Overview

overview

10

Static

static

1

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-04-2024 12:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    3.3MB

  • MD5

    09bd16d82a747ef0621aa367c0e14a9c

  • SHA1

    da57e4b192b7cb50b6e71b48d5f233d2a6b5a4f1

  • SHA256

    b79b3ab665881eadd15b67b9b105db7d99eb091905350a53c6bbc7b91a42cd48

  • SHA512

    7365b17d9ec7264941b88d61e69ea1214ef44b9b8bff9ebc8227794b696142050f267635cdb4e588ba121259b2f2a07519df8053f143db58ebc1a048d08b49a1

  • SSDEEP

    49152:9UIbNigeVE2MD7ZDAgUftcgFEptOkf8Ug:jI3bg5W

Score
10/10
gluptebastealcdiscoverydropperevasionloaderpersistencerootkitspywarestealerthemidatrojanupx

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.209

Attributes
  • url_path

    /3cd2b41cbde8fc9c.php

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 19 IoCs
  • Modifies firewall policy service 2 TTPs 1 IoCs
    evasion
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Downloads MZ/PE file
  • Modifies Windows Firewall 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 22 IoCs
  • Loads dropped DLL 15 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 7 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 4 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 14 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 6 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4328
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
      2⤵
      • Drops startup file
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4216
      • C:\Users\Admin\Pictures\UICTY6XdFzHkEkcLPbzfmXp3.exe
        "C:\Users\Admin\Pictures\UICTY6XdFzHkEkcLPbzfmXp3.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1516
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2832
        • C:\Users\Admin\Pictures\UICTY6XdFzHkEkcLPbzfmXp3.exe
          "C:\Users\Admin\Pictures\UICTY6XdFzHkEkcLPbzfmXp3.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks for VirtualBox DLLs, possible anti-VM trick
          • Drops file in Windows directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2204
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            5⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4016
          • C:\Windows\system32\cmd.exe
            C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1976
            • C:\Windows\system32\netsh.exe
              netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
              6⤵
              • Modifies Windows Firewall
              PID:2556
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            5⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4848
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            5⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4116
          • C:\Windows\rss\csrss.exe
            C:\Windows\rss\csrss.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Manipulates WinMonFS driver.
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4336
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -nologo -noprofile
              6⤵
              • Drops file in System32 directory
              • Modifies data under HKEY_USERS
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2664
            • C:\Windows\SYSTEM32\schtasks.exe
              schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
              6⤵
              • Creates scheduled task(s)
              PID:4044
            • C:\Windows\SYSTEM32\schtasks.exe
              schtasks /delete /tn ScheduledUpdate /f
              6⤵
                PID:2900
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -nologo -noprofile
                6⤵
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4092
                • C:\Windows\System32\Conhost.exe
                  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  7⤵
                    PID:4608
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -nologo -noprofile
                  6⤵
                  • Drops file in System32 directory
                  • Modifies data under HKEY_USERS
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1236
                • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                  C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3972
                • C:\Windows\SYSTEM32\schtasks.exe
                  schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                  6⤵
                  • Creates scheduled task(s)
                  PID:4556
                • C:\Windows\windefender.exe
                  "C:\Windows\windefender.exe"
                  6⤵
                  • Executes dropped EXE
                  PID:2044
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                    7⤵
                      PID:1200
                      • C:\Windows\SysWOW64\sc.exe
                        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                        8⤵
                        • Launches sc.exe
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4856
            • C:\Users\Admin\Pictures\oH93hO477Ln8YT1h2rj9THeR.exe
              "C:\Users\Admin\Pictures\oH93hO477Ln8YT1h2rj9THeR.exe"
              3⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1864
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -nologo -noprofile
                4⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2924
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 2480
                  5⤵
                  • Program crash
                  PID:3340
              • C:\Users\Admin\Pictures\oH93hO477Ln8YT1h2rj9THeR.exe
                "C:\Users\Admin\Pictures\oH93hO477Ln8YT1h2rj9THeR.exe"
                4⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Checks for VirtualBox DLLs, possible anti-VM trick
                • Drops file in Windows directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:4420
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -nologo -noprofile
                  5⤵
                  • Drops file in System32 directory
                  • Modifies data under HKEY_USERS
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3688
                • C:\Windows\system32\cmd.exe
                  C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
                  5⤵
                  • Suspicious use of WriteProcessMemory
                  PID:404
                  • C:\Windows\system32\netsh.exe
                    netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                    6⤵
                    • Modifies Windows Firewall
                    PID:1464
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -nologo -noprofile
                  5⤵
                  • Drops file in System32 directory
                  • Modifies data under HKEY_USERS
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2032
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -nologo -noprofile
                  5⤵
                  • Drops file in System32 directory
                  • Modifies data under HKEY_USERS
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4608
            • C:\Users\Admin\Pictures\SVuhZcqoCkyjaZNXeP8EAlVx.exe
              "C:\Users\Admin\Pictures\SVuhZcqoCkyjaZNXeP8EAlVx.exe"
              3⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:3212
              • C:\Users\Admin\AppData\Local\Temp\u2h8.0.exe
                "C:\Users\Admin\AppData\Local\Temp\u2h8.0.exe"
                4⤵
                • Executes dropped EXE
                PID:4412
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 1016
                  5⤵
                  • Program crash
                  PID:4884
              • C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe
                "C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe"
                4⤵
                • Executes dropped EXE
                PID:1788
                • C:\Users\Admin\AppData\Local\Temp\Uninstallcheck_alpha\ptInst.exe
                  C:\Users\Admin\AppData\Local\Temp\Uninstallcheck_alpha\ptInst.exe
                  5⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  PID:3080
                  • C:\Users\Admin\AppData\Roaming\Uninstallcheck_alpha\ptInst.exe
                    C:\Users\Admin\AppData\Roaming\Uninstallcheck_alpha\ptInst.exe
                    6⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Suspicious use of SetThreadContext
                    • Suspicious behavior: MapViewOfSection
                    PID:1472
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\SysWOW64\cmd.exe
                      7⤵
                      • Suspicious use of SetThreadContext
                      • Suspicious behavior: MapViewOfSection
                      PID:5056
                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                        8⤵
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1788
            • C:\Users\Admin\Pictures\IyEc0DKHgStVM8HS1OfW8HLX.exe
              "C:\Users\Admin\Pictures\IyEc0DKHgStVM8HS1OfW8HLX.exe"
              3⤵
              • Modifies firewall policy service
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Drops file in System32 directory
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:4740
            • C:\Users\Admin\Pictures\YijrmedmSk4L6ZaYNHz6KZ0y.exe
              "C:\Users\Admin\Pictures\YijrmedmSk4L6ZaYNHz6KZ0y.exe" --silent --allusers=0
              3⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Enumerates connected drives
              • Modifies system certificate store
              PID:2864
              • C:\Users\Admin\Pictures\YijrmedmSk4L6ZaYNHz6KZ0y.exe
                C:\Users\Admin\Pictures\YijrmedmSk4L6ZaYNHz6KZ0y.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x288,0x2ac,0x2b0,0x280,0x2b4,0x6f50e1d0,0x6f50e1dc,0x6f50e1e8
                4⤵
                • Executes dropped EXE
                • Loads dropped DLL
                PID:1944
              • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\YijrmedmSk4L6ZaYNHz6KZ0y.exe
                "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\YijrmedmSk4L6ZaYNHz6KZ0y.exe" --version
                4⤵
                • Executes dropped EXE
                • Loads dropped DLL
                PID:5108
              • C:\Users\Admin\Pictures\YijrmedmSk4L6ZaYNHz6KZ0y.exe
                "C:\Users\Admin\Pictures\YijrmedmSk4L6ZaYNHz6KZ0y.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=2864 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240421124115" --session-guid=ee642306-8c39-4eab-9735-9edba2bc60d2 --server-tracking-blob="YjJkMzQ0NDlhMDI5MWU3YjI1YzI0OGMzMjk4ODM2ZGU2MGQ2YWI5NDNiZGY4NzhkMzU2MTBhMDkxYzIwYTc5NTp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N19fMTIzIiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTAiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzEzNzAzMjQxLjA0MjkiLCJ1dG0iOnsiY2FtcGFpZ24iOiI3NjdfXzEyMyIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6Im1rdCJ9LCJ1dWlkIjoiYzRkMjMzMWQtOWMxNS00ZTZiLTg4YTctNThlODMyM2Q5ODE2In0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=7C05000000000000
                4⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Enumerates connected drives
                PID:2720
                • C:\Users\Admin\Pictures\YijrmedmSk4L6ZaYNHz6KZ0y.exe
                  C:\Users\Admin\Pictures\YijrmedmSk4L6ZaYNHz6KZ0y.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x2c4,0x2c8,0x2cc,0x2c0,0x2d0,0x6e25e1d0,0x6e25e1dc,0x6e25e1e8
                  5⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  PID:2664
              • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404211241151\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe
                "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404211241151\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"
                4⤵
                • Executes dropped EXE
                PID:1600
              • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404211241151\assistant\assistant_installer.exe
                "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404211241151\assistant\assistant_installer.exe" --version
                4⤵
                • Executes dropped EXE
                • Loads dropped DLL
                PID:4852
                • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404211241151\assistant\assistant_installer.exe
                  "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404211241151\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x8f6038,0x8f6044,0x8f6050
                  5⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  PID:2744
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2924 -ip 2924
          1⤵
            PID:4368
          • C:\Windows\System32\wuapihost.exe
            C:\Windows\System32\wuapihost.exe -Embedding
            1⤵
              PID:3688
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4412 -ip 4412
              1⤵
                PID:3452
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
                1⤵
                  PID:3376
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
                  1⤵
                    PID:3224
                  • C:\Windows\windefender.exe
                    C:\Windows\windefender.exe
                    1⤵
                    • Executes dropped EXE
                    • Modifies data under HKEY_USERS
                    PID:2472

                  Network

                  MITRE ATT&CK Enterprise v15

                  Reconnaissance

                  Resource Development

                  Initial Access

                  Execution

                  Scheduled Task/Job

                  1
                  T1053

                  Persistence

                  Boot or Logon Autostart Execution

                  1
                  T1547

                  Registry Run Keys / Startup Folder

                  1
                  T1547.001

                  Create or Modify System Process

                  2
                  T1543

                  Windows Service

                  2
                  T1543.003

                  Scheduled Task/Job

                  1
                  T1053

                  Privilege Escalation

                  Boot or Logon Autostart Execution

                  1
                  T1547

                  Registry Run Keys / Startup Folder

                  1
                  T1547.001

                  Create or Modify System Process

                  2
                  T1543

                  Windows Service

                  2
                  T1543.003

                  Scheduled Task/Job

                  1
                  T1053

                  Defense Evasion

                  Impair Defenses

                  1
                  T1562

                  Disable or Modify System Firewall

                  1
                  T1562.004

                  Modify Registry

                  3
                  T1112

                  Subvert Trust Controls

                  1
                  T1553

                  Install Root Certificate

                  1
                  T1553.004

                  Virtualization/Sandbox Evasion

                  1
                  T1497

                  Credential Access

                  Unsecured Credentials

                  1
                  T1552

                  Credentials In Files

                  1
                  T1552.001

                  Discovery

                  Peripheral Device Discovery

                  1
                  T1120

                  Query Registry

                  6
                  T1012

                  System Information Discovery

                  6
                  T1082

                  Virtualization/Sandbox Evasion

                  1
                  T1497

                  Lateral Movement

                  Collection

                  Data from Local System

                  1
                  T1005

                  Command and Control

                  Web Service

                  1
                  T1102

                  Exfiltration

                  Impact

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404211241151\additional_file0.tmp
                    Filesize

                    2.5MB

                    MD5

                    15d8c8f36cef095a67d156969ecdb896

                    SHA1

                    a1435deb5866cd341c09e56b65cdda33620fcc95

                    SHA256

                    1521c69f478e9ced2f64b8714b9e19724e747cd8166e0f7ab5db1151a523dda8

                    SHA512

                    d6f48180d4dcb5ba83a9c0166870ac00ea67b615e749edf5994bc50277bf97ca87f582ac6f374c5351df252db73ee1231c943b53432dbb7563e12bbaf5bb393a

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404211241151\assistant\assistant_installer.exe
                    Filesize

                    1.9MB

                    MD5

                    976bc8e5fe65f9bb56831e20f1747150

                    SHA1

                    f9e7f5628aaaabed9939ef055540e24590a9ccfb

                    SHA256

                    f53c916ccf3d24d6793227283de2db0f6cc98a2275413851807cc080643d21a0

                    SHA512

                    2858e7e08418b170b21b599afb02236d0480d35a5605de142f10976489e01daf2ad80df0f09c2eb38bc5a971336d1f6aa9909c520bcdb18e9c9a8e903379dcd9

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404211241151\assistant\dbgcore.dll
                    Filesize

                    166KB

                    MD5

                    9ebb919b96f6f94e1be4cdc6913ef629

                    SHA1

                    31e99ac4fba516f82b36bd81784e8d518b32f9df

                    SHA256

                    fdae21127deb16eb8ba36f2493d2255f4cb8ab4c18e8bd8ba5e587f5a7ecd119

                    SHA512

                    a1b42f7d2896da270bb3c80cf9b88c4b4f1491084e7aa7760eeea5533b26f041dc79b21d5ffd2bba2221fe118e0a8d912e170f24fd895c9315b1ee9c7adfe700

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404211241151\assistant\dbghelp.dll
                    Filesize

                    1.7MB

                    MD5

                    544255258f9d45b4608ccfd27a4ed1dd

                    SHA1

                    571e30ceb9c977817b5bbac306366ae59f773497

                    SHA256

                    3b02fc85602e83059f611c658e3cad6bc59c3c51214d4fe7e31f3ac31388dd68

                    SHA512

                    2093da881fa90eec2b90d1ca6eaaff608fe16ac612571a7fd5ed94dd5f7ff7e5c1e8c862bab0a228850829527886473e3942abd23a81d10cab8f9baad2cc7664

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404211241151\opera_package
                    Filesize

                    103.8MB

                    MD5

                    5014156e9ffbb75d1a8d5fc09fabdc42

                    SHA1

                    6968d1b5cec3039e53bbbedeee22e2d43d94c771

                    SHA256

                    7a01e11e1830ba3c154e5a6c383da15938b1e48f89a2fe4045cdd260924b6802

                    SHA512

                    bfc5c44881d0fa7bcbccfd530d874fa624adec50e1a16063a72de12876d2db10ca5edd6fa841ea63e9deca3ff2adf54065f50719fe051d41de92bb68edba4016

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Temp\Opera_installer_2404211241152632864.dll
                    Filesize

                    4.6MB

                    MD5

                    0415cb7be0361a74a039d5f31e72fa65

                    SHA1

                    46ae154436c8c059ee75cbc6a18ccda96bb2021d

                    SHA256

                    bb38a8806705980ee3e9181c099e8d5c425e6c9505a88e5af538ca6a48951798

                    SHA512

                    f71c2b9e1559aa4eb2d72f852ef9807c781d4a7b96b8e0c2c53b895885319146bd43aa6e4223d43159f3d40bc60704206404dc034500e47fca0a94e53b60239e

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe
                    Filesize

                    7.6MB

                    MD5

                    862bf3003dca41d88ac49a6846149623

                    SHA1

                    b34f1d42dd0649d6b83f9a92124a554f48df0434

                    SHA256

                    50c10789db130a98c63e6e7f6e23b1c89b38c5ea4678f1e06fd1796fba25c75c

                    SHA512

                    fe5ab7888633dbfecca57ecd1732360796c2f19c62fc4282e2a92e9b8b440cc01e25b7a0c6a608cf9c2e9c9e3c49a8509a08851afcaef7e1afc21c0abcc2c969

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Temp\Uninstallcheck_alpha\WCLDll.dll
                    Filesize

                    590KB

                    MD5

                    63206e3b4f1fa4dcfbe1f2cc5d0c4e9d

                    SHA1

                    fe731b2e9c296d9ecc75ed96c2d29fe46c7cd924

                    SHA256

                    8f5b8645b5e5ea48acc411b21a1b3cd56d2660ac931989b9f064c8ff82039885

                    SHA512

                    32bdcce9e8e7f1ebe50e114f65f762391d52f482a112515ccb16b09653b93873528ea1a7473a2512075bf8f729997a65f455bf6599482e997b85e06a2f87f3d6

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Temp\Uninstallcheck_alpha\cosmetician.mpeg
                    Filesize

                    79KB

                    MD5

                    8e1bbc6d6c4d207393b59853f73945ae

                    SHA1

                    b66d632eae41267175bf5332d43a785dd929d79f

                    SHA256

                    b04725aaa99b27e04c02bec7d98fb4511331ea53761272325fff9c27a679e279

                    SHA512

                    1b45a7be00f54498df289641745ca6ee99e11d63100fb838b96c2d9412f8b5f0ea5aa8b964f32a4f9182cd599765f5ca08b91e8e8eecd06d1c53543284a59001

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Temp\Uninstallcheck_alpha\msvcp140.dll
                    Filesize

                    427KB

                    MD5

                    71a0aa2d05e9174cefd568347bd9c70f

                    SHA1

                    cb9247a0fa59e47f72df7d1752424b33a903bbb2

                    SHA256

                    fdb3d86c512adff90967cb860d02a4682850ab96727f0376e4d4836504c50e47

                    SHA512

                    6e65520528facaa4058720eb16d6bfdcc7bb36923b7e8e6551f3526709f0fabafab123999e618438e6abe7efed4a1332547cfc988f2b24b0e3d91198b95a911a

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Temp\Uninstallcheck_alpha\ptInst.exe
                    Filesize

                    938KB

                    MD5

                    b15bac961f62448c872e1dc6d3931016

                    SHA1

                    1dcb61babb08fe5db711e379cb67335357a5db82

                    SHA256

                    bf1a0c67b433f52ebd304553f022baa34bfbca258c932d2b4b8b956b1467bfa5

                    SHA512

                    932119f7dc6710239481c80ad8baaed5c14a2085fcc514b6522671b1a4ebbaf488e43453f11d5aaf6dcef7a245db8de44d93ff255f7cf8385b7d00f31f2cc370

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Temp\Uninstallcheck_alpha\quersprung.vhd
                    Filesize

                    1.3MB

                    MD5

                    3bee67dd0e04559c8fdc7761336dee47

                    SHA1

                    027ef9dca01fb928db79e57b418130165f06ed5f

                    SHA256

                    57745aba2885cf8bf770e7e9195697c05e35333417ca23af153367bf31cbf812

                    SHA512

                    35fb66f98a57b0d14c3044a91abac3e0670d516edfd691d6670df034e8454c550d3d2e702ab90cd32b70fcba8aeb2e02b7b3a07b6a340a932738968473f77dce

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Temp\Uninstallcheck_alpha\vcruntime140.dll
                    Filesize

                    81KB

                    MD5

                    16b26bc43943531d7d7e379632ed4e63

                    SHA1

                    565287de39649e59e653a3612478c2186096d70a

                    SHA256

                    346f72c9a7584c2ab6ce65cd38a616c77ebddc0bbab2274c4e89dd5e62237517

                    SHA512

                    b5b7b4b8c5ab4276a34956e43f586272b1803ec3609253fee1bcc0a549aed7ba11d47404b023f7b67af701726bab95cca55738e7bd5bca272eca5ac71bb418cc

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k0eryx2r.ewj.ps1
                    Filesize

                    60B

                    MD5

                    d17fe0a3f47be24a6453e9ef58c94641

                    SHA1

                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                    SHA256

                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                    SHA512

                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                    Filesize

                    281KB

                    MD5

                    d98e33b66343e7c96158444127a117f6

                    SHA1

                    bb716c5509a2bf345c6c1152f6e3e1452d39d50d

                    SHA256

                    5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

                    SHA512

                    705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Temp\de973c0
                    Filesize

                    3.8MB

                    MD5

                    13418f74a7ce25cdd6997c9fcb718a0e

                    SHA1

                    f4c880821fee72c37c882b1e8ebf100efcafe31c

                    SHA256

                    a890935a36903669f35522c85c75e296404a4595453f060398cb64c5b0d6dfd0

                    SHA512

                    59017162877bbbdf823450a946e3e54e9130d8ebbf5baba24471c68a10d1fad3452be08c693cd7a78d0bf2fcfd6d3086edeec1a379f9b53fd66bb246c128d4c1

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Temp\u2h8.0.exe
                    Filesize

                    281KB

                    MD5

                    c5318e9c9f65897b3056660265c36606

                    SHA1

                    1c21d52fc5e89a209dea7d0926e129ab4e7c047e

                    SHA256

                    9d2aea90748a97565e0056764ab94e0c8ca44d2008b5f22a3285983b6a8f1e41

                    SHA512

                    d8b61ae8790c8ec299069a1aa3172c45951b49d864ab317f3743367fcdd7068825ef9a866124225464d4b1f8831a0eba8168014cddfe29feb85d20360224ed92

                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
                    Filesize

                    40B

                    MD5

                    b081c2f4dd03628d8c55560b683c2f43

                    SHA1

                    c0a3d5bf0fbb08256dbd9732f57e332500707734

                    SHA256

                    0a2a839fa5e1f4b77cd227192e4117e1cd55bc34dbbd0304c7e11289b6457cc4

                    SHA512

                    0f802d6ddec3bdab92ac4aeb18ccbd3c2a787595dc4495284bfc44129bf3f7142fc071d6b02fefdee4f0d52259390e3aeb9cef9eb8796862b297137200b79907

                    Download Submit
                  • C:\Users\Admin\Pictures\Gbay3tYWlrlCdeCohmFCJ5xg.exe
                    Filesize

                    7KB

                    MD5

                    5b423612b36cde7f2745455c5dd82577

                    SHA1

                    0187c7c80743b44e9e0c193e993294e3b969cc3d

                    SHA256

                    e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09

                    SHA512

                    c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

                    Download Submit
                  • C:\Users\Admin\Pictures\IyEc0DKHgStVM8HS1OfW8HLX.exe
                    Filesize

                    3.9MB

                    MD5

                    ffee05ea98b1d51026a44fad0841a8a9

                    SHA1

                    50a703329c7b9812c17a02b554cf406040079fec

                    SHA256

                    4cb040696b9ffb14794955b0e56eed04fde0cae3a5ee748dd513ad42c411c823

                    SHA512

                    626ddc18a906b74a231daa5bcc092a90708e0e3d42e4db645d59d19de7ef38a2d91a843f11dbc7873d379bfa14e87c5fc6d09a657e0b44abd24b9991cb971f86

                    Download Submit
                  • C:\Users\Admin\Pictures\SVuhZcqoCkyjaZNXeP8EAlVx.exe
                    Filesize

                    425KB

                    MD5

                    09eb90cae8ed15b4122a57034baf54c1

                    SHA1

                    b435f528d2b4678f7d62d200b2e5bde46a9b6272

                    SHA256

                    697a4d8670f9330d5aa6be0662390681851bb957bf1da3f5ec52b94ec647dbca

                    SHA512

                    ce186a4067f785dcd8c3487070611a5aa10936d106dfddc75a2a5e63def0143f7a5a66c3e946637aee708c4ae57ce547faf29b1dc7d3f8409178f1800dfa1130

                    Download Submit
                  • C:\Users\Admin\Pictures\UICTY6XdFzHkEkcLPbzfmXp3.exe
                    Filesize

                    4.1MB

                    MD5

                    782bd8a27c54fc9c58ea40e8a3e8f03c

                    SHA1

                    2b500d25ce1260d21ac710665a63f4ba3f239272

                    SHA256

                    9c3a3426921d1425ffae5e2da871be86df71a75413f63a0b07a07f29c6267d57

                    SHA512

                    972e24980c5d571e75ebe49f5779d9950d9afebc1e301746c6b16115139abf2893c8135b04c358284b30c1ca31872d1f542d41a5ccc794256f0e2b0641c272ed

                    Download Submit
                  • C:\Users\Admin\Pictures\YijrmedmSk4L6ZaYNHz6KZ0y.exe
                    Filesize

                    5.1MB

                    MD5

                    9fcd4ab09e9bc1be8b2f650f2c433ee8

                    SHA1

                    bda8ea70218012f5489e8eb7b9a44eebcb7edae6

                    SHA256

                    5244d42dd7f5cbfdf6b87bdec03f5fcfd3c1a8ba02981065aaa2b4b6ab8cb7a0

                    SHA512

                    340ef9c1d59065adeff6804f7a1c926530153953b676686f66549c6a5aaa4a68a9dc25d4e67fbab003e5af98b852fbc09d0b34a57cee99614b0146ec910d68f8

                    Download Submit
                  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                    Filesize

                    2KB

                    MD5

                    3d086a433708053f9bf9523e1d87a4e8

                    SHA1

                    b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

                    SHA256

                    6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

                    SHA512

                    931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

                    Download Submit
                  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                    Filesize

                    19KB

                    MD5

                    07c2f8bb8397c7a92a6ceef6937cc4d8

                    SHA1

                    4a8011ef4982b1a1f2739f328faa189a06d59b4f

                    SHA256

                    71013befe321446301d0c540e8275da502192c812d5482e0be961d4abec89d82

                    SHA512

                    8a24c9782000ac1e59990a634d721028e49daf70a0c89ea4883d0d1ea94bd6a59d58d96e16c5d2d8203bed247940d32b025ac2cb4bc325222a5efaa578064b4f

                    Download Submit
                  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                    Filesize

                    19KB

                    MD5

                    2c59ae6574ea633ef1dcb4bcb950b598

                    SHA1

                    46cf225217520a075289036ee0704acb1e225a79

                    SHA256

                    a042731e7fcbce8acc4088195494e7602979b667b67dddf90c89178846abf3a5

                    SHA512

                    6c9ed12d66f4ddbceec9f0ca2f78c250dc5b33fc0cddf3ae74e7f4114c1cd97dcfedfdd31b3433cf7766e8d3de1fa1fa41aba581178de6d3dc56616367b4f58c

                    Download Submit
                  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                    Filesize

                    19KB

                    MD5

                    1d49f1355f379b8dfbd116928ebfe0b6

                    SHA1

                    d6304c6de8ba0cc4f20b26b3108fdc9cc52686ba

                    SHA256

                    f05102c85bf95370a11eb7c386ca0896784af9d56986dac81dd3c02dcb6eb50d

                    SHA512

                    3ec83147290b86074e65e14f3d29e352ac55f4de8c8db30a72a97a90036c0371ff43b51209b9613425580325654a645db7222185f2fb66206de2fc612722a525

                    Download Submit
                  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                    Filesize

                    19KB

                    MD5

                    0bb757f52a992536c27eee149446c018

                    SHA1

                    94d919315c9b604c33283fdfccb4e75c7f6cc1cc

                    SHA256

                    ed0c1b37a29bfd542d531a97d8f6ebbb57f9fc4dc8554d843709bc391207af70

                    SHA512

                    ea5897b09a3b28387e22be8705e950c30d6ab4b7fee0269d6bec7a6283030caec6ee0833bbce1dcc3d2467e49d48448385f6d0290c571f45b7d83d8c443781b5

                    Download Submit
                  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                    Filesize

                    19KB

                    MD5

                    2eb19d427ec0e8858133f6e0c0f6bf53

                    SHA1

                    c4aeb19783185045dac2fc7dc14ec8ea12890d40

                    SHA256

                    3429672915e32a5683f28b9961ee8ab3101ad4213fe5953f2961e07fa655c6e9

                    SHA512

                    c7aac287bd5f4ac22346e582cbdce00c9153c7d38057e0acf15f154c8e0665460f4d22d3b5907305b5cd51f383a9033ca296f302917975507e64e6bea776081e

                    Download Submit
                  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                    Filesize

                    19KB

                    MD5

                    7e1c2250c3fe140dabc3ef4fad61de06

                    SHA1

                    a48516491149117dc70f93dc9858f5d258e4031a

                    SHA256

                    024bb048ac35bce209475ec9dbb3a113e2c45fc82b950a9f6cd538b4e8ee92c1

                    SHA512

                    b1f04cba624fa0de2c9b39bcd2cf8453592b99d313d604ecca886ca60024d961f3865df2eb4471f4f39cb8fc7a987aa1282ea51fcaed65476bde03a05090fe24

                    Download Submit
                  • C:\Windows\System32\GroupPolicy\gpt.ini
                    Filesize

                    127B

                    MD5

                    8ef9853d1881c5fe4d681bfb31282a01

                    SHA1

                    a05609065520e4b4e553784c566430ad9736f19f

                    SHA256

                    9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

                    SHA512

                    5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

                    Download Submit
                  • C:\Windows\windefender.exe
                    Filesize

                    2.0MB

                    MD5

                    8e67f58837092385dcf01e8a2b4f5783

                    SHA1

                    012c49cfd8c5d06795a6f67ea2baf2a082cf8625

                    SHA256

                    166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

                    SHA512

                    40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

                    Download Submit
                  • memory/1472-695-0x000000006D500000-0x000000006D67B000-memory.dmp
                    Filesize

                    1.5MB

                    Download
                  • memory/1472-696-0x00007FFEE9FD0000-0x00007FFEEA1C5000-memory.dmp
                    Filesize

                    2.0MB

                    Download
                  • memory/1472-703-0x000000006D500000-0x000000006D67B000-memory.dmp
                    Filesize

                    1.5MB

                    Download
                  • memory/1516-148-0x0000000004020000-0x000000000490B000-memory.dmp
                    Filesize

                    8.9MB

                    Download
                  • memory/1516-152-0x0000000000400000-0x0000000001DEE000-memory.dmp
                    Filesize

                    25.9MB

                    Download
                  • memory/1516-31-0x0000000003C20000-0x0000000004019000-memory.dmp
                    Filesize

                    4.0MB

                    Download
                  • memory/1516-39-0x0000000004020000-0x000000000490B000-memory.dmp
                    Filesize

                    8.9MB

                    Download
                  • memory/1516-44-0x0000000000400000-0x0000000001DEE000-memory.dmp
                    Filesize

                    25.9MB

                    Download
                  • memory/1788-701-0x0000000000400000-0x0000000000BEB000-memory.dmp
                    Filesize

                    7.9MB

                    Download
                  • memory/1788-700-0x000000006D500000-0x000000006D67B000-memory.dmp
                    Filesize

                    1.5MB

                    Download
                  • memory/1788-658-0x00007FFEE9FD0000-0x00007FFEEA1C5000-memory.dmp
                    Filesize

                    2.0MB

                    Download
                  • memory/1788-651-0x0000000000400000-0x0000000000BEB000-memory.dmp
                    Filesize

                    7.9MB

                    Download
                  • memory/1788-657-0x000000006D500000-0x000000006D67B000-memory.dmp
                    Filesize

                    1.5MB

                    Download
                  • memory/1788-660-0x000000006D500000-0x000000006D67B000-memory.dmp
                    Filesize

                    1.5MB

                    Download
                  • memory/1864-45-0x0000000003FF0000-0x00000000048DB000-memory.dmp
                    Filesize

                    8.9MB

                    Download
                  • memory/1864-46-0x0000000003BE0000-0x0000000003FE7000-memory.dmp
                    Filesize

                    4.0MB

                    Download
                  • memory/1864-47-0x0000000000400000-0x0000000001DEE000-memory.dmp
                    Filesize

                    25.9MB

                    Download
                  • memory/1864-146-0x0000000000400000-0x0000000001DEE000-memory.dmp
                    Filesize

                    25.9MB

                    Download
                  • memory/2044-549-0x0000000000400000-0x00000000008DF000-memory.dmp
                    Filesize

                    4.9MB

                    Download
                  • memory/2204-147-0x0000000003A40000-0x0000000003E42000-memory.dmp
                    Filesize

                    4.0MB

                    Download
                  • memory/2204-353-0x0000000000400000-0x0000000001DEE000-memory.dmp
                    Filesize

                    25.9MB

                    Download
                  • memory/2204-385-0x0000000000400000-0x0000000001DEE000-memory.dmp
                    Filesize

                    25.9MB

                    Download
                  • memory/2204-149-0x0000000000400000-0x0000000001DEE000-memory.dmp
                    Filesize

                    25.9MB

                    Download
                  • memory/2472-637-0x0000000000400000-0x00000000008DF000-memory.dmp
                    Filesize

                    4.9MB

                    Download
                  • memory/2472-564-0x0000000000400000-0x00000000008DF000-memory.dmp
                    Filesize

                    4.9MB

                    Download
                  • memory/2832-108-0x000000006F360000-0x000000006F6B4000-memory.dmp
                    Filesize

                    3.3MB

                    Download
                  • memory/2832-132-0x0000000007ED0000-0x0000000007F66000-memory.dmp
                    Filesize

                    600KB

                    Download
                  • memory/2832-106-0x000000006F910000-0x000000006F95C000-memory.dmp
                    Filesize

                    304KB

                    Download
                  • memory/2832-98-0x0000000007A60000-0x0000000007AD6000-memory.dmp
                    Filesize

                    472KB

                    Download
                  • memory/2832-100-0x0000000008160000-0x00000000087DA000-memory.dmp
                    Filesize

                    6.5MB

                    Download
                  • memory/2832-130-0x0000000003240000-0x0000000003250000-memory.dmp
                    Filesize

                    64KB

                    Download
                  • memory/2832-129-0x0000000007D10000-0x0000000007DB3000-memory.dmp
                    Filesize

                    652KB

                    Download
                  • memory/2832-137-0x0000000007EB0000-0x0000000007EB8000-memory.dmp
                    Filesize

                    32KB

                    Download
                  • memory/2832-107-0x000000007F080000-0x000000007F090000-memory.dmp
                    Filesize

                    64KB

                    Download
                  • memory/2832-134-0x0000000007E70000-0x0000000007E7E000-memory.dmp
                    Filesize

                    56KB

                    Download
                  • memory/2832-135-0x0000000007E80000-0x0000000007E94000-memory.dmp
                    Filesize

                    80KB

                    Download
                  • memory/2832-136-0x0000000007F70000-0x0000000007F8A000-memory.dmp
                    Filesize

                    104KB

                    Download
                  • memory/2832-133-0x0000000007E30000-0x0000000007E41000-memory.dmp
                    Filesize

                    68KB

                    Download
                  • memory/2832-96-0x0000000006780000-0x00000000067CC000-memory.dmp
                    Filesize

                    304KB

                    Download
                  • memory/2832-95-0x0000000006750000-0x000000000676E000-memory.dmp
                    Filesize

                    120KB

                    Download
                  • memory/2832-140-0x00000000746B0000-0x0000000074E60000-memory.dmp
                    Filesize

                    7.7MB

                    Download
                  • memory/2832-93-0x0000000003240000-0x0000000003250000-memory.dmp
                    Filesize

                    64KB

                    Download
                  • memory/2832-83-0x0000000003240000-0x0000000003250000-memory.dmp
                    Filesize

                    64KB

                    Download
                  • memory/2832-66-0x0000000005950000-0x0000000005F78000-memory.dmp
                    Filesize

                    6.2MB

                    Download
                  • memory/2832-67-0x00000000746B0000-0x0000000074E60000-memory.dmp
                    Filesize

                    7.7MB

                    Download
                  • memory/2832-65-0x0000000003160000-0x0000000003196000-memory.dmp
                    Filesize

                    216KB

                    Download
                  • memory/2924-99-0x00000000074E0000-0x00000000074FA000-memory.dmp
                    Filesize

                    104KB

                    Download
                  • memory/2924-76-0x0000000005D20000-0x0000000005D86000-memory.dmp
                    Filesize

                    408KB

                    Download
                  • memory/2924-68-0x0000000005460000-0x0000000005482000-memory.dmp
                    Filesize

                    136KB

                    Download
                  • memory/2924-70-0x0000000005C40000-0x0000000005CA6000-memory.dmp
                    Filesize

                    408KB

                    Download
                  • memory/2924-69-0x00000000746B0000-0x0000000074E60000-memory.dmp
                    Filesize

                    7.7MB

                    Download
                  • memory/2924-77-0x00000000029D0000-0x00000000029E0000-memory.dmp
                    Filesize

                    64KB

                    Download
                  • memory/2924-82-0x00000000029D0000-0x00000000029E0000-memory.dmp
                    Filesize

                    64KB

                    Download
                  • memory/2924-94-0x0000000005E90000-0x00000000061E4000-memory.dmp
                    Filesize

                    3.3MB

                    Download
                  • memory/2924-97-0x0000000006870000-0x00000000068B4000-memory.dmp
                    Filesize

                    272KB

                    Download
                  • memory/2924-103-0x000000007F980000-0x000000007F990000-memory.dmp
                    Filesize

                    64KB

                    Download
                  • memory/2924-105-0x000000006F360000-0x000000006F6B4000-memory.dmp
                    Filesize

                    3.3MB

                    Download
                  • memory/2924-118-0x00000000078E0000-0x00000000078FE000-memory.dmp
                    Filesize

                    120KB

                    Download
                  • memory/2924-104-0x000000006F910000-0x000000006F95C000-memory.dmp
                    Filesize

                    304KB

                    Download
                  • memory/2924-101-0x00000000078A0000-0x00000000078D2000-memory.dmp
                    Filesize

                    200KB

                    Download
                  • memory/2924-131-0x00000000079F0000-0x00000000079FA000-memory.dmp
                    Filesize

                    40KB

                    Download
                  • memory/2924-141-0x00000000746B0000-0x0000000074E60000-memory.dmp
                    Filesize

                    7.7MB

                    Download
                  • memory/3080-686-0x00007FFEE9FD0000-0x00007FFEEA1C5000-memory.dmp
                    Filesize

                    2.0MB

                    Download
                  • memory/3080-685-0x000000006D500000-0x000000006D67B000-memory.dmp
                    Filesize

                    1.5MB

                    Download
                  • memory/3212-256-0x0000000000400000-0x0000000001A35000-memory.dmp
                    Filesize

                    22.2MB

                    Download
                  • memory/3212-178-0x0000000001CA0000-0x0000000001DA0000-memory.dmp
                    Filesize

                    1024KB

                    Download
                  • memory/3212-62-0x0000000001CA0000-0x0000000001DA0000-memory.dmp
                    Filesize

                    1024KB

                    Download
                  • memory/3212-177-0x0000000000400000-0x0000000001A35000-memory.dmp
                    Filesize

                    22.2MB

                    Download
                  • memory/3212-442-0x0000000000400000-0x0000000001A35000-memory.dmp
                    Filesize

                    22.2MB

                    Download
                  • memory/3212-64-0x0000000000400000-0x0000000001A35000-memory.dmp
                    Filesize

                    22.2MB

                    Download
                  • memory/3212-697-0x0000000000400000-0x0000000001A35000-memory.dmp
                    Filesize

                    22.2MB

                    Download
                  • memory/3212-63-0x0000000001C20000-0x0000000001C8E000-memory.dmp
                    Filesize

                    440KB

                    Download
                  • memory/3688-162-0x00000000746B0000-0x0000000074E60000-memory.dmp
                    Filesize

                    7.7MB

                    Download
                  • memory/3688-156-0x0000000002610000-0x0000000002620000-memory.dmp
                    Filesize

                    64KB

                    Download
                  • memory/4016-163-0x0000000005740000-0x0000000005A94000-memory.dmp
                    Filesize

                    3.3MB

                    Download
                  • memory/4016-155-0x00000000028C0000-0x00000000028D0000-memory.dmp
                    Filesize

                    64KB

                    Download
                  • memory/4016-154-0x00000000028C0000-0x00000000028D0000-memory.dmp
                    Filesize

                    64KB

                    Download
                  • memory/4016-153-0x00000000746B0000-0x0000000074E60000-memory.dmp
                    Filesize

                    7.7MB

                    Download
                  • memory/4216-2-0x00000000052C0000-0x00000000052D0000-memory.dmp
                    Filesize

                    64KB

                    Download
                  • memory/4216-128-0x00000000052C0000-0x00000000052D0000-memory.dmp
                    Filesize

                    64KB

                    Download
                  • memory/4216-1-0x00000000746B0000-0x0000000074E60000-memory.dmp
                    Filesize

                    7.7MB

                    Download
                  • memory/4216-102-0x00000000746B0000-0x0000000074E60000-memory.dmp
                    Filesize

                    7.7MB

                    Download
                  • memory/4216-0-0x0000000000400000-0x0000000000408000-memory.dmp
                    Filesize

                    32KB

                    Download
                  • memory/4336-638-0x0000000000400000-0x0000000001DEE000-memory.dmp
                    Filesize

                    25.9MB

                    Download
                  • memory/4336-706-0x0000000000400000-0x0000000001DEE000-memory.dmp
                    Filesize

                    25.9MB

                    Download
                  • memory/4336-633-0x0000000000400000-0x0000000001DEE000-memory.dmp
                    Filesize

                    25.9MB

                    Download
                  • memory/4336-494-0x0000000000400000-0x0000000001DEE000-memory.dmp
                    Filesize

                    25.9MB

                    Download
                  • memory/4336-565-0x0000000000400000-0x0000000001DEE000-memory.dmp
                    Filesize

                    25.9MB

                    Download
                  • memory/4336-560-0x0000000000400000-0x0000000001DEE000-memory.dmp
                    Filesize

                    25.9MB

                    Download
                  • memory/4412-380-0x0000000000400000-0x0000000001A11000-memory.dmp
                    Filesize

                    22.1MB

                    Download
                  • memory/4420-355-0x0000000000400000-0x0000000001DEE000-memory.dmp
                    Filesize

                    25.9MB

                    Download
                  • memory/4420-406-0x0000000000400000-0x0000000001DEE000-memory.dmp
                    Filesize

                    25.9MB

                    Download
                  • memory/4420-150-0x0000000003B50000-0x0000000003F4A000-memory.dmp
                    Filesize

                    4.0MB

                    Download
                  • memory/4420-151-0x0000000000400000-0x0000000001DEE000-memory.dmp
                    Filesize

                    25.9MB

                    Download
                  • memory/4740-493-0x00007FF71FB60000-0x00007FF720669000-memory.dmp
                    Filesize

                    11.0MB

                    Download
                  • memory/4740-350-0x00007FF71FB60000-0x00007FF720669000-memory.dmp
                    Filesize

                    11.0MB

                    Download
                  • memory/4740-354-0x00007FF71FB60000-0x00007FF720669000-memory.dmp
                    Filesize

                    11.0MB

                    Download
                  • memory/4740-345-0x00007FF71FB60000-0x00007FF720669000-memory.dmp
                    Filesize

                    11.0MB

                    Download
                  • memory/4740-334-0x00007FF71FB60000-0x00007FF720669000-memory.dmp
                    Filesize

                    11.0MB

                    Download
                  • memory/4740-347-0x00007FF71FB60000-0x00007FF720669000-memory.dmp
                    Filesize

                    11.0MB

                    Download
                  • memory/5056-707-0x00007FFEE9FD0000-0x00007FFEEA1C5000-memory.dmp
                    Filesize

                    2.0MB

                    Download