Overview

overview

10

Static

static

10

tmp.exe

windows7-x64

4

tmp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-03-2024 01:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    413KB

  • MD5

    d467222c3bd563cb72fa49302f80b079

  • SHA1

    9335e2a36abb8309d8a2075faf78d66b968b2a91

  • SHA256

    fedb08b3ec7034a15e9dee7ed4dec1a854fb78e74285e1ee05c90f9e9e4f8b3e

  • SHA512

    484b6c427e28193ddb73dd7062e2bfbd132ddc72ce4811bfe08784669de30e4b92bc27140373f62a4ce651401000a3c505188620c43da410bf6b0799a0791fa7

  • SSDEEP

    6144:0UorLrzMYSnDyTtDOYtf3J7+YZIPcrPJruPWeX2/e1Cw+GOpumhauZef6P5rwmx:0vcYZD17DMPWev1Cb3umhauZef6a

Score
10/10
amadeygluptebadiscoverydropperevasionloaderpersistencerootkitspywarestealerthemidatrojanupx

Malware Config

Extracted

Family

amadey

Version

4.17

C2

http://193.233.132.167

Attributes
  • install_dir

    4d0ab15804

  • install_file

    chrosha.exe

  • strings_key

    1a9519d7b465e1f4880fa09a6162d768

  • url_paths

    /enigma/index.php

rc4.plain

Extracted

Family

amadey

Version

4.17

C2

http://193.233.132.167

Attributes
  • strings_key

    1a9519d7b465e1f4880fa09a6162d768

  • url_paths

    /enigma/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 23 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Modifies Windows Firewall 2 TTPs 3 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 21 IoCs
  • Loads dropped DLL 12 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 11 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • UPX packed file 16 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 4 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 17 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 3 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 9 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Drops file in Windows directory
    PID:3452
  • C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
    C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:4836
    • C:\Users\Admin\AppData\Local\Temp\1000091001\un300un.exe
      "C:\Users\Admin\AppData\Local\Temp\1000091001\un300un.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:948
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
        3⤵
        • Drops startup file
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2924
        • C:\Users\Admin\Pictures\jbTaxnCCbJNjXa55WvOgVQPK.exe
          "C:\Users\Admin\Pictures\jbTaxnCCbJNjXa55WvOgVQPK.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:592
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2472
          • C:\Users\Admin\Pictures\jbTaxnCCbJNjXa55WvOgVQPK.exe
            "C:\Users\Admin\Pictures\jbTaxnCCbJNjXa55WvOgVQPK.exe"
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Checks for VirtualBox DLLs, possible anti-VM trick
            • Drops file in Windows directory
            PID:4432
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -nologo -noprofile
              6⤵
              • Drops file in System32 directory
              • Modifies data under HKEY_USERS
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:5992
            • C:\Windows\system32\cmd.exe
              C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
              6⤵
                PID:2284
                • C:\Windows\system32\netsh.exe
                  netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                  7⤵
                  • Modifies Windows Firewall
                  PID:4916
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -nologo -noprofile
                6⤵
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious use of AdjustPrivilegeToken
                PID:3276
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -nologo -noprofile
                6⤵
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious use of AdjustPrivilegeToken
                PID:5924
          • C:\Users\Admin\Pictures\xizhpn716a7N0zUyHhvLvKfQ.exe
            "C:\Users\Admin\Pictures\xizhpn716a7N0zUyHhvLvKfQ.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3476
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -nologo -noprofile
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:920
            • C:\Users\Admin\Pictures\xizhpn716a7N0zUyHhvLvKfQ.exe
              "C:\Users\Admin\Pictures\xizhpn716a7N0zUyHhvLvKfQ.exe"
              5⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Checks for VirtualBox DLLs, possible anti-VM trick
              • Drops file in Windows directory
              • Modifies data under HKEY_USERS
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:5700
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -nologo -noprofile
                6⤵
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:5996
              • C:\Windows\system32\cmd.exe
                C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
                6⤵
                  PID:4080
                  • C:\Windows\system32\netsh.exe
                    netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                    7⤵
                    • Modifies Windows Firewall
                    PID:4424
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -nologo -noprofile
                  6⤵
                  • Drops file in System32 directory
                  • Modifies data under HKEY_USERS
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4776
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -nologo -noprofile
                  6⤵
                  • Drops file in System32 directory
                  • Modifies data under HKEY_USERS
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4764
                • C:\Windows\rss\csrss.exe
                  C:\Windows\rss\csrss.exe
                  6⤵
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • Manipulates WinMonFS driver.
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5684
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    powershell -nologo -noprofile
                    7⤵
                    • Drops file in System32 directory
                    • Modifies data under HKEY_USERS
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4296
                  • C:\Windows\SYSTEM32\schtasks.exe
                    schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                    7⤵
                    • Creates scheduled task(s)
                    PID:5664
                  • C:\Windows\SYSTEM32\schtasks.exe
                    schtasks /delete /tn ScheduledUpdate /f
                    7⤵
                      PID:5516
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      powershell -nologo -noprofile
                      7⤵
                      • Drops file in System32 directory
                      • Modifies data under HKEY_USERS
                      • Suspicious use of AdjustPrivilegeToken
                      PID:5616
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      powershell -nologo -noprofile
                      7⤵
                      • Drops file in System32 directory
                      • Modifies data under HKEY_USERS
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1900
                    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                      7⤵
                      • Executes dropped EXE
                      PID:2748
                    • C:\Windows\SYSTEM32\schtasks.exe
                      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                      7⤵
                      • Creates scheduled task(s)
                      PID:5388
                    • C:\Windows\windefender.exe
                      "C:\Windows\windefender.exe"
                      7⤵
                      • Executes dropped EXE
                      PID:6016
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                        8⤵
                          PID:2284
                          • C:\Windows\SysWOW64\sc.exe
                            sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                            9⤵
                            • Launches sc.exe
                            • Suspicious use of AdjustPrivilegeToken
                            PID:5836
                • C:\Users\Admin\Pictures\3N9gUwxxysc7AYeKDBsNTOp3.exe
                  "C:\Users\Admin\Pictures\3N9gUwxxysc7AYeKDBsNTOp3.exe"
                  4⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2912
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    powershell -nologo -noprofile
                    5⤵
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1788
                  • C:\Users\Admin\Pictures\3N9gUwxxysc7AYeKDBsNTOp3.exe
                    "C:\Users\Admin\Pictures\3N9gUwxxysc7AYeKDBsNTOp3.exe"
                    5⤵
                    • Executes dropped EXE
                    • Adds Run key to start application
                    • Checks for VirtualBox DLLs, possible anti-VM trick
                    • Drops file in Windows directory
                    • Modifies data under HKEY_USERS
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of WriteProcessMemory
                    PID:4364
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      powershell -nologo -noprofile
                      6⤵
                      • Drops file in System32 directory
                      • Modifies data under HKEY_USERS
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:6008
                    • C:\Windows\system32\cmd.exe
                      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
                      6⤵
                        PID:4800
                        • C:\Windows\system32\netsh.exe
                          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                          7⤵
                          • Modifies Windows Firewall
                          PID:5060
                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        powershell -nologo -noprofile
                        6⤵
                        • Drops file in System32 directory
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:5320
                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        powershell -nologo -noprofile
                        6⤵
                        • Drops file in System32 directory
                        • Modifies data under HKEY_USERS
                        • Suspicious use of AdjustPrivilegeToken
                        PID:5168
                  • C:\Users\Admin\Pictures\scbwpeDE3KZUYtxcUeZUV0NJ.exe
                    "C:\Users\Admin\Pictures\scbwpeDE3KZUYtxcUeZUV0NJ.exe" --silent --allusers=0
                    4⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Enumerates connected drives
                    • Modifies system certificate store
                    • Suspicious use of WriteProcessMemory
                    PID:3984
                    • C:\Users\Admin\Pictures\scbwpeDE3KZUYtxcUeZUV0NJ.exe
                      C:\Users\Admin\Pictures\scbwpeDE3KZUYtxcUeZUV0NJ.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.40 --initial-client-data=0x2e0,0x2e4,0x2e8,0x2bc,0x2ec,0x6fdc21f8,0x6fdc2204,0x6fdc2210
                      5⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      PID:1480
                    • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\scbwpeDE3KZUYtxcUeZUV0NJ.exe
                      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\scbwpeDE3KZUYtxcUeZUV0NJ.exe" --version
                      5⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      PID:4800
                    • C:\Users\Admin\Pictures\scbwpeDE3KZUYtxcUeZUV0NJ.exe
                      "C:\Users\Admin\Pictures\scbwpeDE3KZUYtxcUeZUV0NJ.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=3984 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240326012909" --session-guid=92242c2a-ed5f-4157-b360-481320ce9188 --server-tracking-blob=YzU1YmQzZTliOWU3ZjBlNDg3YTIyZjY1YjA2MzdkZDc1YzBhZTIzYzNlNmYyZjYwYmNiMWFmNzllODFmYzgxNzp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcxMTQxNjU0Ny4xNjE0IiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiJkMTBiOTkyNS0zMjZjLTRmMjEtOTdkMi1iNTY2OTE4MDg3NTQifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=DC04000000000000
                      5⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Enumerates connected drives
                      • Suspicious use of WriteProcessMemory
                      PID:3240
                      • C:\Users\Admin\Pictures\scbwpeDE3KZUYtxcUeZUV0NJ.exe
                        C:\Users\Admin\Pictures\scbwpeDE3KZUYtxcUeZUV0NJ.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.40 --initial-client-data=0x2ec,0x2f0,0x2f4,0x2bc,0x2f8,0x6f1421f8,0x6f142204,0x6f142210
                        6⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        PID:4648
                    • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403260129091\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
                      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403260129091\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
                      5⤵
                      • Executes dropped EXE
                      PID:5400
                    • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403260129091\assistant\assistant_installer.exe
                      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403260129091\assistant\assistant_installer.exe" --version
                      5⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      PID:5712
                      • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403260129091\assistant\assistant_installer.exe
                        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403260129091\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x710040,0x71004c,0x710058
                        6⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        PID:1664
                  • C:\Users\Admin\Pictures\eVQiQV7zHN9vRjKSniIFHd4B.exe
                    "C:\Users\Admin\Pictures\eVQiQV7zHN9vRjKSniIFHd4B.exe"
                    4⤵
                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    • Checks BIOS information in registry
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Drops file in System32 directory
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    PID:60
              • C:\Windows\SysWOW64\rundll32.exe
                "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
                2⤵
                • Loads dropped DLL
                • Suspicious use of WriteProcessMemory
                PID:5368
                • C:\Windows\system32\rundll32.exe
                  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
                  3⤵
                  • Blocklisted process makes network request
                  • Loads dropped DLL
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of WriteProcessMemory
                  PID:5428
                  • C:\Windows\system32\netsh.exe
                    netsh wlan show profiles
                    4⤵
                      PID:5504
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\660967641992_Desktop.zip' -CompressionLevel Optimal
                      4⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:6000
                • C:\Windows\SysWOW64\rundll32.exe
                  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
                  2⤵
                  • Blocklisted process makes network request
                  • Loads dropped DLL
                  PID:2584
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
                1⤵
                  PID:3588
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
                  1⤵
                    PID:3500
                  • C:\Windows\windefender.exe
                    C:\Windows\windefender.exe
                    1⤵
                    • Executes dropped EXE
                    • Modifies data under HKEY_USERS
                    PID:6060

                  Network

                  MITRE ATT&CK Enterprise v15

                  Reconnaissance

                  Resource Development

                  Initial Access

                  Execution

                  Scheduled Task/Job

                  1
                  T1053

                  Persistence

                  Boot or Logon Autostart Execution

                  1
                  T1547

                  Registry Run Keys / Startup Folder

                  1
                  T1547.001

                  Create or Modify System Process

                  1
                  T1543

                  Windows Service

                  1
                  T1543.003

                  Scheduled Task/Job

                  1
                  T1053

                  Privilege Escalation

                  Boot or Logon Autostart Execution

                  1
                  T1547

                  Registry Run Keys / Startup Folder

                  1
                  T1547.001

                  Create or Modify System Process

                  1
                  T1543

                  Windows Service

                  1
                  T1543.003

                  Scheduled Task/Job

                  1
                  T1053

                  Defense Evasion

                  Impair Defenses

                  1
                  T1562

                  Disable or Modify System Firewall

                  1
                  T1562.004

                  Modify Registry

                  2
                  T1112

                  Subvert Trust Controls

                  1
                  T1553

                  Install Root Certificate

                  1
                  T1553.004

                  Virtualization/Sandbox Evasion

                  1
                  T1497

                  Credential Access

                  Unsecured Credentials

                  3
                  T1552

                  Credentials In Files

                  2
                  T1552.001

                  Credentials in Registry

                  1
                  T1552.002

                  Discovery

                  Peripheral Device Discovery

                  1
                  T1120

                  Query Registry

                  6
                  T1012

                  System Information Discovery

                  6
                  T1082

                  Virtualization/Sandbox Evasion

                  1
                  T1497

                  Lateral Movement

                  Collection

                  Data from Local System

                  3
                  T1005

                  Command and Control

                  Web Service

                  1
                  T1102

                  Exfiltration

                  Impact

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                    Filesize

                    2KB

                    MD5

                    3d086a433708053f9bf9523e1d87a4e8

                    SHA1

                    b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

                    SHA256

                    6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

                    SHA512

                    931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                    Filesize

                    19KB

                    MD5

                    95e523caac223aac8420d006025dbc14

                    SHA1

                    3428cb1a4796d5720e67f1d70b56a20b29c1b7ec

                    SHA256

                    7cea2599974d6e840f5ca176f90001dbe7e4f64e47a7dc2dae515b4b470e2bba

                    SHA512

                    c8a3aee8e8f6b8cb51a4a5ff8d6ae8424b34d2ad8b57340f28c14f63f1bc24e03643a23255c4bf78df9e1e3475e5ffebafb4726b50ce4b88e2461b29badd80ad

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403260129091\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
                    Filesize

                    2.5MB

                    MD5

                    20d293b9bf23403179ca48086ba88867

                    SHA1

                    dedf311108f607a387d486d812514a2defbd1b9e

                    SHA256

                    fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348

                    SHA512

                    5d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403260129091\assistant\assistant_installer.exe
                    Filesize

                    1.9MB

                    MD5

                    b3f05009b53af6435e86cfd939717e82

                    SHA1

                    770877e7c5f03e8d684984fe430bdfcc2cf41b26

                    SHA256

                    3ea8d40fcede1fc03e5603246d75d13e8d44d7229d4c390c39a55534053027f7

                    SHA512

                    d2dee80aaa79b19f1eb1db85079a05f621780e06bfea9e838b62d757ba29399f9090ec7c6ff553377c9b712f3ba8dd812cdff39f3e28829928e86746a8ac6b27

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403260129091\assistant\dbgcore.DLL
                    Filesize

                    166KB

                    MD5

                    8b6f64e5d3a608b434079e50a1277913

                    SHA1

                    03f431fabf1c99a48b449099455c1575893d9f32

                    SHA256

                    926d444ffca166e006920412677c4ed2ef159cf0efc0578cb45b824f428f5eb2

                    SHA512

                    c9aeac62ece564ac64a894300fb9d41d13f22951ead73421854c23c506760d984dff0af92bef2d80f3a66e782f0075832e9c24a50ae6110d27a25c14e065b41c

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403260129091\assistant\dbghelp.dll
                    Filesize

                    1.7MB

                    MD5

                    925ea07f594d3fce3f73ede370d92ef7

                    SHA1

                    f67ea921368c288a9d3728158c3f80213d89d7c2

                    SHA256

                    6d02ebd4ec9a6093f21cd8ccefb9445fa0ab7b1f69ac868a5cfc5d28ed8d2de9

                    SHA512

                    a809851da820d9fdd8fb860a8f549311dcc2579df2c6f6fba74f50d5d8bf94baa834b09fb5476ac248f18d1deb6b47d4fdd6d658889d5d45ca8774a9264483d2

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403260129091\opera_package
                    Filesize

                    8.1MB

                    MD5

                    407f9d4f7a6112f056a8bb7198dbc521

                    SHA1

                    edec58ebe573724325139a25322678a029f4a71f

                    SHA256

                    fd3f43ac261a25eb2cc6231998a2d1227ba59011be2cfa5e3d0b3269eb38554a

                    SHA512

                    8d42470e9044d009d1d99ef3448a2c6246d091af6f47295bc362e8261177cf311e30c6f2a811d2fff856c107710bae22cab6950d7472c16aeebb004689a1054c

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\scbwpeDE3KZUYtxcUeZUV0NJ.exe
                    Filesize

                    960KB

                    MD5

                    b0b3efa48df9e27c04fbbc1671f21ded

                    SHA1

                    c70cc984b46e3dcc219f581d9f261537b8fc3dd0

                    SHA256

                    6428a93acf31b4015c242cefbc93d71a8920c11fa90798145736762460a3ea2a

                    SHA512

                    c827d07e7d7a12a456abb4cfaac93b56404a0fb93e79f63180be731717c9f3b2baf36a098ec608d3ca8629cdd75485deb058626b11e84049055bfdb84096adc5

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\1000091001\un300un.exe
                    Filesize

                    4.1MB

                    MD5

                    8803d74d52bcda67e9b889bd6cc5823e

                    SHA1

                    884a1fa1ae3d53bc435d34f912c0068e789a8b25

                    SHA256

                    627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3

                    SHA512

                    c190ca373875789477a755f6246565bc7cb5744f1d5f62037e71d3595c1023f587f34a2437d9691ad96cde789026b7c2896110935e58cc2f1498cfea5d0d9564

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
                    Filesize

                    413KB

                    MD5

                    d467222c3bd563cb72fa49302f80b079

                    SHA1

                    9335e2a36abb8309d8a2075faf78d66b968b2a91

                    SHA256

                    fedb08b3ec7034a15e9dee7ed4dec1a854fb78e74285e1ee05c90f9e9e4f8b3e

                    SHA512

                    484b6c427e28193ddb73dd7062e2bfbd132ddc72ce4811bfe08784669de30e4b92bc27140373f62a4ce651401000a3c505188620c43da410bf6b0799a0791fa7

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403260129095013984.dll
                    Filesize

                    1.3MB

                    MD5

                    5b7750160c2fd0381a655cde5f69c124

                    SHA1

                    93c373652aaf69155622a515a29f89095d539e45

                    SHA256

                    6642a85184eec3fdb0f9ab26b5b58ef453d6a612f20938b10125dea83326de7c

                    SHA512

                    41615c4eca3c8ebf948036fdd7ce352a84cde04816987832f9d36831af97b02ac933ab5bf21074670bfc0a9ef9fa91de0ae06ce84fd5a223a6797561bcca9545

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403260129096241480.dll
                    Filesize

                    969KB

                    MD5

                    2d0d87231cb35b21c6cb173bf374be88

                    SHA1

                    c7029f19867172baab9118c24b8036aa16f718f0

                    SHA256

                    444a27d475285af141ada3cec2572e7c09b149e47998b2a8342f2306bc7c97da

                    SHA512

                    33aa607e8635433f5eb3e68bcb1558f2be083d0facdcbc500fc38c319c5518782345a7ced71a84565466225ada6dce63c0e34c364a00937bffa45457a3ccdb11

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403260129098054800.dll
                    Filesize

                    980KB

                    MD5

                    766a1567762332c8e23c4b8e74699ff4

                    SHA1

                    40e4d676e7a82a0efd8a231b3f9375d8a4eb1325

                    SHA256

                    a2aa6427f15a1db06a27d7ccf210416e4a4d1eb56fdea560cf88dfd180dc47e3

                    SHA512

                    4aa784dd5f56c7ae2444b72295b956a0c9e1f4e28ef3aa72b567a2c6330fcfc31022a61e21a32611fad450531db4eed5248afa2239156f5fe8768e05c2b9614d

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403260129098054800.dll
                    Filesize

                    865KB

                    MD5

                    2e4fe8984b1d1fd3b500be1bd1704721

                    SHA1

                    201b57ae48307d9e7c7ae5a15e3208b2dc7dbfd5

                    SHA256

                    955f197ed3f1d06df6d5439680132900f6d964d613521982e9da5abf1cbe30f4

                    SHA512

                    e48227131175e585c55c9664cce9990a5d145d1152d72541527a6f650ee6426d7e04d5c70972b3f7165f2cef0c6c297ea06b234ace53678c3ec86dce2c6c1459

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403260129099993240.dll
                    Filesize

                    912KB

                    MD5

                    e62e4bf1326d4660a4ef76e0973f58fb

                    SHA1

                    3b945a6b93fe793345a5e8860e1c1e587832f97a

                    SHA256

                    8a20ddb665e8592a683d1c028a9d87ef87f712a3cb38659e0a59b582efaeb769

                    SHA512

                    8469ba1173f3e99ecd5825a0ba413cd85cd12194c8ba60b78f426eb559f46512a3ab7636916acf025a1c313bcb02652eb331bf4e8dbf9991f3f6ecc4811683c2

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403260129100624648.dll
                    Filesize

                    640KB

                    MD5

                    d3edf5bfea32dd835282ef83bd2e79c9

                    SHA1

                    7f18ab500f5d846eceb47fd47d12010d1b74d84d

                    SHA256

                    6d9eb448f00b0764b7f383bafb72198b5dc7f4b34e690ff18a07052f4b714637

                    SHA512

                    e261222841709e3a5b63ad248a9f67e7e82ccc754493e8d2ddf1b8ab4f36d84b98d1cf8ac3d706c620cebdecf5576dc237a121b34f5adc6824abe1a0c79c2f0f

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wmhye4ic.r5x.ps1
                    Filesize

                    60B

                    MD5

                    d17fe0a3f47be24a6453e9ef58c94641

                    SHA1

                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                    SHA256

                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                    SHA512

                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                    Filesize

                    281KB

                    MD5

                    d98e33b66343e7c96158444127a117f6

                    SHA1

                    bb716c5509a2bf345c6c1152f6e3e1452d39d50d

                    SHA256

                    5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

                    SHA512

                    705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
                    Filesize

                    40B

                    MD5

                    d201b8aee0ffb9d9049bc551abc46d64

                    SHA1

                    133b078d61d079f8d8ae57b6789b49dedb883c90

                    SHA256

                    ae3fdba7f1a41d435f46791af76f8c720b17d13ce3c44a8c395daf5f87148d81

                    SHA512

                    8d31231e7d4ab10dd686c5b870f26485348863739f58bdf3b5cd2807109d0fef1030c250d4a11d794c1a57a0a00cbfc1691f0d12e2cb45f16b2a88cce105834f

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll
                    Filesize

                    109KB

                    MD5

                    154c3f1334dd435f562672f2664fea6b

                    SHA1

                    51dd25e2ba98b8546de163b8f26e2972a90c2c79

                    SHA256

                    5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f

                    SHA512

                    1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll
                    Filesize

                    1.2MB

                    MD5

                    f35b671fda2603ec30ace10946f11a90

                    SHA1

                    059ad6b06559d4db581b1879e709f32f80850872

                    SHA256

                    83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7

                    SHA512

                    b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll
                    Filesize

                    1.0MB

                    MD5

                    b0977410c4aebed9c773892b952b512f

                    SHA1

                    dbb2c2234c0ac3dbf9a6a83791750d7d9b640e29

                    SHA256

                    e8570b1ea127178b358a7de0d6ecedf89eaa8f8698392bd27161e4cc671da362

                    SHA512

                    829d583b72080077dc311ada553890484904056321311d566b055f950950dbe95110c5efeb1031466305edb9cfcfc11d986a2e75a535fd420d670030157bf00f

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll
                    Filesize

                    994KB

                    MD5

                    a317ff918eb4339af25002952b367f7a

                    SHA1

                    e9734b1abf485a990f3ce753682f213bcf7c36f7

                    SHA256

                    a81c471017effba5f932cb65c609e29aafcfb73aca47acc775a4f88d55c7cdb0

                    SHA512

                    3ea62fcba5a07b21beeda8f6dea447d35dd3c034abee2bdfa1b3df740d012cf8ef0eafb05e10be50bc38c87f74855ee68ae0aa054ef6bda60537d4b6c309a637

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll
                    Filesize

                    1.2MB

                    MD5

                    6f05b6e9be788120933b83f9ff72f046

                    SHA1

                    34b8ad78ecae26322cb67c9a06b58018a250640a

                    SHA256

                    cf08f06de9a442491c48f3c158556f106f11942ace061195b9b0c936288749ec

                    SHA512

                    9c78666e95a66b8d1e1c1efb6c17257801169f4015e5ea73df0e65d7271872918f0b673f4a51528e3186d0d56f753576d59ac4560dd70701280d271678639c4f

                    Download Submit

                  • C:\Users\Admin\Pictures\3N9gUwxxysc7AYeKDBsNTOp3.exe
                    Filesize

                    1.6MB

                    MD5

                    5c7a49ab917745dcd77eb9ab1b6d5c71

                    SHA1

                    7810b368471b1d8baf4df7207e7f996533258508

                    SHA256

                    e0565478f501d8028fa601399f5d598a136747d1d645483bf2c974087593457a

                    SHA512

                    df2f0dc30bc34f7218c7e9fa42004d3e9e7ceefb0a7c09454773a5f222c7f345de854583d1e1c0fe4ebd696d83e4efbc077a8a28a791e0f85a31316a4fa4b37c

                    Download Submit

                  • C:\Users\Admin\Pictures\3N9gUwxxysc7AYeKDBsNTOp3.exe
                    Filesize

                    1.4MB

                    MD5

                    c205b8026ea20e76151ab617b7504921

                    SHA1

                    95dc96e68af7c8ff9f2689d2d3328d8ba9e4fd31

                    SHA256

                    c9084c6b48175fbc19b1a7e2bf1a197296d9f3013efec593e2bff68097fc9290

                    SHA512

                    73b67f83bd66b4a8c8368621edd3736281b835ff77380eee403e2b8ab92715722b385dffc1d11ce4c7279f3d5fec417b5645494fe51d4d0066a6a223acf219cc

                    Download Submit

                  • C:\Users\Admin\Pictures\3N9gUwxxysc7AYeKDBsNTOp3.exe
                    Filesize

                    1.3MB

                    MD5

                    dee8eb90b51bdf00af484072ad743c62

                    SHA1

                    23f40281f1502cfdfddea8e8a0631e641c37e8a8

                    SHA256

                    34694302c8a726be524070d70af78be6e0894e8ca8e0600a854e4bc371b9e527

                    SHA512

                    a86b79ac22e689f4b249feb5dc0a4a7c4d9badf2e0988c6af0846ab52a90b5cd7989325d9d3e4bfb77280e5cdf2ee1f3dc426743ff03f7c2cae11f64b50b554e

                    Download Submit

                  • C:\Users\Admin\Pictures\3N9gUwxxysc7AYeKDBsNTOp3.exe
                    Filesize

                    1.2MB

                    MD5

                    7c358ffa5eec3685abb86214b3eaefbc

                    SHA1

                    b7871f8e62b0fa7e026f9bf0e7fc27826ea44d35

                    SHA256

                    2da66febbd915a1bf7c0763d199d51dd6f9c030c1983a641ac6b4465a7b3b45a

                    SHA512

                    eb81cbf37158a790eee44c8c9c8624a78698669304bdd08e810c987d92eafc4b17a2ad7dbc43d1db50884dbb09b91680a6c1e1a9c5bd23c0504ba083e66baeb9

                    Download Submit

                  • C:\Users\Admin\Pictures\928bRb1JmS4sUtGXt1c5xOjO.exe
                    Filesize

                    7KB

                    MD5

                    5b423612b36cde7f2745455c5dd82577

                    SHA1

                    0187c7c80743b44e9e0c193e993294e3b969cc3d

                    SHA256

                    e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09

                    SHA512

                    c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

                    Download Submit

                  • C:\Users\Admin\Pictures\eVQiQV7zHN9vRjKSniIFHd4B.exe
                    Filesize

                    492KB

                    MD5

                    553b5636aabaffff3589612862e1e110

                    SHA1

                    3b2f837cf09fe1c685050bfeea3c6ab92e2748a8

                    SHA256

                    bfedc6e4052e841a0da52618d371beb06d29d370d3a9de5c41ff5cac545ad6a9

                    SHA512

                    13ff05e65937f104fdc77d44fb22b9a195d2faf227a65dcbe735d9201da9187d714edd084d21ff8167a01e889768d6e2688bc923a122af57f2c00ec093c93d3f

                    Download Submit

                  • C:\Users\Admin\Pictures\eVQiQV7zHN9vRjKSniIFHd4B.exe
                    Filesize

                    495KB

                    MD5

                    fb61d88e515be87617b3cca551ec6103

                    SHA1

                    f1e7c28f9e632498af122b868e554fddd49ae5a1

                    SHA256

                    b084ecef366211753006a93069d98a0ec36c2f3447966aa4bfd0af1abd207f37

                    SHA512

                    c040ae036180373ade687cddda08676f080ebb33b830399e9a704a7d50316c4fdea192ebaa6ee86a7bdafecf60004da938e86c8e2b2b5651948453296b580654

                    Download Submit

                  • C:\Users\Admin\Pictures\jbTaxnCCbJNjXa55WvOgVQPK.exe
                    Filesize

                    4.2MB

                    MD5

                    16ba0152d22360d4e1c2b782cde6dc52

                    SHA1

                    26a0cbce35fbd6ed02ff8d59e59656ecfd799da1

                    SHA256

                    28048e60571fa0ae2c5703a500f9b83d7427c376a6d44b13bf2d13df26c6a9e5

                    SHA512

                    7b3fb5c0065ae788a86f5ae439f6ad1f6bbb38b1f9039077f73fed84d57282bf331118a88eed5750c44a781a7ff231d2297e333d22b8e03353987513d0bb56e5

                    Download Submit

                  • C:\Users\Admin\Pictures\jbTaxnCCbJNjXa55WvOgVQPK.exe
                    Filesize

                    3.9MB

                    MD5

                    7db27ef22b49b8bab99285cd9447c700

                    SHA1

                    1be93278e97954d8634d77c04b752d3c521b59ac

                    SHA256

                    279920c847e2abb523eb7a51979b48b5007e818f4b24e8d64da2649717a868f9

                    SHA512

                    f89688bbc7ef95fdf3e556d64dca93371000bffe8e54205c43ae3f1de504735e7358326cc43b6039ad2836f6a8a7855f54c771f049e0a709a289d94d6bd1c66e

                    Download Submit

                  • C:\Users\Admin\Pictures\scbwpeDE3KZUYtxcUeZUV0NJ.exe
                    Filesize

                    1024KB

                    MD5

                    e5b17b4bfb9ac31189176e4f0965a626

                    SHA1

                    f9ded3ec7297625c343e1ec05dbe2a554076f193

                    SHA256

                    176f88a7023bcd2c146a6187c14854bd57f8cd13637ad97cb39f5f6d0c8b8a6b

                    SHA512

                    6e74344a5b816ac119a6988d148e1701effd29dde9705109976f42d559b867bd8d77096f50cc7eadb59aa656bf4b25440f2c3fcc6da54dba04146b411c1ce4c3

                    Download Submit

                  • C:\Users\Admin\Pictures\scbwpeDE3KZUYtxcUeZUV0NJ.exe
                    Filesize

                    740KB

                    MD5

                    3eca91b2667fbf2e9350e4d35e7237b2

                    SHA1

                    12be2e5913109dc714b825dd37a374be34a4d43b

                    SHA256

                    61bdd4bda3fe7b93a29967d736f28e62bd995f5bd73e3e587c49ce9544bbe43a

                    SHA512

                    f2f04f9188833ae1c3898bc08a56f9ab786bb1a0b043ba4f93c6ab68f33922bf47a358d40fb292f5cd9db54561d6e08b52f04b294d8ebb422d6251a172b49075

                    Download Submit

                  • C:\Users\Admin\Pictures\scbwpeDE3KZUYtxcUeZUV0NJ.exe
                    Filesize

                    453KB

                    MD5

                    a8cd93fb0f394bf64944e8a39dc83599

                    SHA1

                    8a4b241e3fd9bd11ba3595281071dee46b2cdcc0

                    SHA256

                    970aa2bde6d138aaafe3d88090c24270a1251ae3c09ff843dc1e17cbd0cfe131

                    SHA512

                    58fb245feff9fc35d79b6126e3b9969f5edc76f84dfa92b599f0404049425cd4083aa8d34f204965487c28cac2199f0e89678f619e00f3d57949b3b56ef51538

                    Download Submit

                  • C:\Users\Admin\Pictures\scbwpeDE3KZUYtxcUeZUV0NJ.exe
                    Filesize

                    1.5MB

                    MD5

                    4ea6fa7640a56bd0d60752973db8e570

                    SHA1

                    0fe8f6b54933928aea3ddb464bd941bf7c6d7897

                    SHA256

                    a88caaf2fef9a27fdcf544f5d2d67878be90a44302846d36c1fbb0239b88c1a0

                    SHA512

                    b52de46d170c2d854df073071ee5291bd2eb8eb6f1e24dea529a68cfa55df304584718de0c2e47f961ab3de4e58f3f0aa40efcd4f5650d3adab90a8cf9601eb7

                    Download Submit

                  • C:\Users\Admin\Pictures\scbwpeDE3KZUYtxcUeZUV0NJ.exe
                    Filesize

                    2.2MB

                    MD5

                    0059606018fbabe4f419e9f8de405052

                    SHA1

                    de065854167171fb7bce13545cea2b55ba39bbe8

                    SHA256

                    2954d6d8803cdd198d28a8b120926f8af0feece16aec32e26f50658e471d3adb

                    SHA512

                    8f11b3d17b6c502adb4b6a03a955d54289394fd73016782a76d39805b75c13c018835de459df35c3a99393422ec4ec643787b1b1192f35b7592ff5445a2bb185

                    Download Submit

                  • C:\Users\Admin\Pictures\scbwpeDE3KZUYtxcUeZUV0NJ.exe
                    Filesize

                    1.2MB

                    MD5

                    bc6089c5d8d5758596df7bbfd85a4275

                    SHA1

                    52939c774425f55c659a040d119d19c328270be5

                    SHA256

                    fd8f64dd5a53a97eb21eca39c3068db0c8ee2c72a61696bb45f48ff870827b82

                    SHA512

                    29293d1a22bf4d95dc4fa910f979cc9d43e44a71af31be8073bf53d2c938e3b461aca6f9498a53a46fe6645322d0ed789651aba6a7685a85f44556f3fbddc3b4

                    Download Submit

                  • C:\Users\Admin\Pictures\xizhpn716a7N0zUyHhvLvKfQ.exe
                    Filesize

                    1.2MB

                    MD5

                    f40198d55c9b6975ca69d55880731d53

                    SHA1

                    f1fb87242191c30e998af41815cabdb90b6bb055

                    SHA256

                    d549f4ee639de44d4295e2c6aec22185bc622b57ab2f7de1a9b5a0517da3eedf

                    SHA512

                    55501159a6df40a6d6a530ae58144a03465be1577de2363dd288147b6ffaea843f62c139acb703c8c9a002aa3a18bdc01447c94afc07e4ecbf8ca6a7b53a564d

                    Download Submit

                  • C:\Users\Admin\Pictures\xizhpn716a7N0zUyHhvLvKfQ.exe
                    Filesize

                    2.3MB

                    MD5

                    0c77b2322dc46452aab82b72755fb83d

                    SHA1

                    675cfa35dee3117e63d5f3eb7c0fd732ccc0e29e

                    SHA256

                    41d9e0419e5233880417a0ed556cc1c7956dd212112ca9a54aa45278806c10f4

                    SHA512

                    97745386a30e1f40e38976b907cc850aab6044bdd6e99361a769294bacb9804298399e71ca32600c628fdd4fedb8d092b7736ab20998078da79f8a981d6f0217

                    Download Submit

                  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                    Filesize

                    19KB

                    MD5

                    255b49b4a1e6d098679f40284dab170c

                    SHA1

                    1200b25858d07c98026cd51fa1b06007cbe2d9dd

                    SHA256

                    5f673d7a1a72554c114a4239d207166f0e673bc9a498964c897c0ea80d381b17

                    SHA512

                    7e4b23e9d63a98f1061009aef2df521b6e3380bcf0a7ff53e042a38df34b707031fdca7b7df007a752b1c6885576f07d33c6091e52a9d229df246e3375ad529c

                    Download Submit

                  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                    Filesize

                    19KB

                    MD5

                    9e614a2d3ddf8a7001bfbe8dbeecacb1

                    SHA1

                    64fc7db1a777d6921ba8c54b24255945affb0b1a

                    SHA256

                    7afb174aafd0f7cdeb1de3444585ccd6170fc36075bf1d4ce9aa5c9b33f8cf5e

                    SHA512

                    10308cb3b4d67dba399816f095e078de67308a3645ad741795643aaf05a1ea08e83dd08697f063e59077c42c9f236357f8ba0efaa2802f443f3d63674ba14a88

                    Download Submit

                  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                    Filesize

                    19KB

                    MD5

                    92973bb42d168b7cd86c8fefdf9a2c2e

                    SHA1

                    f5bc2a95de12893af3cbaad35548f623af2e7e8e

                    SHA256

                    adf68667884b6cb33fde70bd9e52a705ac59176ba2ffbc3d33214dba66dd8931

                    SHA512

                    e4c6d736926cfb43a18264a56224c14342d7a52babf930a1df13ce710cee0b20210850f0b4fca0ab0d9894e223951ebbaad5232157f35a0994a8248e0ff87637

                    Download Submit

                  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                    Filesize

                    19KB

                    MD5

                    c9333eecddb685bf635eba4da80da705

                    SHA1

                    ad7c7bf1b0b9027398bd01283495dcf2e5905a8f

                    SHA256

                    103be9f97391cbc9eaad1946a7dcc973f4faf2b9da7410c1a7bd9b3420c04306

                    SHA512

                    cb19c406d962b9066bbccd44cdadee987718c3c0537ed7d1763599cdb3968b1e5df78b6e54a751359d4b464a824e5559da51eab469f6779309adc408d3dd53e5

                    Download Submit

                  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                    Filesize

                    19KB

                    MD5

                    71c556753ba1890a888adf0897a7a5ad

                    SHA1

                    c17d921dd596c227c4483d1973f213596ba94b3b

                    SHA256

                    39873a423f61ec6fce8216f85a069920156751b5b738e93868d400bbe927a1e4

                    SHA512

                    911242009c776614af00965148d134a4c2a7c4e89035ef1ffe98eff3a64d967d46351d24428fd4bbb4328cd22b52f12e041acfe5aba4b8444c192b0c6ed4a890

                    Download Submit

                  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                    Filesize

                    19KB

                    MD5

                    6b4ae908ea9513d55e422c89d817dc9a

                    SHA1

                    fa0aa7a397a6a65f7e5455eda99ceca2fa7165ba

                    SHA256

                    552267dc75d58ccd7f2a95c398b151e755db41aba826c265aa28145f9af3d664

                    SHA512

                    d636d526459e9cb6c8af6c10a80ef43f2fc902b41350f9618b1d4d7c074be40094e57a2c94ce8a23cc5ca0f3823ce842f2e05c5d5b566035a5d4089e183aaff9

                    Download Submit

                  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                    Filesize

                    19KB

                    MD5

                    7a636389abf85cbc2ce06b3ac5ffb098

                    SHA1

                    6407a5ec22f534e42f77f373178c044b1db87f7a

                    SHA256

                    cdff3bf27a0fb8ab99ec0b81b8a78a2ec7545a1680f307cfe30fd06e2ce4bf63

                    SHA512

                    e232e90d4df9196f3d19904aba5d77730051bcdba3c6c9208e6ebeb377a55e283373209f8f8b951859704d7038f015d23a92f4920ee252bd5baec6789b1ab8d0

                    Download Submit

                  • C:\Windows\System32\GroupPolicy\gpt.ini
                    Filesize

                    127B

                    MD5

                    8ef9853d1881c5fe4d681bfb31282a01

                    SHA1

                    a05609065520e4b4e553784c566430ad9736f19f

                    SHA256

                    9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

                    SHA512

                    5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

                    Download Submit

                  • C:\Windows\windefender.exe
                    Filesize

                    2.0MB

                    MD5

                    8e67f58837092385dcf01e8a2b4f5783

                    SHA1

                    012c49cfd8c5d06795a6f67ea2baf2a082cf8625

                    SHA256

                    166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

                    SHA512

                    40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

                    Download Submit

                  • memory/60-154-0x00007FF639050000-0x00007FF639A67000-memory.dmp

                    Filesize

                    10.1MB

                    Download

                  • memory/60-144-0x00007FF639050000-0x00007FF639A67000-memory.dmp

                    Filesize

                    10.1MB

                    Download

                  • memory/60-151-0x00007FF639050000-0x00007FF639A67000-memory.dmp

                    Filesize

                    10.1MB

                    Download

                  • memory/60-300-0x00007FF639050000-0x00007FF639A67000-memory.dmp

                    Filesize

                    10.1MB

                    Download

                  • memory/60-146-0x00007FFD20C90000-0x00007FFD20F59000-memory.dmp

                    Filesize

                    2.8MB

                    Download

                  • memory/60-149-0x00007FF639050000-0x00007FF639A67000-memory.dmp

                    Filesize

                    10.1MB

                    Download

                  • memory/60-141-0x00007FF639050000-0x00007FF639A67000-memory.dmp

                    Filesize

                    10.1MB

                    Download

                  • memory/60-169-0x00007FFD23150000-0x00007FFD23345000-memory.dmp

                    Filesize

                    2.0MB

                    Download

                  • memory/60-148-0x00007FFD00000000-0x00007FFD00002000-memory.dmp

                    Filesize

                    8KB

                    Download

                  • memory/60-147-0x00007FF639050000-0x00007FF639A67000-memory.dmp

                    Filesize

                    10.1MB

                    Download

                  • memory/60-143-0x00007FF639050000-0x00007FF639A67000-memory.dmp

                    Filesize

                    10.1MB

                    Download

                  • memory/60-145-0x00007FFD00030000-0x00007FFD00031000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/60-150-0x00007FF639050000-0x00007FF639A67000-memory.dmp

                    Filesize

                    10.1MB

                    Download

                  • memory/592-81-0x0000000000400000-0x0000000000D1C000-memory.dmp

                    Filesize

                    9.1MB

                    Download

                  • memory/592-174-0x0000000002AF0000-0x0000000002EF5000-memory.dmp

                    Filesize

                    4.0MB

                    Download

                  • memory/592-259-0x0000000000400000-0x0000000000D1C000-memory.dmp

                    Filesize

                    9.1MB

                    Download

                  • memory/592-470-0x0000000000400000-0x0000000000D1C000-memory.dmp

                    Filesize

                    9.1MB

                    Download

                  • memory/592-73-0x0000000002F00000-0x00000000037EB000-memory.dmp

                    Filesize

                    8.9MB

                    Download

                  • memory/592-70-0x0000000002AF0000-0x0000000002EF5000-memory.dmp

                    Filesize

                    4.0MB

                    Download

                  • memory/920-275-0x00000000070D0000-0x00000000070DA000-memory.dmp

                    Filesize

                    40KB

                    Download

                  • memory/920-231-0x000000006DFF0000-0x000000006E03C000-memory.dmp

                    Filesize

                    304KB

                    Download

                  • memory/920-176-0x0000000004880000-0x0000000004890000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/920-271-0x0000000007060000-0x000000000707A000-memory.dmp

                    Filesize

                    104KB

                    Download

                  • memory/920-272-0x000000007EFF0000-0x000000007F000000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/920-269-0x0000000007680000-0x0000000007CFA000-memory.dmp

                    Filesize

                    6.5MB

                    Download

                  • memory/920-177-0x0000000073A70000-0x0000000074220000-memory.dmp

                    Filesize

                    7.7MB

                    Download

                  • memory/920-233-0x000000006E040000-0x000000006E394000-memory.dmp

                    Filesize

                    3.3MB

                    Download

                  • memory/1480-105-0x0000000000EB0000-0x00000000013E8000-memory.dmp

                    Filesize

                    5.2MB

                    Download

                  • memory/1788-170-0x0000000005210000-0x0000000005220000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/1788-270-0x000000007F700000-0x000000007F710000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/1788-229-0x0000000006840000-0x000000000688C000-memory.dmp

                    Filesize

                    304KB

                    Download

                  • memory/1788-230-0x0000000007650000-0x0000000007682000-memory.dmp

                    Filesize

                    200KB

                    Download

                  • memory/1788-167-0x00000000030D0000-0x0000000003106000-memory.dmp

                    Filesize

                    216KB

                    Download

                  • memory/1788-172-0x0000000073A70000-0x0000000074220000-memory.dmp

                    Filesize

                    7.7MB

                    Download

                  • memory/1788-171-0x0000000005850000-0x0000000005E78000-memory.dmp

                    Filesize

                    6.2MB

                    Download

                  • memory/1788-245-0x0000000006980000-0x000000000699E000-memory.dmp

                    Filesize

                    120KB

                    Download

                  • memory/1788-256-0x0000000007890000-0x0000000007933000-memory.dmp

                    Filesize

                    652KB

                    Download

                  • memory/1788-175-0x0000000005210000-0x0000000005220000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/1788-295-0x0000000005210000-0x0000000005220000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/1788-189-0x00000000057E0000-0x0000000005802000-memory.dmp

                    Filesize

                    136KB

                    Download

                  • memory/1788-232-0x000000006DFF0000-0x000000006E03C000-memory.dmp

                    Filesize

                    304KB

                    Download

                  • memory/1788-234-0x000000006E040000-0x000000006E394000-memory.dmp

                    Filesize

                    3.3MB

                    Download

                  • memory/1788-205-0x0000000006110000-0x0000000006176000-memory.dmp

                    Filesize

                    408KB

                    Download

                  • memory/1788-209-0x0000000006220000-0x0000000006574000-memory.dmp

                    Filesize

                    3.3MB

                    Download

                  • memory/1788-228-0x0000000006680000-0x000000000669E000-memory.dmp

                    Filesize

                    120KB

                    Download

                  • memory/1788-207-0x00000000061B0000-0x0000000006216000-memory.dmp

                    Filesize

                    408KB

                    Download

                  • memory/2472-206-0x0000000073A70000-0x0000000074220000-memory.dmp

                    Filesize

                    7.7MB

                    Download

                  • memory/2472-276-0x0000000002E90000-0x0000000002EA0000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/2472-278-0x0000000002E90000-0x0000000002EA0000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/2472-277-0x0000000007DE0000-0x0000000007E76000-memory.dmp

                    Filesize

                    600KB

                    Download

                  • memory/2472-208-0x0000000002E90000-0x0000000002EA0000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/2472-290-0x0000000007D40000-0x0000000007D51000-memory.dmp

                    Filesize

                    68KB

                    Download

                  • memory/2472-257-0x000000006DFF0000-0x000000006E03C000-memory.dmp

                    Filesize

                    304KB

                    Download

                  • memory/2472-258-0x000000006E040000-0x000000006E394000-memory.dmp

                    Filesize

                    3.3MB

                    Download

                  • memory/2912-79-0x0000000000400000-0x0000000000D1C000-memory.dmp

                    Filesize

                    9.1MB

                    Download

                  • memory/2912-274-0x0000000000400000-0x0000000000D1C000-memory.dmp

                    Filesize

                    9.1MB

                    Download

                  • memory/2912-472-0x0000000000400000-0x0000000000D1C000-memory.dmp

                    Filesize

                    9.1MB

                    Download

                  • memory/2912-75-0x0000000002BC0000-0x0000000002FC4000-memory.dmp

                    Filesize

                    4.0MB

                    Download

                  • memory/2912-202-0x0000000002BC0000-0x0000000002FC4000-memory.dmp

                    Filesize

                    4.0MB

                    Download

                  • memory/2912-76-0x0000000002FD0000-0x00000000038BB000-memory.dmp

                    Filesize

                    8.9MB

                    Download

                  • memory/2912-235-0x0000000000400000-0x0000000000D1C000-memory.dmp

                    Filesize

                    9.1MB

                    Download

                  • memory/2924-26-0x0000000073A70000-0x0000000074220000-memory.dmp

                    Filesize

                    7.7MB

                    Download

                  • memory/2924-25-0x0000000000400000-0x0000000000408000-memory.dmp

                    Filesize

                    32KB

                    Download

                  • memory/2924-168-0x0000000073A70000-0x0000000074220000-memory.dmp

                    Filesize

                    7.7MB

                    Download

                  • memory/2924-173-0x0000000004E70000-0x0000000004E80000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/2924-27-0x0000000004E70000-0x0000000004E80000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/3240-137-0x0000000000EB0000-0x00000000013E8000-memory.dmp

                    Filesize

                    5.2MB

                    Download

                  • memory/3476-91-0x0000000000400000-0x0000000000D1C000-memory.dmp

                    Filesize

                    9.1MB

                    Download

                  • memory/3476-200-0x0000000002A20000-0x0000000002E26000-memory.dmp

                    Filesize

                    4.0MB

                    Download

                  • memory/3476-471-0x0000000000400000-0x0000000000D1C000-memory.dmp

                    Filesize

                    9.1MB

                    Download

                  • memory/3476-273-0x0000000000400000-0x0000000000D1C000-memory.dmp

                    Filesize

                    9.1MB

                    Download

                  • memory/3476-74-0x0000000002A20000-0x0000000002E26000-memory.dmp

                    Filesize

                    4.0MB

                    Download

                  • memory/3476-255-0x0000000000400000-0x0000000000D1C000-memory.dmp

                    Filesize

                    9.1MB

                    Download

                  • memory/3984-95-0x0000000000EB0000-0x00000000013E8000-memory.dmp

                    Filesize

                    5.2MB

                    Download

                  • memory/4364-578-0x0000000000400000-0x0000000000D1C000-memory.dmp

                    Filesize

                    9.1MB

                    Download

                  • memory/4364-661-0x0000000000400000-0x0000000000D1C000-memory.dmp

                    Filesize

                    9.1MB

                    Download

                  • memory/4432-691-0x0000000000400000-0x0000000000D1C000-memory.dmp

                    Filesize

                    9.1MB

                    Download

                  • memory/4432-734-0x0000000000400000-0x0000000000D1C000-memory.dmp

                    Filesize

                    9.1MB

                    Download

                  • memory/4648-140-0x0000000000EB0000-0x00000000013E8000-memory.dmp

                    Filesize

                    5.2MB

                    Download

                  • memory/4800-113-0x0000000000720000-0x0000000000C58000-memory.dmp

                    Filesize

                    5.2MB

                    Download

                  • memory/4800-110-0x0000000000720000-0x0000000000C58000-memory.dmp

                    Filesize

                    5.2MB

                    Download

                  • memory/5684-785-0x0000000000400000-0x0000000000D1C000-memory.dmp

                    Filesize

                    9.1MB

                    Download

                  • memory/5684-802-0x0000000000400000-0x0000000000D1C000-memory.dmp

                    Filesize

                    9.1MB

                    Download

                  • memory/5684-811-0x0000000000400000-0x0000000000D1C000-memory.dmp

                    Filesize

                    9.1MB

                    Download

                  • memory/5700-635-0x0000000000400000-0x0000000000D1C000-memory.dmp

                    Filesize

                    9.1MB

                    Download

                  • memory/5700-579-0x0000000000400000-0x0000000000D1C000-memory.dmp

                    Filesize

                    9.1MB

                    Download

                  • memory/6000-288-0x0000026C12120000-0x0000026C12142000-memory.dmp

                    Filesize

                    136KB

                    Download

                  • memory/6000-292-0x0000026C12100000-0x0000026C1210A000-memory.dmp

                    Filesize

                    40KB

                    Download

                  • memory/6000-291-0x0000026C2AEE0000-0x0000026C2AEF2000-memory.dmp

                    Filesize

                    72KB

                    Download

                  • memory/6016-801-0x0000000000400000-0x00000000008DF000-memory.dmp

                    Filesize

                    4.9MB

                    Download

                  • memory/6060-812-0x0000000000400000-0x00000000008DF000-memory.dmp

                    Filesize

                    4.9MB

                    Download