Analysis

  • max time kernel
    74s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
  • submitted
    11-03-2024 14:19

General

  • Target

    file.exe

  • Size

    4.1MB

  • MD5

    723ae6ee64497f45e3eb194dc928489c

  • SHA1

    9e6e4e5816ee069e0d18bcb132d176df9949d165

  • SHA256

    c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067

  • SHA512

    488accf660b9541f37bf6fc38ad479347a985be42bb765ea3fce0005f28f5ee42b3fa356a077df2836b07a2344d567a9f3b79289129b3a2ba80cc1241ebb180c

  • SSDEEP

    49152:36glmRKCncrCQV+8bjrajELExlb0zuFHQLNJYZI06m94H:nOOLSx9+UY

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.145

Attributes
  • url_path

    /3cd2b41cbde8fc9c.php

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

C2

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32
rc4.i32

Extracted

Family

djvu

C2

http://sajdfue.com/test1/get.php

Attributes
  • extension

    .wisz

  • offline_id

    4p0Nzrg1q0ND5of5Gtp2UBjthSXuE8VxnMrd4vt1

  • payload_url

    http://sdfjhuz.com/dl/build2.exe

    http://sajdfue.com/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/a832401adcd58098c699f768ffea4f1720240305114308/7e601a Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0853PsawqS

rsa_pubkey.plain

Signatures

  • DcRat 9 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Detect ZGRat V1 2 IoCs
  • Detected Djvu ransomware 3 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba payload 10 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Stealc

    Stealc is an infostealer written in C++.

  • ZGRat

    ZGRat is remote access trojan written in C#.

  • Downloads MZ/PE file
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Drops startup file 5 IoCs
  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 5 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • NSIS installer 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3080
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
      2⤵
      • DcRat
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1428
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
      2⤵
      • DcRat
      • Drops startup file
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2392
      • C:\Users\Admin\Pictures\pdlfWc1qvU3mR8y8YECekgzX.exe
        "C:\Users\Admin\Pictures\pdlfWc1qvU3mR8y8YECekgzX.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3612
        • C:\Users\Admin\AppData\Local\Temp\is-GJCT3.tmp\pdlfWc1qvU3mR8y8YECekgzX.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-GJCT3.tmp\pdlfWc1qvU3mR8y8YECekgzX.tmp" /SL5="$80090,1518993,56832,C:\Users\Admin\Pictures\pdlfWc1qvU3mR8y8YECekgzX.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:1988
          • C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe
            "C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe" -i
            5⤵
            • Executes dropped EXE
            PID:736
          • C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe
            "C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe" -s
            5⤵
            • Executes dropped EXE
            PID:5016
      • C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe
        "C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4024
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4732
        • C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe
          "C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe"
          4⤵
          • Executes dropped EXE
          • Checks for VirtualBox DLLs, possible anti-VM trick
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:5324
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            5⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious use of AdjustPrivilegeToken
            PID:5584
          • C:\Windows\system32\cmd.exe
            C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:5812
            • C:\Windows\system32\netsh.exe
              netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
              6⤵
              • Modifies Windows Firewall
              PID:3960
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            5⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious use of AdjustPrivilegeToken
            PID:1300
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            5⤵
            • Modifies data under HKEY_USERS
            • Suspicious use of AdjustPrivilegeToken
            PID:5328
          • C:\Windows\rss\csrss.exe
            C:\Windows\rss\csrss.exe
            5⤵
              PID:1692
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -nologo -noprofile
                6⤵
                  PID:5672
                • C:\Windows\SYSTEM32\schtasks.exe
                  schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                  6⤵
                  • DcRat
                  • Creates scheduled task(s)
                  PID:5696
                • C:\Windows\SYSTEM32\schtasks.exe
                  schtasks /delete /tn ScheduledUpdate /f
                  6⤵
                    PID:5668
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    powershell -nologo -noprofile
                    6⤵
                      PID:5376
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      powershell -nologo -noprofile
                      6⤵
                        PID:1192
                      • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                        6⤵
                          PID:6116
                        • C:\Windows\SYSTEM32\schtasks.exe
                          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                          6⤵
                          • DcRat
                          • Creates scheduled task(s)
                          PID:5576
                        • C:\Windows\windefender.exe
                          "C:\Windows\windefender.exe"
                          6⤵
                            PID:968
                            • C:\Windows\SysWOW64\cmd.exe
                              cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                              7⤵
                                PID:5884
                                • C:\Windows\SysWOW64\sc.exe
                                  sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                                  8⤵
                                  • Launches sc.exe
                                  PID:5672
                      • C:\Users\Admin\Pictures\j1QBZ2MSXVaisVyrSyNaaKIZ.exe
                        "C:\Users\Admin\Pictures\j1QBZ2MSXVaisVyrSyNaaKIZ.exe"
                        3⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Suspicious use of WriteProcessMemory
                        PID:4088
                        • C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
                          C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
                          4⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Checks processor information in registry
                          • Suspicious behavior: EnumeratesProcesses
                          PID:4468
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 2372
                            5⤵
                            • Program crash
                            PID:5972
                        • C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
                          C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
                          4⤵
                          • Executes dropped EXE
                          • Suspicious use of SetWindowsHookEx
                          • Suspicious use of WriteProcessMemory
                          PID:692
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
                            5⤵
                            • Suspicious use of WriteProcessMemory
                            PID:5592
                            • C:\Windows\SysWOW64\chcp.com
                              chcp 1251
                              6⤵
                                PID:5684
                              • C:\Windows\SysWOW64\schtasks.exe
                                schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
                                6⤵
                                • DcRat
                                • Creates scheduled task(s)
                                PID:5708
                        • C:\Users\Admin\Pictures\aWmYJWP6LEVkakquUiWDAwDX.exe
                          "C:\Users\Admin\Pictures\aWmYJWP6LEVkakquUiWDAwDX.exe"
                          3⤵
                          • Executes dropped EXE
                          • Checks SCSI registry key(s)
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious behavior: MapViewOfSection
                          PID:3148
                        • C:\Users\Admin\Pictures\S9bpWUSHmYnccwU6BrdZHNx5.exe
                          "C:\Users\Admin\Pictures\S9bpWUSHmYnccwU6BrdZHNx5.exe" --silent --allusers=0
                          3⤵
                            PID:5888
                            • C:\Users\Admin\Pictures\S9bpWUSHmYnccwU6BrdZHNx5.exe
                              C:\Users\Admin\Pictures\S9bpWUSHmYnccwU6BrdZHNx5.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2f0,0x2f4,0x2f8,0x2cc,0x2fc,0x6e4121c8,0x6e4121d4,0x6e4121e0
                              4⤵
                                PID:5268
                              • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\S9bpWUSHmYnccwU6BrdZHNx5.exe
                                "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\S9bpWUSHmYnccwU6BrdZHNx5.exe" --version
                                4⤵
                                  PID:1476
                                • C:\Users\Admin\Pictures\S9bpWUSHmYnccwU6BrdZHNx5.exe
                                  "C:\Users\Admin\Pictures\S9bpWUSHmYnccwU6BrdZHNx5.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=5888 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240311142110" --session-guid=e13e9559-45cb-4e14-84b3-b5fd697c8c06 --server-tracking-blob=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 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=9C05000000000000
                                  4⤵
                                    PID:1672
                                    • C:\Users\Admin\Pictures\S9bpWUSHmYnccwU6BrdZHNx5.exe
                                      C:\Users\Admin\Pictures\S9bpWUSHmYnccwU6BrdZHNx5.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2fc,0x300,0x304,0x2cc,0x308,0x6d9021c8,0x6d9021d4,0x6d9021e0
                                      5⤵
                                        PID:5376
                                    • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111421101\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
                                      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111421101\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
                                      4⤵
                                        PID:6132
                                      • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111421101\assistant\assistant_installer.exe
                                        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111421101\assistant\assistant_installer.exe" --version
                                        4⤵
                                          PID:4544
                                          • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111421101\assistant\assistant_installer.exe
                                            "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111421101\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0xc50040,0xc5004c,0xc50058
                                            5⤵
                                              PID:6120
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4080 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:3
                                      1⤵
                                        PID:5416
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4072 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
                                        1⤵
                                          PID:5892
                                        • C:\Windows\system32\cmd.exe
                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CA7F.bat" "
                                          1⤵
                                          • Suspicious use of WriteProcessMemory
                                          PID:968
                                          • C:\Windows\system32\reg.exe
                                            reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
                                            2⤵
                                              PID:5448
                                          • C:\Users\Admin\AppData\Local\Temp\1593.exe
                                            C:\Users\Admin\AppData\Local\Temp\1593.exe
                                            1⤵
                                              PID:5008
                                              • C:\Users\Admin\AppData\Local\Temp\1593.exe
                                                C:\Users\Admin\AppData\Local\Temp\1593.exe
                                                2⤵
                                                  PID:552
                                                  • C:\Windows\SysWOW64\icacls.exe
                                                    icacls "C:\Users\Admin\AppData\Local\b252c0fd-10e5-4d1b-8086-868448a9ca5f" /deny *S-1-1-0:(OI)(CI)(DE,DC)
                                                    3⤵
                                                    • Modifies file permissions
                                                    PID:1716
                                                  • C:\Users\Admin\AppData\Local\Temp\1593.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\1593.exe" --Admin IsNotAutoStart IsNotTask
                                                    3⤵
                                                      PID:1884
                                                      • C:\Users\Admin\AppData\Local\Temp\1593.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\1593.exe" --Admin IsNotAutoStart IsNotTask
                                                        4⤵
                                                          PID:776
                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 776 -s 568
                                                            5⤵
                                                            • Program crash
                                                            PID:5248
                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4468 -ip 4468
                                                    1⤵
                                                      PID:1044
                                                    • C:\Users\Admin\AppData\Local\Temp\38AC.exe
                                                      C:\Users\Admin\AppData\Local\Temp\38AC.exe
                                                      1⤵
                                                        PID:5256
                                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                          2⤵
                                                            PID:5300
                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 776 -ip 776
                                                          1⤵
                                                            PID:4080
                                                          • C:\Windows\windefender.exe
                                                            C:\Windows\windefender.exe
                                                            1⤵
                                                              PID:4156

Network

MITRE ATT&CK Enterprise v15

Downloads

                                                            • C:\ProgramData\Are.docx

                                                              Filesize

                                                              11KB

                                                            • C:\ProgramData\DirectSoundDriver 2.36.198.67\DirectSoundDriver 2.36.198.67.exe

                                                              Filesize

                                                              960KB

                                                            • C:\ProgramData\mozglue.dll

                                                              Filesize

                                                              593KB

                                                            • C:\ProgramData\nss3.dll

                                                              Filesize

                                                              2.0MB

                                                            • C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe

                                                              Filesize

                                                              1.7MB

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\9b7eef56-73eb-4b37-8132-86faba443da9.tmp

                                                              Filesize

                                                              2B

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

                                                              Filesize

                                                              40B

                                                            • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\S9bpWUSHmYnccwU6BrdZHNx5.exe

                                                              Filesize

                                                              895KB

                                                            • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111421101\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe

                                                              Filesize

                                                              2.5MB

                                                            • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111421101\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe

                                                              Filesize

                                                              2.1MB

                                                            • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111421101\assistant\assistant_installer.exe

                                                              Filesize

                                                              1.1MB

                                                            • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111421101\assistant\dbgcore.DLL

                                                              Filesize

                                                              82KB

                                                            • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111421101\assistant\dbgcore.dll

                                                              Filesize

                                                              64KB

                                                            • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111421101\assistant\dbghelp.dll

                                                              Filesize

                                                              768KB

                                                            • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111421101\assistant\dbghelp.dll

                                                              Filesize

                                                              832KB

                                                            • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111421101\opera_package

                                                              Filesize

                                                              2.4MB

                                                            • C:\Users\Admin\AppData\Local\Temp\1593.exe

                                                              Filesize

                                                              627KB

                                                            • C:\Users\Admin\AppData\Local\Temp\1593.exe

                                                              Filesize

                                                              782KB

                                                            • C:\Users\Admin\AppData\Local\Temp\38AC.exe

                                                              Filesize

                                                              530KB

                                                            • C:\Users\Admin\AppData\Local\Temp\38AC.exe

                                                              Filesize

                                                              512KB

                                                            • C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

                                                              Filesize

                                                              1.7MB

                                                            • C:\Users\Admin\AppData\Local\Temp\CA7F.bat

                                                              Filesize

                                                              77B

                                                            • C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403111421098545888.dll

                                                              Filesize

                                                              1.8MB

                                                            • C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403111421100265268.dll

                                                              Filesize

                                                              1.3MB

                                                            • C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403111421103541476.dll

                                                              Filesize

                                                              826KB

                                                            • C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403111421103541476.dll

                                                              Filesize

                                                              635KB

                                                            • C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403111421108001672.dll

                                                              Filesize

                                                              694KB

                                                            • C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403111421113465376.dll

                                                              Filesize

                                                              149KB

                                                            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ns1ilfts.tob.ps1

                                                              Filesize

                                                              60B

                                                            • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

                                                              Filesize

                                                              281KB

                                                            • C:\Users\Admin\AppData\Local\Temp\is-09FPA.tmp\_isetup\_iscrypt.dll

                                                              Filesize

                                                              2KB

                                                            • C:\Users\Admin\AppData\Local\Temp\is-GJCT3.tmp\pdlfWc1qvU3mR8y8YECekgzX.tmp

                                                              Filesize

                                                              690KB

                                                            • C:\Users\Admin\AppData\Local\Temp\nsl53F9.tmp\INetC.dll

                                                              Filesize

                                                              21KB

                                                            • C:\Users\Admin\AppData\Local\Temp\syncUpd.exe

                                                              Filesize

                                                              283KB

                                                            • C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

                                                              Filesize

                                                              40B

                                                            • C:\Users\Admin\AppData\Roaming\Temp\Task.bat

                                                              Filesize

                                                              128B

                                                            • C:\Users\Admin\Pictures\BOc48RVTxeqcTLguN4DB85xV.exe

                                                              Filesize

                                                              7KB

                                                            • C:\Users\Admin\Pictures\S9bpWUSHmYnccwU6BrdZHNx5.exe

                                                              Filesize

                                                              1.4MB

                                                            • C:\Users\Admin\Pictures\S9bpWUSHmYnccwU6BrdZHNx5.exe

                                                              Filesize

                                                              741KB

                                                            • C:\Users\Admin\Pictures\S9bpWUSHmYnccwU6BrdZHNx5.exe

                                                              Filesize

                                                              1.2MB

                                                            • C:\Users\Admin\Pictures\S9bpWUSHmYnccwU6BrdZHNx5.exe

                                                              Filesize

                                                              707KB

                                                            • C:\Users\Admin\Pictures\S9bpWUSHmYnccwU6BrdZHNx5.exe

                                                              Filesize

                                                              346KB

                                                            • C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe

                                                              Filesize

                                                              3.1MB

                                                            • C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe

                                                              Filesize

                                                              2.2MB

                                                            • C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe

                                                              Filesize

                                                              1.6MB

                                                            • C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe

                                                              Filesize

                                                              1.4MB

                                                            • C:\Users\Admin\Pictures\aWmYJWP6LEVkakquUiWDAwDX.exe

                                                              Filesize

                                                              284KB

                                                            • C:\Users\Admin\Pictures\j1QBZ2MSXVaisVyrSyNaaKIZ.exe

                                                              Filesize

                                                              2.1MB

                                                            • C:\Users\Admin\Pictures\pdlfWc1qvU3mR8y8YECekgzX.exe

                                                              Filesize

                                                              1.8MB

                                                            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

                                                              Filesize

                                                              2KB

                                                            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                                                              Filesize

                                                              19KB

                                                            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                                                              Filesize

                                                              19KB

                                                            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                                                              Filesize

                                                              19KB

                                                            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                                                              Filesize

                                                              19KB

                                                            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                                                              Filesize

                                                              19KB

                                                            • C:\Windows\rss\csrss.exe

                                                              Filesize

                                                              260KB

                                                            • C:\Windows\rss\csrss.exe

                                                              Filesize

                                                              3.0MB

                                                            • C:\Windows\windefender.exe

                                                              Filesize

                                                              1.0MB

                                                            • C:\Windows\windefender.exe

                                                              Filesize

                                                              2.0MB


                                                            • memory/4024-279-0x0000000000400000-0x0000000001E16000-memory.dmp

                                                              Filesize

                                                              26.1MB

                                                            • memory/4024-63-0x0000000003E80000-0x000000000476B000-memory.dmp

                                                              Filesize

                                                              8.9MB

                                                            • memory/4024-62-0x0000000003A80000-0x0000000003E79000-memory.dmp

                                                              Filesize

                                                              4.0MB

                                                            • memory/4024-158-0x0000000003A80000-0x0000000003E79000-memory.dmp

                                                              Filesize

                                                              4.0MB

                                                            • memory/4024-160-0x0000000003E80000-0x000000000476B000-memory.dmp

                                                              Filesize

                                                              8.9MB

                                                            • memory/4024-297-0x0000000000400000-0x0000000001E16000-memory.dmp

                                                              Filesize

                                                              26.1MB

                                                            • memory/4024-161-0x0000000000400000-0x0000000001E16000-memory.dmp

                                                              Filesize

                                                              26.1MB

                                                            • memory/4088-154-0x0000000000400000-0x000000000043D000-memory.dmp

                                                              Filesize

                                                              244KB

                                                            • memory/4468-166-0x0000000061E00000-0x0000000061EF3000-memory.dmp

                                                              Filesize

                                                              972KB

                                                            • memory/4468-250-0x0000000000400000-0x0000000001A34000-memory.dmp

                                                              Filesize

                                                              22.2MB

                                                            • memory/4468-129-0x0000000001D50000-0x0000000001E50000-memory.dmp

                                                              Filesize

                                                              1024KB

                                                            • memory/4468-130-0x0000000001CA0000-0x0000000001CC7000-memory.dmp

                                                              Filesize

                                                              156KB

                                                            • memory/4468-134-0x0000000000400000-0x0000000001A34000-memory.dmp

                                                              Filesize

                                                              22.2MB

                                                            • memory/4468-306-0x0000000000400000-0x0000000001A34000-memory.dmp

                                                              Filesize

                                                              22.2MB

                                                            • memory/4468-210-0x0000000000400000-0x0000000001A34000-memory.dmp

                                                              Filesize

                                                              22.2MB

                                                            • memory/4468-244-0x0000000001D50000-0x0000000001E50000-memory.dmp

                                                              Filesize

                                                              1024KB

                                                            • memory/4468-449-0x0000000000400000-0x0000000001A34000-memory.dmp

                                                              Filesize

                                                              22.2MB

                                                            • memory/4732-219-0x0000000004E30000-0x0000000004E96000-memory.dmp

                                                              Filesize

                                                              408KB

                                                            • memory/4732-294-0x0000000074870000-0x0000000075020000-memory.dmp

                                                              Filesize

                                                              7.7MB

                                                            • memory/4732-275-0x00000000075B0000-0x00000000075BA000-memory.dmp

                                                              Filesize

                                                              40KB

                                                            • memory/4732-249-0x00000000072B0000-0x00000000072CA000-memory.dmp

                                                              Filesize

                                                              104KB

                                                            • memory/4732-248-0x0000000007910000-0x0000000007F8A000-memory.dmp

                                                              Filesize

                                                              6.5MB

                                                            • memory/4732-247-0x0000000007190000-0x0000000007206000-memory.dmp

                                                              Filesize

                                                              472KB

                                                            • memory/4732-276-0x0000000007670000-0x0000000007706000-memory.dmp

                                                              Filesize

                                                              600KB

                                                            • memory/4732-246-0x0000000002940000-0x0000000002950000-memory.dmp

                                                              Filesize

                                                              64KB

                                                            • memory/4732-245-0x00000000063C0000-0x0000000006404000-memory.dmp

                                                              Filesize

                                                              272KB

                                                            • memory/4732-277-0x00000000075D0000-0x00000000075E1000-memory.dmp

                                                              Filesize

                                                              68KB

                                                            • memory/4732-260-0x000000007F8F0000-0x000000007F900000-memory.dmp

                                                              Filesize

                                                              64KB

                                                            • memory/4732-273-0x0000000007460000-0x000000000747E000-memory.dmp

                                                              Filesize

                                                              120KB

                                                            • memory/4732-236-0x0000000005F90000-0x0000000005FDC000-memory.dmp

                                                              Filesize

                                                              304KB

                                                            • memory/4732-285-0x0000000007610000-0x000000000761E000-memory.dmp

                                                              Filesize

                                                              56KB

                                                            • memory/4732-235-0x0000000005EE0000-0x0000000005EFE000-memory.dmp

                                                              Filesize

                                                              120KB

                                                            • memory/4732-286-0x0000000007620000-0x0000000007634000-memory.dmp

                                                              Filesize

                                                              80KB

                                                            • memory/4732-233-0x0000000005970000-0x0000000005CC4000-memory.dmp

                                                              Filesize

                                                              3.3MB

                                                            • memory/4732-220-0x0000000004FA0000-0x0000000005006000-memory.dmp

                                                              Filesize

                                                              408KB

                                                            • memory/4732-287-0x0000000007710000-0x000000000772A000-memory.dmp

                                                              Filesize

                                                              104KB

                                                            • memory/4732-218-0x0000000004D90000-0x0000000004DB2000-memory.dmp

                                                              Filesize

                                                              136KB

                                                            • memory/4732-288-0x0000000007660000-0x0000000007668000-memory.dmp

                                                              Filesize

                                                              32KB

                                                            • memory/4732-180-0x0000000005010000-0x0000000005638000-memory.dmp

                                                              Filesize

                                                              6.2MB

                                                            • memory/4732-176-0x0000000002940000-0x0000000002950000-memory.dmp

                                                              Filesize

                                                              64KB

                                                            • memory/4732-175-0x0000000002940000-0x0000000002950000-memory.dmp

                                                              Filesize

                                                              64KB

                                                            • memory/4732-172-0x0000000074870000-0x0000000075020000-memory.dmp

                                                              Filesize

                                                              7.7MB

                                                            • memory/4732-261-0x0000000007480000-0x00000000074B2000-memory.dmp

                                                              Filesize

                                                              200KB

                                                            • memory/4732-165-0x0000000002870000-0x00000000028A6000-memory.dmp

                                                              Filesize

                                                              216KB

                                                            • memory/4732-263-0x000000006E230000-0x000000006E584000-memory.dmp

                                                              Filesize

                                                              3.3MB

                                                            • memory/4732-274-0x00000000074C0000-0x0000000007563000-memory.dmp

                                                              Filesize

                                                              652KB

                                                            • memory/4732-262-0x000000006F0D0000-0x000000006F11C000-memory.dmp

                                                              Filesize

                                                              304KB

                                                            • memory/4732-295-0x0000000074870000-0x0000000075020000-memory.dmp

                                                              Filesize

                                                              7.7MB

                                                            • memory/5016-258-0x0000000000400000-0x00000000005BB000-memory.dmp

                                                              Filesize

                                                              1.7MB

                                                            • memory/5016-352-0x0000000000400000-0x00000000005BB000-memory.dmp

                                                              Filesize

                                                              1.7MB

                                                            • memory/5016-257-0x0000000000400000-0x00000000005BB000-memory.dmp

                                                              Filesize

                                                              1.7MB

                                                            • memory/5016-141-0x0000000000400000-0x00000000005BB000-memory.dmp

                                                              Filesize

                                                              1.7MB

                                                            • memory/5016-234-0x0000000000400000-0x00000000005BB000-memory.dmp

                                                              Filesize

                                                              1.7MB

                                                            • memory/5016-460-0x0000000000400000-0x00000000005BB000-memory.dmp

                                                              Filesize

                                                              1.7MB

                                                            • memory/5016-251-0x0000000000400000-0x00000000005BB000-memory.dmp

                                                              Filesize

                                                              1.7MB

                                                            • memory/5016-309-0x0000000000400000-0x00000000005BB000-memory.dmp

                                                              Filesize

                                                              1.7MB

                                                            • memory/5324-347-0x0000000000400000-0x0000000001E16000-memory.dmp

                                                              Filesize

                                                              26.1MB

                                                            • memory/5324-457-0x0000000000400000-0x0000000001E16000-memory.dmp

                                                              Filesize

                                                              26.1MB

                                                            • memory/5324-308-0x0000000000400000-0x0000000001E16000-memory.dmp

                                                              Filesize

                                                              26.1MB

                                                            • memory/5324-433-0x0000000000400000-0x0000000001E16000-memory.dmp

                                                              Filesize

                                                              26.1MB

                                                            • memory/5324-307-0x0000000003AE0000-0x0000000003EE6000-memory.dmp

                                                              Filesize

                                                              4.0MB