738b8de5576c75d475100e5edd289a0fa18dc1891afbcc31724ffa03b80e35

SHA512
4a7f25fdce7724631dabd1ea6b99869325274cdccdd5e4d396faf9f02d02abe7e0b234e8b8c056596b6c544ae8648a295690e4eef16bf0073d20f44b316bf8b0

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\ImageComparerSetup.msi

Filesize
1.7MB

MD5
54379ffab962eca142349be07af886eb

SHA1
0131c807e80ad87be66d87c481f701c544a31e3d

SHA256
fa270da8225c10c3aa7e6068bb08e1e8408f1c889adcf948192e910ebf567d65

SHA512
f44841915f28aab0e681da6aa79f729769194aed0bc4b267f9fbb61b867f073796b142ccc6a6bd5f2cfe5b1e4b9ed67f523815b5cfc657b97db29b6c938aeaba

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\MobaCompareFiles

Filesize
172B

MD5
77f75c76be8da61c4475116075d887ee

SHA1
24382c18a9f45f75808da21f33d8cc467197c0b5

SHA256
5cdf1c3a66bb32c88cb0441a3477e3d5bb798acdd184df128ef1c563bf13e2c5

SHA512
a971569e1892c992c1738d2846eb3ac39d46d5aabbaa7297ca2c9143a97b5d32882d82a9226f813c7401d5bf99cba41766ace615d6ead6daed3e097acbec6e87

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\MobaCompareFolders

Filesize
174B

MD5
19d720bae0451ee46d291bad9014f228

SHA1
deadfeac1145e71b69383a906df5df1a243bfdf2

SHA256
9c63292853dd0fd440b78ea6d09e5da28d10a30e049176485f5e7401f1274f6c

SHA512
1a59eaafd838c28142f089be0bba65299f3fc451a05dfd1fe19d84d60418ee308900f898b1850e0cac70f1f705612884d2d5d9316b0eed320c1f6d21b76bf3d0

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\MobaGitEditor

Filesize
170B

MD5
0abfcb480f550381151b4d1f0121d093

SHA1
ad8d1efc9f42a4673817777430e97c432ca719ee

SHA256
62440926ef3d659f51b6e5340cfca39a8e633ced17ac0e270403f719ce32755b

SHA512
f9d9e93d34cc3b4e36dcf54a4e8bd380275252a0071ae542dbb89ffc4e265f47f3f85cf45be079ada6102c49cb98d73d60a0aac6f63d12852782a6b3f69118ef

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\MobaListPorts

Filesize
172B

MD5
bc32355ecb78cac7589e9eb70632097c

SHA1
12736d5cc2a47325db4373c78c58bd735894c904

SHA256
52470da1497b8d81fac8ccfaa33fe2762f83020e4e125a1b8339eed63214a788

SHA512
13f3efb3a9e5fafe512131a6b61a2644ee3e5696e65a4865b194af64f159823407d46e86074639c91df28c1c8882724b3eb990133cd81d5c011936ad46a4a411

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\MobaPictureViewer

Filesize
170B

MD5
9c84887743f83c4c201d0598a10d105e

SHA1
f96cc6ef2d19d4871c81e8530d938e1ebec74fcd

SHA256
cead5b35bcbfae27c519d071437b65e04b131def99d8366b523017ec858f6b9f

SHA512
25f706d2f4b4f7dd9db95895cfc83fc07dfb6168f14183082f5569e27bae53982eb7798d803bcb2408ba132891d6ea305c17ee7f325ff1223398457eecdd7832

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\OpenX.exe

Filesize
17KB

MD5
0ccf0586ed2b214ad7f5fb049c7609b6

SHA1
c95b1eb247faf599c79c78fe9384775cf77f843f

SHA256
73859ca04ce7eabba812acabeed3fc9759b3733e09b9aeec1a64994f9d48f34f

SHA512
f7b5a8e1d624580e53c5c64b9da4e401e27c211d60f78638cb5fdfe3f646b461fec7d4805d87f3afc76550e23661a40e6ffebfef63d9b3839ff1bcfca869063a

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\cygiconv-2.dll

Filesize
1008KB

MD5
b4d2897144b10232c8c0b92c8e72fef7

SHA1
bc5b2b8bfe325ee013a919af1628ecb2134e8861

SHA256
55c4032330bd3bd6fff2979f70728696be1790e80602039d944d048f02d4965a

SHA512
8658f09d35a77d97b474394f610ecab7f22a02513d33d505c5cc6fd9a4587ea9dd619d4a93ae8777b5cc73604f81dd52eadb670e3a53dac2daaeff402b83e5bd

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\cygintl-8.dll

Filesize
43KB

MD5
5653b646c4e18627545123bf0a701a8a

SHA1
19e2b911168064fb72718f7f4008bb679dc0eed7

SHA256
f70b02e50b197b1bbafaa618cb5c30f27432c9ee88144b36be09fcd2dddbb4b1

SHA512
19828373b9a3561cf909fd51abf35afe7b1d7a253a3be25777ddbd5a369fa0201990d3e2899e3069afae88dfecde706feb8fc6f7e344c011dc7598c87e0c92d9

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\cygncursesw-10.dll

Filesize
329KB

MD5
c8015d8fc3f70a9b3e0e549fec941ae9

SHA1
f3eb021dd117d03b2f691e4ccc985d47f70fbcb2

SHA256
b18d773ace5bf39b49ebf98815492e73b47b62d517bd77d5d0da02b184bf7295

SHA512
e0c7a5af5b03d0b14dc2709fce60ade0b484c7653790069f21a83a1c478be72a65cbe4f3c56bb8c9c2b40485f477aa44d29d829122352421166595fde4d97488

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\default.xkm

Filesize
10KB

MD5
dc7c38faa9b2ffd642f451957a799997

SHA1
f1841b83b346a682b57a4b8ee066315e976134db

SHA256
5af454af48c65b49998a7d0ebdb051924f819f375b7952dec7e79872553cd033

SHA512
d908598b3744cbbcf184d2a715f5d52b0f2412e563ae7f9ab648953df2c425d72b74463a2c544bc06517d864bc4976bcfa856324ec51d0f26217a12757d51e47

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\dwm_w32.exe

Filesize
37KB

MD5
2c8f2412669cfac26b0981a1415283ff

SHA1
6d52b01efcc8488e00e2847f377523f09fd3324b

SHA256
b66f344a07a86154f9cee83369b566f88c1419b724e0ecb63e3cc0a43169dea3

SHA512
85b891becb9c0dfe616cceca2088a218cbbf3b56a8c10aa6f477e6d3c5d5b25653d79a9c5a70c6aa1d74ec6435310481eafceb65476ceaef7ffb3c3f947cd1da

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\grep.exe

Filesize
161KB

MD5
a81be6c22cf6150a8bdadc2d2168a733

SHA1
1dfc0f0b3c522a3ed4b20c68c162e886cfd05851

SHA256
7c2cc66c6c5d3c98c615a30d0ea9f5dda2119b8d32ecf04312bbd9c51c222b01

SHA512
11ab88d19fa0a2679ed37e23dbd5acdf57eff3ae136ce7bdc4923a961ac8baee6fda0cbf66f80e073307beac735b8356ed35557f22431ebe2017c84f48b0338b

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\jwm.exe

Filesize
215KB

MD5
9130f45bc81e56cf6b7bbd2a002832b1

SHA1
5c8bffa512f14c5fb6f87efdcb76beb3ddc521b6

SHA256
44b68652af00910ec4d4844ea42c1847e35bef66d99c655298c90d690c857071

SHA512
5174d09922a826ad68fbaea75ce14cc90f104d27bad69d847318d1ea63ae25af09b441bdf9174c8ad483891c1a5b40b46c73392aaac19e5d4942aaf92c92ee5b

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\klsbvss6.dll

Filesize
26KB

MD5
f85a5c0689db0eb6dc87164d85e8715c

SHA1
68d3e1856d9f4c15162ccbb344f2b8e8486aed1b

SHA256
2b45d9e7e9da3d024c9891c43dc06c155a8a71a4bdf9b6a0eb522eab2744275b

SHA512
5e3f2af284c06c4743b48075425f12f5e383dc95f8b6c92a57209ea96aac8f51853c0bbb3edf65641b1f1907233453d806b67ec9153aa6d7d30269c0da698917

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\libGL-1.dll

Filesize
871KB

MD5
c91b4b54e4bb19530df6affdd0e42f9b

SHA1
181650510e1115f5339f95255f4f35aef42d3a3f

SHA256
933774ce5e2dccf7d42af6b3392857f5041efad3aab69650d4ad7e20175e5fb4

SHA512
b712afb2a53e8b48789fa12f94e43f17002f6347da2a75ef5bc585b1c7cb0218e808485ca5e7409d62ee28453464ac6e4da4180d68731733f60804afd6ee8eca

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\libICE-6.dll

Filesize
82KB

MD5
26b0e06b44558d5b3349a45671d3862e

SHA1
ef569964ade5c7695fa57e8ed65220bf95adba5b

SHA256
87faa175e52ff55bc85a1e6b7739de6602ac2ab781e9916403bac6661c31bc8f

SHA512
4853a3e4ad68ad381390a0b14e061c57d44c7625fa4b6580c5b5f1258c4ff37705d1c3d9a2ec060af78e4574a15172012eae0fcfeb034acc9ba5172a5c793c2e

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\libSM-6.dll

Filesize
36KB

MD5
cdbdd152bdd9950e3b5d67d279d1a277

SHA1
3ed5a24f96772c89a4b2283a8addb786f293fbfa

SHA256
75d36494f375e28ac07760ac82af48c1d6c1685626bd3cfca23fa6dca3c8bf53

SHA512
f0963e5eab3f2745b1903e653f02d707ed66345ea6b43b89400400b684198128ea5f14a6a22c56995b70d42d60f517855830893b2dedb3712b7f216c4d884d98

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\libX11-6.dll

Filesize
1.2MB

MD5
3cd9af46753f2a618d15157372d0d2bc

SHA1
f2a1781b1a6d33338db4d9725b28f15d8a410903

SHA256
497471497886f18ca16f7facab7d76dc9bfadd69deb9c6e4ea9bdc0869a15628

SHA512
925097106554f6eac698ba933e32fb82c1405c7ccfe284b27f1558e9ab46139506b1e981721aeafaf2e0d595dbdfce3587c4056c6920fdffb0b2f2bdbdcdb38d

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\libX11-xcb-1.dll

Filesize
15KB

MD5
2b781f4138e302cde8e6e488c1899a86

SHA1
b85bc2641fae42a27a159d3bd74f44b3565eb434

SHA256
6a3ebeb389b54015a447b11bcf07348250b530a8ce142bf4e99fe8f1c030caa3

SHA512
00a7cdb52ff396552cdf9f14f30cd2e5c3a0713c69b18ecea9aeb96049cba1eaa47022c23157fb5b175c8b3968e1d85d89f72876ba5cfcd97e77492ce2eb03c1

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\libXau-6.dll

Filesize
20KB

MD5
b6f0655bed934503621fcf94ba449a19

SHA1
f0a5d9eefff5f3bcd2e23b9db748c50cffc1c6e8

SHA256
0da1f856d92d6b95f10ed8c3f629cd15468c906de9352fb4ae629139d1412eed

SHA512
77a10ae1748e5d76288c59933f3f41d4dc7a690b1f2bc9bff0b761f9f2c5331f868dc0259ffe4c4672e1806c33f3f9d0fe0a8b09b10e06333d2590f623c5b284

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\libXdmcp-6.dll

Filesize
28KB

MD5
7d4f4d3bc6ab6c3ea2097a7ecd018728

SHA1
2434fbad089ac85eda43c0b0e911ab437b4dfe63

SHA256
7705851ba047a8154402aca92621b60be0e0e9d9b52b19bf8be540305bd53dba

SHA512
f9b64cbcd7c7c7b4e942c3da74fb280762d038f974fc23d1e0431b15787aefc87464cda121aa8fccf499af46e345dd65aa5fb5cfee1cb45dba6e5dd79b01a1d8

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\libXext-6.dll

Filesize
70KB

MD5
4bf9885dff08be26c5a7aa73a005a26d

SHA1
02c61b20248892127a2d50a0d2cdfff4e7909e8b

SHA256
458f0825f25b10f4fefa6255ea473f3ca8416cc0a10da73326d84077f29293f8

SHA512
4bc488629070d3fe8a2882b1c4996b3741cb22de417c7e3b07724839d62793335d8d3e7c350b80944efcdee1dba1346dd970e9922e1a0620b6fd02a45173c180

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\libXfont-1.dll

Filesize
174KB

MD5
6a47427b646f556621917a93b9dbabb1

SHA1
47ebf94eb7b00e920c00d7b5034388f796237d2b

SHA256
b6553159c0c33efd882fc030add02b2622e9e49f8f0574a1f82d6bca4f60d99c

SHA512
9670a62af9c1c34fef1dc563d8f6a44fdaf276246d8154d626852be2b1b9f4119f0468b0acc7718c88feca48b9dfbd9e9f0d9372dad72c0c0eb63f5ce6119730

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\libXmu-6.dll

Filesize
99KB

MD5
50c2f9cf1077b59843e13e127964c943

SHA1
c0ed8b5baedb92d5c28716b0c85f09a19ce9e81a

SHA256
e1fac42e5ab62c3bca76aa3440394727e1d78367bfa7005722adadfd112855b6

SHA512
1425a1ee9d2bc428ec6668f57c3cb63ddf1df7a1917aceb7c893f875b3a979f63948b2f956a5f7615b3af15a8acf564ebe1fc9b530f0220d5f2233df0d33c0c8

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\libXmuu-1.dll

Filesize
21KB

MD5
fc8788c68b2153c89ec728a06dc8f568

SHA1
dc814169ebf1b22ecefe46854c080c78794fcd7d

SHA256
119b8d57f6aac50c6e2b088e8d732d59e9e3a3b2df609da74ffef7766041b745

SHA512
5bcdcecd23777bec6fc5e21e942a369eea23e67159a05ccf33ce99e98331c3ac676da5c6a8d90f476089ff0d9084f2de808e6ecc59f4ef2099a9712b76c0813c

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\libXt-6.dll

Filesize
337KB

MD5
64f3a85585d05537efe179362fcc3714

SHA1
90e5447076999bb59ca18085e321d3c29a580ba8

SHA256
9e1d34395bd7802ec5b1eb213ea49a6c4da6cdd3f96dce91ea6340f87064746a

SHA512
a9cf5fe559719cc6a26cf4090df2a68129bef0e71f9a48a2755b6c0c082d6238988fba4eadb0711814c9e1cf903a42bd4288badffa4acf8ccdc49eaf8b94c749

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\libdl.dll

Filesize
17KB

MD5
ed925bdab51f49813686b62eb82fb4a4

SHA1
bc7c742b92a5b47089e0b400a8a80bb217e775fe

SHA256
e1646c7778c24407a17881908037a49ecfcb5a980d155212d544302653a3ef62

SHA512
5be99a6b0e2091fe37ff50d5a9c4fa789db27b5ba108801e4d18e99ae584ae1bc91ba3339916dff8a323155815e660f43ca54ffcc7c14c1e3f90600aedb54bd8

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\libfontenc-1.dll

Filesize
31KB

MD5
0886859eb6bc88c13797ae668fa74998

SHA1
d00c0f848174895000d5d1fc40e35cf6f9c56e18

SHA256
cacc9c998d90264e088844ffd7a8a9439de706cdf17d6bbfde14c0609ef96aa7

SHA512
7cfff08756c6fb294d6225e28944590638b43a7131667b1de13a150ad18cf1db155a93e80053d234824dd452b00aa98576be58fd870e04451c2259736680c30c

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\libgcc_s_dw2-1.dll

Filesize
114KB

MD5
d35376c0d447108b2f9d64d4c40014f8

SHA1
c68129e8bf6cdaaa318c5aad8974efbc2b7ce39a

SHA256
c7544e1f9927afdf6e8cd7063020b572e60fe8f00af39227eb831d331df38225

SHA512
c46af0bbd3bca6e12125750a5b1ca4f17f85f84729b1c1c01ee76de3704bcdb090212202cf449458833f8ee92e9a46c8758cbd069747de534e2984dccbe9f24d

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\libglapi-0.dll

Filesize
201KB

MD5
04e73806d86a77ca6bbfe41be8db5494

SHA1
c31346161ee9a9b40e7e2fc826e6c374778af7a7

SHA256
284701380f33a30b25e8eb9822e7f47179238e91d08bd3fb5a117145de7e0d8d

SHA512
452b95557bfcb638daa07ea427cd140830839b6ad950d8e282fabec78ceb7476558ab7996fcb526371c6b143028ebf288c0579f37011b3be5fbb92d68d452042

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\libnativeGLthunk.dll

Filesize
444KB

MD5
0b14d0f9d8e917395ee43ca0a48dad76

SHA1
b719c3e3d327467899f87f14000d0731632d65c2

SHA256
bc8cb90c6d60de04431cf2ba2de1295b66f706ee1ffb915df72e1c2d0a69cc22

SHA512
e15f84138adc5684a79bcfba8d68a96f87a09807dfa60190a0d3bfeb02492f7cbf4ac5ebf78fb7b55fd4e54b28711c7e6347ae2cadb8c185fce50d02bfbc2dc7

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\libwinpthread-1.dll

Filesize
96KB

MD5
c6e473bbed2fa26953bebfdd0b66419f

SHA1
226e16684e02c6331f7ee82d02d058e2c55f8ba5

SHA256
620a7e658af05cc848091b8a639854b9b15700a9061b4a3d078523653133a4af

SHA512
277419eafcec04618304f19b8b5b4aa55e0233fd6118d92a41d51447f210be382aac9098f3476b9d5891ec180c4d3450fa556705e6cd0e6e2b414097860f0e9b

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\libxcb-1.dll

Filesize
134KB

MD5
b36bc72ad8f8856c57e15ab59c8ca8fb

SHA1
f228d1e9136a43aef35f07a7b9b8e48c2375fafa

SHA256
1d3581daa5e60802b7a3382a03b1447a3f69593c6cd09c1fd4f3feda862042d4

SHA512
bfc77f9b6194b57bbd126fd31165fa6f25fc3ab7a7dc1cff17d0638211ec93b30d0383d460ce7669dd7ecbe662255571695b9b69f8f54ce4e66a353a295fb317

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\libxcb-glx-0.dll

Filesize
95KB

MD5
c34c77bf9f0407826f8c143b2ed0091a

SHA1
6763ec1e15b129e0f4cb9ea923716be4dea6084a

SHA256
af28820ebeff29375a3d66dc4044a6c98984a49f9eb0c0f01827c7ba5250e3d1

SHA512
c9082ede99c978a4fc62898ca44dcc4096577b971a4debb319d1ba1c3e739ca41b11669d4a56404e7177a9737467c0d10c3efd09d622190515043c5ca1e8512b

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\libxcb-image-0.dll

Filesize
25KB

MD5
a3718d24f0e6eae9d6121a1219381ae9

SHA1
a3377f64d8fb6162f6280d3d924626c1fc6a2fe7

SHA256
cb220267fb0116b298bab6a09a764420d630c52026f7d750f8ffca4818389327

SHA512
43f9c760be222490d43cbd9589b4afbc64759919993a1957a13a753cfcc9d94059dba0b5400a745c377c7bea1f02f4f8f6f952bee5b7ed33f6a49efaec62e9f6

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\libxcb-shm-0.dll

Filesize
19KB

MD5
557ed85a1d8a3308e552a77a9902e8cf

SHA1
a9acf7a1db500a734e95038b29c0bd90f7af59e7

SHA256
e102c9c5b22ceb60dc516ab4124bea8ec8e808b08eec48ea7ac674d13fca82ef

SHA512
110acfc0b886a1ff77b5452e2f813213630ba2eb4610e06942a59da78e516e05893b049c0d1ddcc077ebabb3a9490cf84fb41f31b62822c9365b60a1b38fd4b8

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\libxcb-util-1.dll

Filesize
23KB

MD5
ee6788d3d3750421e01519a27f86634e

SHA1
48f4c7dc7bd1208f07e4176e78f035d36682d687

SHA256
b5acf358ff97127eac9ef4c664a980b937376b5295ef23d77ee338225de10d60

SHA512
12ef0ac4cf9c8461044317e693bcfabdb4beb34a222b635ba50f6652b5a91b92ff20cb19e916ac60dca3e8314b7d8cec710a1c730374bb8f260b8d94f57c9775

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\mb

Filesize
1.5MB

MD5
fa5b82682c2e99dfb9890b7f995a4537

SHA1
0bfa588ac7dca290d4db3398c4a293a3c1a75469

SHA256
8dcd7c2066a97e29c5c324c7df43be36df255230c3db18c1e46359d1b5db78fa

SHA512
c3416399722b61d0e2b9554f40aa4de29a15efaf131101041bec5c0971c7b512693176c5a8c34dbf58362da239adf66863b7886cee91106f55d83099c997cb9d

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\protocol.txt

Filesize
30KB

MD5
3f8ea5489353f655ca9a948574f02e20

SHA1
60c509bf7a25c82d432a8e83cec2b9e6fc917793

SHA256
9dbb763f6422ca6a8babb4a9e3dc2dcd9a8c65c78a230b7066402d5e8175220f

SHA512
9a8b31fbcffbd0239476e1b157fd8eab8a633b9151e36602476d579b426228fb1a45225595e9f5d35dcb7129dde996db1fffbe156d5d614ab199467f008d1d0a

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\settings.dat

Filesize
4.3MB

MD5
7fc17f5728d62dca41680a16183dc0b1

SHA1
8e3557bec0dedfcf17462bd7dcf2a6010a8e7cc6

SHA256
fb782e317632c62fae4d11f5d02834fe254f2271413f3a99762c24bce282f74c

SHA512
7b068bd5a833b90b4e624d096bf8c22df52fa5c7c336badd3a6c87d3740b641798f9a4f978a1269283a25b021c2ac4946d7465d8276a413411330b1f37c6200f

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\setxkbmap.exe

Filesize
56KB

MD5
7868eda4cb74545d0051ac5a029d9292

SHA1
8a9d9a07323f1e0bab5f63cfb947c0c31e09578e

SHA256
e2c3114c6c4f85bcd59236936e889fb8c937d48ae55971089899d98978f5837f

SHA512
ca3fa71a621e0ec6c13aebbef3153d22b7206d79a19ad078db63649557609ad0f5fd0144e721af689c24ad1d5d771b37e3d4b831707f531e77d8184bfed640e9

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\twm_w32.exe

Filesize
164KB

MD5
2aa156e64daaded05730cc6b1b228f8e

SHA1
0e1eb3fc195c95e8c4eb4447f8126b316aeb8a38

SHA256
7f6195073ae55edeebc13bfc69495c75006fb101ee6b1c53262c89b4fc448c16

SHA512
9cd2c904de7e9b620c6a83b4c4a1aa9ea7d5146bfecc7ebf4158733998daa6bfd56e07b31cbce887b9798e589269cb99adb73de952632e861ecc9cd3911ea569

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\xhost.exe

Filesize
21KB

MD5
6b9b189ccc477a4e3bbd7da3bdb26e00

SHA1
c0ab24eadde8be5dd3afa6a2c6aa8ef9af271aab

SHA256
a434d78d4559da2f198f9a7f19c3cd58619b8e34ed7f615eea757582b436d84f

SHA512
6c8b8f38b8ad050322555e7864946fbd4b7da9ee0406e0e9b9c9c790d0e9a0f4142c26d1bf660d607be166d472acb578ed7f0c5f1ddae810d413b82d8c13854f

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\xkbcomp_w32.exe

Filesize
291KB

MD5
b2b22157777ed19c9f1369e2d45c1510

SHA1
e516b6baa035f3b852799a88ebbfba3848b12e60

SHA256
0693cfa59aa1f79b1d401af22d6dd33c1ad64297165345fef6fea663b94e91f5

SHA512
2b8d558808ad839deab960d435d13f240182e16fc8d79292e10e81d5733ee1a5cb7ac7952d43a42ca85ba412ec0eea0c8b8a576726208b6b836bc00964327f75

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\xlsatoms.exe

Filesize
19KB

MD5
c653d84722a3fb5174e0022f2e604aa3

SHA1
61364e691811fd65ae072d263e4af1f287df429e

SHA256
5f85bf253584876c20f6f062e20e56d2707fad41ecb91218779fd0ad4e65fdee

SHA512
deadfe9a012250888c23113f79e10b4d97bddbfa1ca74dd7eb29aa79d634f686f7399b2cd3036707ecd947c73c6d96ca29273f1e19a0878e2644cc18bac564af

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\xlsclients.exe

Filesize
22KB

MD5
df978c7b239a219e157133885a3a308d

SHA1
f4ff6380fcfc4aac6d1ab478ce74bd2f816c850d

SHA256
cb7373abf3469e8ca6bd0ba21c5e01fb6a4bc6d71547d26ee264d98f0177d9d4

SHA512
6d1a9c1606ae59645582c9bb9862e71296823a3374b86640a1e9a1cc94d369391aa3452bbdaedbb24bf8770e969224946156d46ab88800aa0a8a2b5b3cd70590

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\xlsfonts.exe

Filesize
26KB

MD5
18b1ca55ff3515ef28c7faa1c0b528d9

SHA1
8cec74f9b405c51b5eb9ba073369a6b513840f24

SHA256
a7469445b67e94cb3e9a4b95daa169056b5f8165b9fc93430b2759063c2c41a8

SHA512
2ed5a973069f14c764e8bb7772f853163b86967aaa4bf23a967fb388f8a657a833e06f1c854ea5d920bfa4175f5a2021e18ee2c9f237cacf07f5d6b6c21d931a

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\xmodmap.exe

Filesize
38KB

MD5
d624505e5c14e463aa13dec7c72fa6df

SHA1
59100a98247566d73706cc82bd61eea875639467

SHA256
d82d728366df0109846395d8f95ea0a88133aea0e69590980beaca443baa6819

SHA512
75d2292f76b679106a18253f916a9395c35a555565cc553cb71c057e7e30493c2224e5d8622cd68c4389d6a093bf65469b9f16a47da9f5c12118648eeea9603e

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\xprop.exe

Filesize
40KB

MD5
2369d500678f5db204c11f067f25d14f

SHA1
c326c0b9fc6cc5779aea6fd3b30274e4ef67eb9d

SHA256
c81169dbd40d3ff3886aacd9a28834b629cf31d5e6ea72aea5c566dabba4a34d

SHA512
1bcad73a493ccef45024079521bfc0630feba8a83d964deb3168280cce57e733c39933f14c25488e7ead439c192e53ee0abc89fb54ceefdc99e26a2a659d82a7

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\xrdb.exe

Filesize
32KB

MD5
681650d2d6b54441df9b8618348c0696

SHA1
7bf695541f47c808827d92dc562826a748972035

SHA256
977d1bf4ef969b98ff0a5ce7e18cc9007238056c24ca7a58d17acce75211d5c1

SHA512
e1f4207bc937aee546f86318eb5c558f642e4a3e4729b3664e0b45c5d0cddd8e79402a598efe62191b0d2e0a3ec1a52f94539e0bc28375fc3575308d618e0945

Download Submit
C:\Users\Admin\AppData\Roaming\Bolide Software\Image Comparer 4.1.0.0\install\852DE46\zlib1.dll

Filesize
90KB

MD5
7e507af32ca219d2f832cf8d90ca805b

SHA1
4eb56c6f4184efc5a6bb5c7cab46547cfa769744

SHA256
3668c6749db59a6cbc5293d0a4f904f76d6fb5048704449dd53894916f408a57

SHA512
d19c6a0a0798db42490631aa9e30da4200e0b687250daa5ec8bcfe68ae2589a523adeacb6c77544488ddc7610fa84be7477a92c2a27605537a0caec2449c87f1

Download Submit
C:\Windows\Installer\MSI1E6A.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
C:\Windows\Installer\MSI1FE2.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
C:\Windows\Installer\MSI206F.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
C:\Windows\Installer\MSI236C.tmp

Filesize
703KB

MD5
ae585caebd7faece019342026b304129

SHA1
8c512e6db9b0c9547fc0a6d3f3d1216e373d924e

SHA256
92dd2c1f1d19e1d96411d8afc81c29696d76abe6469a2d75200dd82a8fc164b4

SHA512
dbafd2b28356139f886ed7af3813bf7ee1e95709549b8bdbb3c52e17a213694af45096f369668e674a3295a1ba6ce3232dc8c213b29f24442a3c9e68e0d87313

Download Submit
\Users\Admin\AppData\Local\Temp\MSI1A74.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
\Windows\Installer\MSI1E6A.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
\Windows\Installer\MSI1FE2.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
\Windows\Installer\MSI206F.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
\Windows\Installer\MSI236C.tmp

Filesize
703KB

MD5
ae585caebd7faece019342026b304129

SHA1
8c512e6db9b0c9547fc0a6d3f3d1216e373d924e

SHA256
92dd2c1f1d19e1d96411d8afc81c29696d76abe6469a2d75200dd82a8fc164b4

SHA512
dbafd2b28356139f886ed7af3813bf7ee1e95709549b8bdbb3c52e17a213694af45096f369668e674a3295a1ba6ce3232dc8c213b29f24442a3c9e68e0d87313

Download Submit
memory/364-54-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download
memory/364-55-0x0000000073CB1000-0x0000000073CB3000-memory.dmp

Filesize
8KB

Download
memory/684-56-0x000007FEFB941000-0x000007FEFB943000-memory.dmp

Filesize
8KB

Download
memory/1568-131-0x0000000000230000-0x0000000000268000-memory.dmp

Filesize
224KB

Download
memory/1568-144-0x0000000000400000-0x00000000011FB000-memory.dmp

Filesize
14.0MB

Download
memory/1568-133-0x0000000002F20000-0x0000000002F80000-memory.dmp

Filesize
384KB

Download
memory/1568-134-0x00000000043D0000-0x00000000043D7000-memory.dmp

Filesize
28KB

Download
memory/1568-135-0x0000000006D20000-0x0000000006DDC000-memory.dmp

Filesize
752KB

Download
memory/1568-139-0x0000000007930000-0x0000000008220000-memory.dmp

Filesize
8.9MB

Download
memory/1568-140-0x0000000009760000-0x0000000009BD6000-memory.dmp

Filesize
4.5MB

Download
memory/1568-147-0x0000000009760000-0x0000000009BD6000-memory.dmp

Filesize
4.5MB

Download
memory/1568-129-0x0000000000400000-0x00000000011FB000-memory.dmp

Filesize
14.0MB

Download
memory/1568-132-0x0000000000270000-0x0000000000365000-memory.dmp

Filesize
980KB

Download