Overview

overview

10

Static

static

1

95442c887f...2e.exe

windows7-x64

1

95442c887f...2e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-04-2024 01:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    95442c887f47bbb4b350fca87c45dc6ef95355ce86a63d7c2f50db2d92ae512e.exe

  • Size

    404KB

  • MD5

    15ce9e885610d5b85500ea0d139f6d21

  • SHA1

    99f1392185a70453f33e15d6f5b75064217c2c18

  • SHA256

    95442c887f47bbb4b350fca87c45dc6ef95355ce86a63d7c2f50db2d92ae512e

  • SHA512

    9ee8e3fb682cf7abb5804106f841551f2f0fd8ace9842e67f3bda573772d39a6482d19e853de5a9a48d177350a3398cb814105ced01fdfb1be6db7e8bc9055b9

  • SSDEEP

    6144:/IJTLRoSz47P8DiLdwXQIPcnEPjj9tQPBBpRPZi9opzUeqcnoKPcmPuJkJ:wlRoSz4j8DM6gIxfUP+2Ye9oCcmf

Score
10/10
gluptebastealcdiscoverydropperevasionloaderpersistencerootkitspywarestealerthemidatrojanupx

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.209

Attributes
  • url_path

    /3cd2b41cbde8fc9c.php

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 23 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Detects Windows executables referencing non-Windows User-Agents 21 IoCs
  • Detects executables (downlaoders) containing URLs to raw contents of a paste 1 IoCs
  • Detects executables Discord URL observed in first stage droppers 21 IoCs
  • Detects executables containing URLs to raw contents of a Github gist 21 IoCs
  • Detects executables containing artifacts associated with disabling Widnows Defender 21 IoCs
  • Detects executables packed with Themida 2 IoCs
  • Detects executables packed with or use KoiVM 1 IoCs
  • Detects executables referencing many varying, potentially fake Windows User-Agents 21 IoCs
  • UPX dump on OEP (original entry point) 4 IoCs
  • Downloads MZ/PE file
  • Modifies Windows Firewall 2 TTPs 2 IoCs
    evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 19 IoCs
  • Loads dropped DLL 9 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 2 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 4 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 10 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 6 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\95442c887f47bbb4b350fca87c45dc6ef95355ce86a63d7c2f50db2d92ae512e.exe
    "C:\Users\Admin\AppData\Local\Temp\95442c887f47bbb4b350fca87c45dc6ef95355ce86a63d7c2f50db2d92ae512e.exe"
    1⤵
    • UAC bypass
    • Windows security bypass
    • Checks computer location settings
    • Windows security modification
    • Checks whether UAC is enabled
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4248
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\95442c887f47bbb4b350fca87c45dc6ef95355ce86a63d7c2f50db2d92ae512e.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1084
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
      2⤵
      • Drops startup file
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3080
      • C:\Users\Admin\Pictures\KUtA0iRzg925CZuDgGEAq0cv.exe
        "C:\Users\Admin\Pictures\KUtA0iRzg925CZuDgGEAq0cv.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5008
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3212
        • C:\Users\Admin\Pictures\KUtA0iRzg925CZuDgGEAq0cv.exe
          "C:\Users\Admin\Pictures\KUtA0iRzg925CZuDgGEAq0cv.exe"
          4⤵
          • Windows security bypass
          • Executes dropped EXE
          • Windows security modification
          • Adds Run key to start application
          • Checks for VirtualBox DLLs, possible anti-VM trick
          • Drops file in Windows directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1416
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            5⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3744
          • C:\Windows\system32\cmd.exe
            C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2508
            • C:\Windows\system32\netsh.exe
              netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
              6⤵
              • Modifies Windows Firewall
              PID:368
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            5⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3960
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            5⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3556
          • C:\Windows\rss\csrss.exe
            C:\Windows\rss\csrss.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Manipulates WinMonFS driver.
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2296
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -nologo -noprofile
              6⤵
              • Drops file in System32 directory
              • Modifies data under HKEY_USERS
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2400
            • C:\Windows\SYSTEM32\schtasks.exe
              schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
              6⤵
              • Creates scheduled task(s)
              PID:4956
            • C:\Windows\SYSTEM32\schtasks.exe
              schtasks /delete /tn ScheduledUpdate /f
              6⤵
                PID:1156
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -nologo -noprofile
                6⤵
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3012
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -nologo -noprofile
                6⤵
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2992
              • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                PID:4980
              • C:\Windows\SYSTEM32\schtasks.exe
                schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                6⤵
                • Creates scheduled task(s)
                PID:808
              • C:\Windows\windefender.exe
                "C:\Windows\windefender.exe"
                6⤵
                • Executes dropped EXE
                PID:4164
                • C:\Windows\SysWOW64\cmd.exe
                  cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                  7⤵
                    PID:1248
                    • C:\Windows\SysWOW64\sc.exe
                      sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                      8⤵
                      • Launches sc.exe
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3448
          • C:\Users\Admin\Pictures\5TNHvZSkZLk8VtwM0lC3LFLU.exe
            "C:\Users\Admin\Pictures\5TNHvZSkZLk8VtwM0lC3LFLU.exe"
            3⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4396
            • C:\Users\Admin\AppData\Local\Temp\u3e4.0.exe
              "C:\Users\Admin\AppData\Local\Temp\u3e4.0.exe"
              4⤵
              • Executes dropped EXE
              PID:4720
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 1016
                5⤵
                • Program crash
                PID:532
          • C:\Users\Admin\Pictures\CjNsZwbxq7l5MZje2GVxIAqg.exe
            "C:\Users\Admin\Pictures\CjNsZwbxq7l5MZje2GVxIAqg.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3032
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -nologo -noprofile
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3732
            • C:\Users\Admin\Pictures\CjNsZwbxq7l5MZje2GVxIAqg.exe
              "C:\Users\Admin\Pictures\CjNsZwbxq7l5MZje2GVxIAqg.exe"
              4⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Checks for VirtualBox DLLs, possible anti-VM trick
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:1440
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -nologo -noprofile
                5⤵
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4340
              • C:\Windows\system32\cmd.exe
                C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:3952
                • C:\Windows\system32\netsh.exe
                  netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                  6⤵
                  • Modifies Windows Firewall
                  PID:3728
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -nologo -noprofile
                5⤵
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1144
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -nologo -noprofile
                5⤵
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4524
          • C:\Users\Admin\Pictures\pAVeI18RsCEAuLRXNxUXFGEq.exe
            "C:\Users\Admin\Pictures\pAVeI18RsCEAuLRXNxUXFGEq.exe"
            3⤵
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            PID:2336
          • C:\Users\Admin\Pictures\3SoEfz9cn0E25HPRjbAsqI44.exe
            "C:\Users\Admin\Pictures\3SoEfz9cn0E25HPRjbAsqI44.exe" --silent --allusers=0
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Enumerates connected drives
            • Modifies system certificate store
            PID:4532
            • C:\Users\Admin\Pictures\3SoEfz9cn0E25HPRjbAsqI44.exe
              C:\Users\Admin\Pictures\3SoEfz9cn0E25HPRjbAsqI44.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x2a8,0x2ac,0x2b0,0x288,0x2b4,0x6f1fe1d0,0x6f1fe1dc,0x6f1fe1e8
              4⤵
              • Executes dropped EXE
              • Loads dropped DLL
              PID:2084
            • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\3SoEfz9cn0E25HPRjbAsqI44.exe
              "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\3SoEfz9cn0E25HPRjbAsqI44.exe" --version
              4⤵
              • Executes dropped EXE
              • Loads dropped DLL
              PID:1584
            • C:\Users\Admin\Pictures\3SoEfz9cn0E25HPRjbAsqI44.exe
              "C:\Users\Admin\Pictures\3SoEfz9cn0E25HPRjbAsqI44.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=4532 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240421011531" --session-guid=1152f253-113c-4dbe-b34e-22fbf4058f21 --server-tracking-blob="ODQ0YzRlOGVjZjA0NjQwYWE5NzZmNzEyZjgzZWRmM2I0YzY2ZjNkMTdhNjI3YWExMjAzMzVjOGIxNGJlMDg3YTp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N19fNDU2Iiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTAiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzEzNjYyMDYzLjA4MzkiLCJ1dG0iOnsiY2FtcGFpZ24iOiI3NjdfXzQ1NiIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6Im1rdCJ9LCJ1dWlkIjoiNjk4YWJiMGMtMjY5NS00ZjFlLWJlNzAtYjdjN2U4NTMzNTBlIn0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=A405000000000000
              4⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Enumerates connected drives
              PID:980
              • C:\Users\Admin\Pictures\3SoEfz9cn0E25HPRjbAsqI44.exe
                C:\Users\Admin\Pictures\3SoEfz9cn0E25HPRjbAsqI44.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x2b8,0x2b4,0x2bc,0x284,0x2c0,0x6e42e1d0,0x6e42e1dc,0x6e42e1e8
                5⤵
                • Executes dropped EXE
                • Loads dropped DLL
                PID:1288
            • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404210115311\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe
              "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404210115311\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"
              4⤵
              • Executes dropped EXE
              PID:1672
            • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404210115311\assistant\assistant_installer.exe
              "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404210115311\assistant\assistant_installer.exe" --version
              4⤵
              • Executes dropped EXE
              • Loads dropped DLL
              PID:2400
              • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404210115311\assistant\assistant_installer.exe
                "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404210115311\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x1016038,0x1016044,0x1016050
                5⤵
                • Executes dropped EXE
                • Loads dropped DLL
                PID:3116
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
          2⤵
            PID:3456
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4720 -ip 4720
          1⤵
            PID:4832
          • C:\Windows\System32\Conhost.exe
            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            1⤵
              PID:3744
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
              1⤵
                PID:3732
              • C:\Windows\windefender.exe
                C:\Windows\windefender.exe
                1⤵
                • Executes dropped EXE
                • Modifies data under HKEY_USERS
                PID:2124

              Network

              MITRE ATT&CK Matrix ATT&CK v13

              Initial Access

              Execution

              Scheduled Task/Job

              1
              T1053

              Persistence

              Create or Modify System Process

              1
              T1543

              Windows Service

              1
              T1543.003

              Boot or Logon Autostart Execution

              1
              T1547

              Registry Run Keys / Startup Folder

              1
              T1547.001

              Scheduled Task/Job

              1
              T1053

              Privilege Escalation

              Abuse Elevation Control Mechanism

              1
              T1548

              Bypass User Account Control

              1
              T1548.002

              Create or Modify System Process

              1
              T1543

              Windows Service

              1
              T1543.003

              Boot or Logon Autostart Execution

              1
              T1547

              Registry Run Keys / Startup Folder

              1
              T1547.001

              Scheduled Task/Job

              1
              T1053

              Defense Evasion

              Abuse Elevation Control Mechanism

              1
              T1548

              Bypass User Account Control

              1
              T1548.002

              Impair Defenses

              4
              T1562

              Disable or Modify Tools

              3
              T1562.001

              Disable or Modify System Firewall

              1
              T1562.004

              Modify Registry

              6
              T1112

              Subvert Trust Controls

              1
              T1553

              Install Root Certificate

              1
              T1553.004

              Credential Access

              Unsecured Credentials

              1
              T1552

              Credentials In Files

              1
              T1552.001

              Discovery

              Query Registry

              4
              T1012

              System Information Discovery

              5
              T1082

              Peripheral Device Discovery

              1
              T1120

              Lateral Movement

              Collection

              Data from Local System

              1
              T1005

              Exfiltration

              Command and Control

              Web Service

              1
              T1102

              Impact

              Resource Development

              Reconnaissance

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                Filesize

                2KB

                MD5

                1d7f3d1036cc09d2b9c5d8d5acfbb867

                SHA1

                5a76ade3e2ced7d72b6ce450b074d3c5aaa13b85

                SHA256

                0725190ee120338da973024f3d633bd17d0009af194000fa0a91dde961a8d76c

                SHA512

                dc993da2058b91cd4870b0e868963cadd68d0c03aee091691d7ed0a027215ef5114c9d56ec8d9e228cd7d022339d277903fc12481e2e00df758a3915a17d1fd8

                Download Submit
              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                Filesize

                21KB

                MD5

                c618d281c0df2754a4944d2d67548f19

                SHA1

                7fd675cb6168d318e8ddf35a0336070073b66027

                SHA256

                37214749d004c634e62b13fed9d15d2970be47f35db9f495f1ba446f1b0c1b6a

                SHA512

                18573e79ef4fb47736b652799907a955f413cf2ed2f6b8c1b2ffd7f0cd62c1376f09e35e5177f553b7b6ee8e1a2206737543a0e11796aab31b9716a5699ef175

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404210115311\additional_file0.tmp
                Filesize

                2.5MB

                MD5

                15d8c8f36cef095a67d156969ecdb896

                SHA1

                a1435deb5866cd341c09e56b65cdda33620fcc95

                SHA256

                1521c69f478e9ced2f64b8714b9e19724e747cd8166e0f7ab5db1151a523dda8

                SHA512

                d6f48180d4dcb5ba83a9c0166870ac00ea67b615e749edf5994bc50277bf97ca87f582ac6f374c5351df252db73ee1231c943b53432dbb7563e12bbaf5bb393a

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404210115311\assistant\assistant_installer.exe
                Filesize

                1.9MB

                MD5

                976bc8e5fe65f9bb56831e20f1747150

                SHA1

                f9e7f5628aaaabed9939ef055540e24590a9ccfb

                SHA256

                f53c916ccf3d24d6793227283de2db0f6cc98a2275413851807cc080643d21a0

                SHA512

                2858e7e08418b170b21b599afb02236d0480d35a5605de142f10976489e01daf2ad80df0f09c2eb38bc5a971336d1f6aa9909c520bcdb18e9c9a8e903379dcd9

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404210115311\assistant\dbgcore.dll
                Filesize

                166KB

                MD5

                9ebb919b96f6f94e1be4cdc6913ef629

                SHA1

                31e99ac4fba516f82b36bd81784e8d518b32f9df

                SHA256

                fdae21127deb16eb8ba36f2493d2255f4cb8ab4c18e8bd8ba5e587f5a7ecd119

                SHA512

                a1b42f7d2896da270bb3c80cf9b88c4b4f1491084e7aa7760eeea5533b26f041dc79b21d5ffd2bba2221fe118e0a8d912e170f24fd895c9315b1ee9c7adfe700

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404210115311\assistant\dbghelp.dll
                Filesize

                1.7MB

                MD5

                544255258f9d45b4608ccfd27a4ed1dd

                SHA1

                571e30ceb9c977817b5bbac306366ae59f773497

                SHA256

                3b02fc85602e83059f611c658e3cad6bc59c3c51214d4fe7e31f3ac31388dd68

                SHA512

                2093da881fa90eec2b90d1ca6eaaff608fe16ac612571a7fd5ed94dd5f7ff7e5c1e8c862bab0a228850829527886473e3942abd23a81d10cab8f9baad2cc7664

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404210115311\opera_package
                Filesize

                103.8MB

                MD5

                5014156e9ffbb75d1a8d5fc09fabdc42

                SHA1

                6968d1b5cec3039e53bbbedeee22e2d43d94c771

                SHA256

                7a01e11e1830ba3c154e5a6c383da15938b1e48f89a2fe4045cdd260924b6802

                SHA512

                bfc5c44881d0fa7bcbccfd530d874fa624adec50e1a16063a72de12876d2db10ca5edd6fa841ea63e9deca3ff2adf54065f50719fe051d41de92bb68edba4016

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\Opera_installer_2404210115314954532.dll
                Filesize

                4.6MB

                MD5

                0415cb7be0361a74a039d5f31e72fa65

                SHA1

                46ae154436c8c059ee75cbc6a18ccda96bb2021d

                SHA256

                bb38a8806705980ee3e9181c099e8d5c425e6c9505a88e5af538ca6a48951798

                SHA512

                f71c2b9e1559aa4eb2d72f852ef9807c781d4a7b96b8e0c2c53b895885319146bd43aa6e4223d43159f3d40bc60704206404dc034500e47fca0a94e53b60239e

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ytdk45yh.wni.ps1
                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                Filesize

                281KB

                MD5

                d98e33b66343e7c96158444127a117f6

                SHA1

                bb716c5509a2bf345c6c1152f6e3e1452d39d50d

                SHA256

                5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

                SHA512

                705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\u3e4.0.exe
                Filesize

                301KB

                MD5

                5d835a5d56e1b106a3928a3f96f28c0a

                SHA1

                76637a8a47e97b2eca53f849e0e95fc1a5683fa5

                SHA256

                a676e2601f65bd27a7d0c7cc2cf9452ef9880a544c01d75692c2c211699b58fd

                SHA512

                c5b2a3ce8afd27f6a95b29874643eb4dfd7da56550b2451fe16705865c10af6ddc3bb7c94aec5840ed4b1a5d8df630719128dbf1169b2e5c7e0e2e7998a9c6d5

                Download Submit
              • C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
                Filesize

                40B

                MD5

                f32590796e7910e806d9aaee0470240d

                SHA1

                fb4dea4ea3be89141df8c64e1ecc130bd46f93cd

                SHA256

                151c029b78bd112be74a25d63ca520ee0aa34f2df88390f34d52ece8b11d2345

                SHA512

                20a1c25a0c1a0ec4f3b527b2bff141f221d59e23cbd5a3cc3fb24c2e36b1fe1fcbaca4965a9c3b3077dc39542ad2caa0e8004fac86d647635078bea081894e1f

                Download Submit
              • C:\Users\Admin\Pictures\3SoEfz9cn0E25HPRjbAsqI44.exe
                Filesize

                5.1MB

                MD5

                a0ce477043e18abd06f5766bdea12808

                SHA1

                2d4490e5fbacf96d23ae7a04c6ac1f237013f4dd

                SHA256

                3733a9d4aad70f0a8464d8096d6103f1aadf35320dd46c6a8e9c1e6bd8ed2ed9

                SHA512

                26a0fc1a3f3222505a03774d57668e922784b9125fdac68ff1f073cbd4408a5f578a4396a8105ada4dd46ce47d0d5e128153ff5f56df926bd4ae608222a7d4d3

                Download Submit
              • C:\Users\Admin\Pictures\5TNHvZSkZLk8VtwM0lC3LFLU.exe
                Filesize

                444KB

                MD5

                e1de6a02960c3a776fe4cdbe821efe9b

                SHA1

                17da2036ac1d394138c7ad09735b7657968a4ef0

                SHA256

                d5ca5f35b6d80412d3cdad4115a23a464f524bf72d6b811ace5e658075c87232

                SHA512

                6f6b7d63f41afb8d471b9305116f9b1648454a7ee6d1401997102c4638d6a6037f3eb578f5b5ca11b9f6e87f9a236be55d1f617df5f67b39e3618d48a014e59a

                Download Submit
              • C:\Users\Admin\Pictures\9CIPnlnOVq9rkGP8bo0zO7sF.exe
                Filesize

                7KB

                MD5

                5b423612b36cde7f2745455c5dd82577

                SHA1

                0187c7c80743b44e9e0c193e993294e3b969cc3d

                SHA256

                e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09

                SHA512

                c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

                Download Submit
              • C:\Users\Admin\Pictures\KUtA0iRzg925CZuDgGEAq0cv.exe
                Filesize

                4.2MB

                MD5

                12c1251ddacc8c6651573aaae2a36711

                SHA1

                aa4a4fc95f24a847f33a0fcc22d318fe947929d0

                SHA256

                a018166a731757f43374b0b24baecfbf31b85cf9de793b9d11b186acf887bf22

                SHA512

                e8e9723b210254504ae06f77ed86ff5c7da0ac1ba5134cb2ab99cd42b06744cdf2379835d5e8cbd413da69b1184a0d6297d29dc8393794d8959c5a2dc94f0a69

                Download Submit
              • C:\Users\Admin\Pictures\pAVeI18RsCEAuLRXNxUXFGEq.exe
                Filesize

                5.5MB

                MD5

                9f8b8a866575e821310f6203c5bdc044

                SHA1

                f39bbd5eb2f736acdf565d6b56e560a60334dd0e

                SHA256

                277677de19193a2297c88689312d1a294edf4f81b3ff4ba8202e2cbb9c6fbeea

                SHA512

                b8222b6c8ec092ccc352676d4bf8c90a4ecb558a8346ab2628a41071d0747e87cc0c805c5c4efaf922a5e7ff18ad78bfa59a9180670df881085f6fab3b67f209

                Download Submit
              • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                Filesize

                2KB

                MD5

                3d086a433708053f9bf9523e1d87a4e8

                SHA1

                b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

                SHA256

                6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

                SHA512

                931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

                Download Submit
              • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                Filesize

                19KB

                MD5

                53c0dcab1f314951daabb431106b40d5

                SHA1

                67f2247dea01fc7315ee3c8d03bef7ce60781cf2

                SHA256

                c7ab4e1e2cfacf0e434d9c4ec39949c3c24582b80ae277faa93f46e25673f936

                SHA512

                fb197fdfd2ebbb33ea40ee09888bb652634144125fc0b959aa5ec1b8308160678d4029a2a5a1843b5f54535b1696b0e3b098cddf1c4e5a1a1c9a3e1fc58b5f1f

                Download Submit
              • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                Filesize

                19KB

                MD5

                5d7bf4a0d45e092ad5732957dcf46bd3

                SHA1

                987ca5358de51f4a9611d4a424353fa210313606

                SHA256

                15356c597c7fa2fcee7d8c4aaa1ba3f365767b65a3b34323cde80a3c6a2396bb

                SHA512

                25758a0d27b30ae036efda3c4b47acaf51f9087661e32d105bd3eff1860af3e1373ac5367411f68f54a4f12d64fb24371018b5f764e27ed59d9c808c21cd45ff

                Download Submit
              • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                Filesize

                19KB

                MD5

                2a4228450cc47c04683ef99e82661069

                SHA1

                f8b8d7ec573d9632e0ebb734dbcbed5cce85faa0

                SHA256

                54cdb84a28ca44c6c9df22715915a22d92357fc680567224308db97b6f465bdc

                SHA512

                bcd1087271cf9b9f835f39a43704114f0069d2c7da993a9c3c2002af4e960f4988c2b3d1764c510916f30af17ef252e25cbc40e55081a01418b4a9371d36fd8f

                Download Submit
              • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                Filesize

                19KB

                MD5

                15e8c157083680c7d9ccb690fba1b5db

                SHA1

                8f5396da801f54cff41923009c1a7ea0fa85f5f8

                SHA256

                cbd46395b41f75e189208df7c838448cf7c4ee81e4befaa44f1051ce19f670a1

                SHA512

                50a3fcb27d57ba3d7957c52d2946561d9307e0057816582ed9b6872fc10f732044746ecaa27f5f36e78fd98071590fb71b5c10b0be86e9615e9c034f65e03fa9

                Download Submit
              • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                Filesize

                19KB

                MD5

                ea0ac8f9f8b7426a2d44bdc7f028b5ee

                SHA1

                86b9a401cdc5a7a45317208519bbe1cc51d2096c

                SHA256

                430ba00790071730382da5548dead575b07e4cc9f7cb36cf96ea8bd71b4146cf

                SHA512

                8eacee8a4affc89c6dc34ffe3e67422be8c2b32877cdcbfd2da3bf681858ad68b6ba85920c4bb03bf540c9ce02b1696769ac8a488ee2ead2c2abbcaf18aab2bf

                Download Submit
              • C:\Windows\windefender.exe
                Filesize

                2.0MB

                MD5

                8e67f58837092385dcf01e8a2b4f5783

                SHA1

                012c49cfd8c5d06795a6f67ea2baf2a082cf8625

                SHA256

                166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

                SHA512

                40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

                Download Submit
              • memory/1084-22-0x00007FFA64480000-0x00007FFA64F41000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/1084-17-0x0000028DE6AB0000-0x0000028DE6AC0000-memory.dmp
                Filesize

                64KB

                Download
              • memory/1084-16-0x0000028DE6AB0000-0x0000028DE6AC0000-memory.dmp
                Filesize

                64KB

                Download
              • memory/1084-15-0x00007FFA64480000-0x00007FFA64F41000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/1084-5-0x0000028DE6A70000-0x0000028DE6A92000-memory.dmp
                Filesize

                136KB

                Download
              • memory/1416-284-0x0000000000400000-0x0000000001DF9000-memory.dmp
                Filesize

                26.0MB

                Download
              • memory/1416-146-0x0000000003A60000-0x0000000003E63000-memory.dmp
                Filesize

                4.0MB

                Download
              • memory/1416-147-0x0000000003E70000-0x000000000475B000-memory.dmp
                Filesize

                8.9MB

                Download
              • memory/1416-158-0x0000000000400000-0x0000000001DF9000-memory.dmp
                Filesize

                26.0MB

                Download
              • memory/1416-375-0x0000000000400000-0x0000000001DF9000-memory.dmp
                Filesize

                26.0MB

                Download
              • memory/1440-438-0x0000000000400000-0x0000000001DF9000-memory.dmp
                Filesize

                26.0MB

                Download
              • memory/1440-379-0x0000000000400000-0x0000000001DF9000-memory.dmp
                Filesize

                26.0MB

                Download
              • memory/2124-520-0x0000000000400000-0x00000000008DF000-memory.dmp
                Filesize

                4.9MB

                Download
              • memory/2124-583-0x0000000000400000-0x00000000008DF000-memory.dmp
                Filesize

                4.9MB

                Download
              • memory/2296-652-0x0000000000400000-0x0000000001DF9000-memory.dmp
                Filesize

                26.0MB

                Download
              • memory/2296-512-0x0000000000400000-0x0000000001DF9000-memory.dmp
                Filesize

                26.0MB

                Download
              • memory/2296-655-0x0000000000400000-0x0000000001DF9000-memory.dmp
                Filesize

                26.0MB

                Download
              • memory/2296-500-0x0000000000400000-0x0000000001DF9000-memory.dmp
                Filesize

                26.0MB

                Download
              • memory/2296-581-0x0000000000400000-0x0000000001DF9000-memory.dmp
                Filesize

                26.0MB

                Download
              • memory/2296-519-0x0000000000400000-0x0000000001DF9000-memory.dmp
                Filesize

                26.0MB

                Download
              • memory/2296-649-0x0000000000400000-0x0000000001DF9000-memory.dmp
                Filesize

                26.0MB

                Download
              • memory/2296-646-0x0000000000400000-0x0000000001DF9000-memory.dmp
                Filesize

                26.0MB

                Download
              • memory/2296-643-0x0000000000400000-0x0000000001DF9000-memory.dmp
                Filesize

                26.0MB

                Download
              • memory/2296-576-0x0000000000400000-0x0000000001DF9000-memory.dmp
                Filesize

                26.0MB

                Download
              • memory/2296-507-0x0000000000400000-0x0000000001DF9000-memory.dmp
                Filesize

                26.0MB

                Download
              • memory/2336-294-0x00007FF6E0B10000-0x00007FF6E124A000-memory.dmp
                Filesize

                7.2MB

                Download
              • memory/3032-212-0x0000000000400000-0x0000000001DF9000-memory.dmp
                Filesize

                26.0MB

                Download
              • memory/3032-132-0x0000000003A40000-0x0000000003E39000-memory.dmp
                Filesize

                4.0MB

                Download
              • memory/3032-137-0x0000000000400000-0x0000000001DF9000-memory.dmp
                Filesize

                26.0MB

                Download
              • memory/3080-18-0x0000000074620000-0x0000000074DD0000-memory.dmp
                Filesize

                7.7MB

                Download
              • memory/3080-86-0x0000000074620000-0x0000000074DD0000-memory.dmp
                Filesize

                7.7MB

                Download
              • memory/3080-19-0x0000000005450000-0x0000000005460000-memory.dmp
                Filesize

                64KB

                Download
              • memory/3080-107-0x0000000005450000-0x0000000005460000-memory.dmp
                Filesize

                64KB

                Download
              • memory/3080-4-0x0000000000400000-0x0000000000408000-memory.dmp
                Filesize

                32KB

                Download
              • memory/3212-69-0x0000000005600000-0x0000000005954000-memory.dmp
                Filesize

                3.3MB

                Download
              • memory/3212-63-0x0000000004CD0000-0x0000000004D36000-memory.dmp
                Filesize

                408KB

                Download
              • memory/3212-52-0x00000000020D0000-0x0000000002106000-memory.dmp
                Filesize

                216KB

                Download
              • memory/3212-53-0x0000000074620000-0x0000000074DD0000-memory.dmp
                Filesize

                7.7MB

                Download
              • memory/3212-54-0x0000000004720000-0x0000000004730000-memory.dmp
                Filesize

                64KB

                Download
              • memory/3212-55-0x0000000004720000-0x0000000004730000-memory.dmp
                Filesize

                64KB

                Download
              • memory/3212-136-0x0000000074620000-0x0000000074DD0000-memory.dmp
                Filesize

                7.7MB

                Download
              • memory/3212-56-0x0000000004D60000-0x0000000005388000-memory.dmp
                Filesize

                6.2MB

                Download
              • memory/3212-57-0x0000000004B30000-0x0000000004B52000-memory.dmp
                Filesize

                136KB

                Download
              • memory/3212-127-0x0000000007170000-0x0000000007178000-memory.dmp
                Filesize

                32KB

                Download
              • memory/3212-121-0x0000000007180000-0x000000000719A000-memory.dmp
                Filesize

                104KB

                Download
              • memory/3212-64-0x0000000005390000-0x00000000053F6000-memory.dmp
                Filesize

                408KB

                Download
              • memory/3212-84-0x00000000059F0000-0x0000000005A0E000-memory.dmp
                Filesize

                120KB

                Download
              • memory/3212-85-0x0000000005A30000-0x0000000005A7C000-memory.dmp
                Filesize

                304KB

                Download
              • memory/3212-115-0x0000000007130000-0x0000000007144000-memory.dmp
                Filesize

                80KB

                Download
              • memory/3212-90-0x0000000005F80000-0x0000000005FC4000-memory.dmp
                Filesize

                272KB

                Download
              • memory/3212-114-0x0000000007110000-0x000000000711E000-memory.dmp
                Filesize

                56KB

                Download
              • memory/3212-91-0x0000000006D30000-0x0000000006DA6000-memory.dmp
                Filesize

                472KB

                Download
              • memory/3212-113-0x00000000070D0000-0x00000000070E1000-memory.dmp
                Filesize

                68KB

                Download
              • memory/3212-112-0x00000000071D0000-0x0000000007266000-memory.dmp
                Filesize

                600KB

                Download
              • memory/3212-111-0x00000000070C0000-0x00000000070CA000-memory.dmp
                Filesize

                40KB

                Download
              • memory/3212-110-0x0000000004720000-0x0000000004730000-memory.dmp
                Filesize

                64KB

                Download
              • memory/3212-109-0x0000000006FD0000-0x0000000007073000-memory.dmp
                Filesize

                652KB

                Download
              • memory/3212-108-0x0000000006FB0000-0x0000000006FCE000-memory.dmp
                Filesize

                120KB

                Download
              • memory/3212-97-0x000000006F380000-0x000000006F6D4000-memory.dmp
                Filesize

                3.3MB

                Download
              • memory/3212-96-0x000000006F330000-0x000000006F37C000-memory.dmp
                Filesize

                304KB

                Download
              • memory/3212-95-0x0000000006F70000-0x0000000006FA2000-memory.dmp
                Filesize

                200KB

                Download
              • memory/3212-94-0x000000007F320000-0x000000007F330000-memory.dmp
                Filesize

                64KB

                Download
              • memory/3212-93-0x0000000006DB0000-0x0000000006DCA000-memory.dmp
                Filesize

                104KB

                Download
              • memory/3212-92-0x0000000007430000-0x0000000007AAA000-memory.dmp
                Filesize

                6.5MB

                Download
              • memory/3732-140-0x0000000074620000-0x0000000074DD0000-memory.dmp
                Filesize

                7.7MB

                Download
              • memory/3732-141-0x00000000030F0000-0x0000000003100000-memory.dmp
                Filesize

                64KB

                Download
              • memory/3732-143-0x00000000030F0000-0x0000000003100000-memory.dmp
                Filesize

                64KB

                Download
              • memory/3732-160-0x0000000006CF0000-0x0000000006D3C000-memory.dmp
                Filesize

                304KB

                Download
              • memory/3732-157-0x0000000006270000-0x00000000065C4000-memory.dmp
                Filesize

                3.3MB

                Download
              • memory/3744-162-0x0000000074620000-0x0000000074DD0000-memory.dmp
                Filesize

                7.7MB

                Download
              • memory/4164-517-0x0000000000400000-0x00000000008DF000-memory.dmp
                Filesize

                4.9MB

                Download
              • memory/4248-3-0x000001E352830000-0x000001E35288E000-memory.dmp
                Filesize

                376KB

                Download
              • memory/4248-2-0x000001E350EE0000-0x000001E350EF0000-memory.dmp
                Filesize

                64KB

                Download
              • memory/4248-26-0x00007FFA64480000-0x00007FFA64F41000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/4248-0-0x000001E350AF0000-0x000001E350AFE000-memory.dmp
                Filesize

                56KB

                Download
              • memory/4248-1-0x00007FFA64480000-0x00007FFA64F41000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/4396-87-0x0000000001C30000-0x0000000001D30000-memory.dmp
                Filesize

                1024KB

                Download
              • memory/4396-161-0x0000000001C30000-0x0000000001D30000-memory.dmp
                Filesize

                1024KB

                Download
              • memory/4396-88-0x0000000001BA0000-0x0000000001C0E000-memory.dmp
                Filesize

                440KB

                Download
              • memory/4396-89-0x0000000000400000-0x0000000001A3A000-memory.dmp
                Filesize

                22.2MB

                Download
              • memory/4396-204-0x0000000000400000-0x0000000001A3A000-memory.dmp
                Filesize

                22.2MB

                Download
              • memory/4720-244-0x0000000000400000-0x0000000001A16000-memory.dmp
                Filesize

                22.1MB

                Download
              • memory/5008-133-0x0000000003D20000-0x000000000411A000-memory.dmp
                Filesize

                4.0MB

                Download
              • memory/5008-49-0x0000000003D20000-0x000000000411A000-memory.dmp
                Filesize

                4.0MB

                Download
              • memory/5008-50-0x0000000004120000-0x0000000004A0B000-memory.dmp
                Filesize

                8.9MB

                Download
              • memory/5008-51-0x0000000000400000-0x0000000001DF9000-memory.dmp
                Filesize

                26.0MB

                Download
              • memory/5008-145-0x0000000000400000-0x0000000001DF9000-memory.dmp
                Filesize

                26.0MB

                Download
              • memory/5008-138-0x0000000000400000-0x0000000001DF9000-memory.dmp
                Filesize

                26.0MB

                Download