amadey | a70bef9e7c594db6f948ed275fb995527f92bf4536da46b0f0a134f1092c1977

Analysis

max time kernel
91s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a70bef9e7c594db6f948ed275fb995527f92bf4536da46b0f0a134f1092c1977.exe
Size

1.8MB
MD5

8196ce484e7137d2ad7be00255ddc42c
SHA1

3c15db55a651787b3e7ce168dc83b47dfda4caff
SHA256

a70bef9e7c594db6f948ed275fb995527f92bf4536da46b0f0a134f1092c1977
SHA512

3566c3ebdffadb02da673b5791f36d7d449e3f29c650dd73c975cf0545c7b7e629a9c6906be5ab09bef3d29deb448479396b37f96872d05d1281af3bdb2f812c
SSDEEP

49152:03/bnMUU8XZfvoXtYRBYdC/kCNBPL6VWWts/UyyXh+FzmH:0jnMU7ZXo9YsC/kCPL6Z+0Am

Score

10^/10

amadey glupteba risepro stealc xworm dropper evasion loader persistence rat stealer themida trojan

Malware Config

Extracted

Family

amadey

Version

4.20

http://193.233.132.139

Attributes

install_dir
5454e6f062
install_file
explorta.exe
strings_key
c7a869c5ba1d72480093ec207994e2bf
url_paths
/sev56rkm/index.php

rc4.plain

Extracted

Family

amadey

Version

4.17

http://193.233.132.167

Attributes

install_dir
4d0ab15804
install_file
chrosha.exe
strings_key
1a9519d7b465e1f4880fa09a6162d768
url_paths
/enigma/index.php

rc4.plain

Extracted

Family

xworm

Version

5.0

127.0.0.1:7000

91.92.252.220:7000

41.199.23.195:7000

saveclinetsforme68465454711991.publicvm.com:7000

Mutex

bBT8anvIxhxDFmkf

Attributes

Install_directory
%AppData%
install_file
explorer.exe
telegram
https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672

aes.plain

Extracted

Family

stealc

http://185.172.128.62

Attributes

url_path
/902e53a07830e030.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Detect Xworm Payload 2 IoCs

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe family_xworm
behavioral1/memory/6072-245-0x00000000006C0000-0x00000000006D2000-memory.dmp family_xworm
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe	family_xworm
behavioral1/memory/6072-245-0x00000000006C0000-0x00000000006D2000-memory.dmp	family_xworm

Glupteba payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5748-637-0x0000000000400000-0x0000000001DFC000-memory.dmp	family_glupteba
behavioral1/memory/5944-638-0x0000000000400000-0x0000000001DFC000-memory.dmp	family_glupteba
behavioral1/memory/5748-643-0x0000000000400000-0x0000000001DFC000-memory.dmp	family_glupteba
behavioral1/memory/5944-644-0x0000000000400000-0x0000000001DFC000-memory.dmp	family_glupteba
behavioral1/memory/5748-731-0x0000000000400000-0x0000000001DFC000-memory.dmp	family_glupteba
behavioral1/memory/5944-732-0x0000000000400000-0x0000000001DFC000-memory.dmp	family_glupteba

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

53a44f07a5.exeexplorta.exechrosha.exea70bef9e7c594db6f948ed275fb995527f92bf4536da46b0f0a134f1092c1977.exeexplorta.exeexplorta.exeamert.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	53a44f07a5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	chrosha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a70bef9e7c594db6f948ed275fb995527f92bf4536da46b0f0a134f1092c1977.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorta.exeexplorta.exeamert.exeexplorta.exechrosha.exea70bef9e7c594db6f948ed275fb995527f92bf4536da46b0f0a134f1092c1977.exe53a44f07a5.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	chrosha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	chrosha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a70bef9e7c594db6f948ed275fb995527f92bf4536da46b0f0a134f1092c1977.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	53a44f07a5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a70bef9e7c594db6f948ed275fb995527f92bf4536da46b0f0a134f1092c1977.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	53a44f07a5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorta.exea9b4e23f92.exechrosha.exea70bef9e7c594db6f948ed275fb995527f92bf4536da46b0f0a134f1092c1977.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	explorta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	a9b4e23f92.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	chrosha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	a70bef9e7c594db6f948ed275fb995527f92bf4536da46b0f0a134f1092c1977.exe

Executes dropped EXE 9 IoCs

Processes:

explorta.exeexplorta.exeamert.exea9b4e23f92.exe53a44f07a5.exeexplorta.exechrosha.exefile300un.exemstc.exe

pid process

100 explorta.exe
640 explorta.exe
4248 amert.exe
3064 a9b4e23f92.exe
4088 53a44f07a5.exe
3980 explorta.exe
4788 chrosha.exe
5492 file300un.exe
6072 mstc.exe

pid	process
100	explorta.exe
640	explorta.exe
4248	amert.exe
3064	a9b4e23f92.exe
4088	53a44f07a5.exe
3980	explorta.exe
4788	chrosha.exe
5492	file300un.exe
6072	mstc.exe

Identifies Wine through registry keys 2 TTPs 7 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

explorta.exechrosha.exea70bef9e7c594db6f948ed275fb995527f92bf4536da46b0f0a134f1092c1977.exeexplorta.exeexplorta.exeamert.exe53a44f07a5.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine	explorta.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine	chrosha.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine	a70bef9e7c594db6f948ed275fb995527f92bf4536da46b0f0a134f1092c1977.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine	explorta.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine	explorta.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine	amert.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine	53a44f07a5.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\5LkLDp2ruqQQK1sRNAXKSXaC.exe	themida
behavioral1/memory/5548-398-0x0000000140000000-0x000000014072B000-memory.dmp	themida
behavioral1/memory/5548-640-0x0000000140000000-0x000000014072B000-memory.dmp	themida

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorta.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a9b4e23f92.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\a9b4e23f92.exe"	explorta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\53a44f07a5.exe = "C:\\Users\\Admin\\1000017002\\53a44f07a5.exe"	explorta.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

100 pastebin.com
101 pastebin.com
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

97 ip-api.com
166 api.myip.com
167 api.myip.com
170 ipinfo.io
171 ipinfo.io
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\1000016001\a9b4e23f92.exe autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

Processes:

a70bef9e7c594db6f948ed275fb995527f92bf4536da46b0f0a134f1092c1977.exeexplorta.exeexplorta.exeamert.exe53a44f07a5.exeexplorta.exechrosha.exe

pid process

4660 a70bef9e7c594db6f948ed275fb995527f92bf4536da46b0f0a134f1092c1977.exe
100 explorta.exe
640 explorta.exe
4248 amert.exe
4088 53a44f07a5.exe
3980 explorta.exe
4788 chrosha.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

file300un.exe

description pid process target process

PID 5492 set thread context of 5848 5492 file300un.exe installutil.exe
Drops file in Windows directory 2 IoCs

Processes:

a70bef9e7c594db6f948ed275fb995527f92bf4536da46b0f0a134f1092c1977.exeamert.exe

description ioc process

File created C:\Windows\Tasks\explorta.job a70bef9e7c594db6f948ed275fb995527f92bf4536da46b0f0a134f1092c1977.exe
File created C:\Windows\Tasks\chrosha.job amert.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

6696 608 WerFault.exe qeRELOeyTSRSfaRvw4VDP0bF.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1532 schtasks.exe
2784 schtasks.exe

flow	ioc
100	pastebin.com
101	pastebin.com

flow	ioc
97	ip-api.com
166	api.myip.com
167	api.myip.com
170	ipinfo.io
171	ipinfo.io

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000016001\a9b4e23f92.exe	autoit_exe

description	pid	process	target process
PID 5492 set thread context of 5848	5492	file300un.exe	installutil.exe

description	ioc	process
File created	C:\Windows\Tasks\explorta.job	a70bef9e7c594db6f948ed275fb995527f92bf4536da46b0f0a134f1092c1977.exe
File created	C:\Windows\Tasks\chrosha.job	amert.exe

pid	pid_target	process	target process
6696	608	WerFault.exe	qeRELOeyTSRSfaRvw4VDP0bF.exe

pid	process
1532	schtasks.exe
2784	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133587613947202701"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{0B8CAF11-1A35-4C0A-82FB-8A9AE6D437CB}	chrome.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

a70bef9e7c594db6f948ed275fb995527f92bf4536da46b0f0a134f1092c1977.exeexplorta.exeexplorta.exeamert.exechrome.exe53a44f07a5.exeexplorta.exechrosha.exe

pid	process
4660	a70bef9e7c594db6f948ed275fb995527f92bf4536da46b0f0a134f1092c1977.exe
4660	a70bef9e7c594db6f948ed275fb995527f92bf4536da46b0f0a134f1092c1977.exe
100	explorta.exe
100	explorta.exe
640	explorta.exe
640	explorta.exe
4248	amert.exe
4248	amert.exe
1484	chrome.exe
1484	chrome.exe
4088	53a44f07a5.exe
4088	53a44f07a5.exe
3980	explorta.exe
3980	explorta.exe
4788	chrosha.exe
4788	chrosha.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

1484 chrome.exe
1484 chrome.exe
1484 chrome.exe
1484 chrome.exe

pid	process
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

Processes:

a70bef9e7c594db6f948ed275fb995527f92bf4536da46b0f0a134f1092c1977.exea9b4e23f92.exechrome.exe

pid	process
4660	a70bef9e7c594db6f948ed275fb995527f92bf4536da46b0f0a134f1092c1977.exe
3064	a9b4e23f92.exe
3064	a9b4e23f92.exe
3064	a9b4e23f92.exe
3064	a9b4e23f92.exe
3064	a9b4e23f92.exe
3064	a9b4e23f92.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe

Suspicious use of SendNotifyMessage 30 IoCs

Processes:

a9b4e23f92.exechrome.exe

pid	process
3064	a9b4e23f92.exe
3064	a9b4e23f92.exe
3064	a9b4e23f92.exe
3064	a9b4e23f92.exe
3064	a9b4e23f92.exe
3064	a9b4e23f92.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a70bef9e7c594db6f948ed275fb995527f92bf4536da46b0f0a134f1092c1977.exeexplorta.exea9b4e23f92.exechrome.exe

description	pid	process	target process
PID 4660 wrote to memory of 100	4660	a70bef9e7c594db6f948ed275fb995527f92bf4536da46b0f0a134f1092c1977.exe	explorta.exe
PID 4660 wrote to memory of 100	4660	a70bef9e7c594db6f948ed275fb995527f92bf4536da46b0f0a134f1092c1977.exe	explorta.exe
PID 4660 wrote to memory of 100	4660	a70bef9e7c594db6f948ed275fb995527f92bf4536da46b0f0a134f1092c1977.exe	explorta.exe
PID 100 wrote to memory of 3276	100	explorta.exe	explorta.exe
PID 100 wrote to memory of 3276	100	explorta.exe	explorta.exe
PID 100 wrote to memory of 3276	100	explorta.exe	explorta.exe
PID 100 wrote to memory of 4248	100	explorta.exe	amert.exe
PID 100 wrote to memory of 4248	100	explorta.exe	amert.exe
PID 100 wrote to memory of 4248	100	explorta.exe	amert.exe
PID 100 wrote to memory of 3064	100	explorta.exe	a9b4e23f92.exe
PID 100 wrote to memory of 3064	100	explorta.exe	a9b4e23f92.exe
PID 100 wrote to memory of 3064	100	explorta.exe	a9b4e23f92.exe
PID 3064 wrote to memory of 1484	3064	a9b4e23f92.exe	chrome.exe
PID 3064 wrote to memory of 1484	3064	a9b4e23f92.exe	chrome.exe
PID 1484 wrote to memory of 3900	1484	chrome.exe	chrome.exe
PID 1484 wrote to memory of 3900	1484	chrome.exe	chrome.exe
PID 1484 wrote to memory of 4440	1484	chrome.exe	chrome.exe
PID 1484 wrote to memory of 4440	1484	chrome.exe	chrome.exe
PID 1484 wrote to memory of 4440	1484	chrome.exe	chrome.exe
PID 1484 wrote to memory of 4440	1484	chrome.exe	chrome.exe
PID 1484 wrote to memory of 4440	1484	chrome.exe	chrome.exe
PID 1484 wrote to memory of 4440	1484	chrome.exe	chrome.exe
PID 1484 wrote to memory of 4440	1484	chrome.exe	chrome.exe
PID 1484 wrote to memory of 4440	1484	chrome.exe	chrome.exe
PID 1484 wrote to memory of 4440	1484	chrome.exe	chrome.exe
PID 1484 wrote to memory of 4440	1484	chrome.exe	chrome.exe
PID 1484 wrote to memory of 4440	1484	chrome.exe	chrome.exe
PID 1484 wrote to memory of 4440	1484	chrome.exe	chrome.exe
PID 1484 wrote to memory of 4440	1484	chrome.exe	chrome.exe
PID 1484 wrote to memory of 4440	1484	chrome.exe	chrome.exe
PID 1484 wrote to memory of 4440	1484	chrome.exe	chrome.exe
PID 1484 wrote to memory of 4440	1484	chrome.exe	chrome.exe
PID 1484 wrote to memory of 4440	1484	chrome.exe	chrome.exe
PID 1484 wrote to memory of 4440	1484	chrome.exe	chrome.exe
PID 1484 wrote to memory of 4440	1484	chrome.exe	chrome.exe
PID 1484 wrote to memory of 4440	1484	chrome.exe	chrome.exe
PID 1484 wrote to memory of 4440	1484	chrome.exe	chrome.exe
PID 1484 wrote to memory of 4440	1484	chrome.exe	chrome.exe
PID 1484 wrote to memory of 4440	1484	chrome.exe	chrome.exe
PID 1484 wrote to memory of 4440	1484	chrome.exe	chrome.exe
PID 1484 wrote to memory of 4440	1484	chrome.exe	chrome.exe
PID 1484 wrote to memory of 4440	1484	chrome.exe	chrome.exe
PID 1484 wrote to memory of 4440	1484	chrome.exe	chrome.exe
PID 1484 wrote to memory of 4440	1484	chrome.exe	chrome.exe
PID 1484 wrote to memory of 4440	1484	chrome.exe	chrome.exe
PID 1484 wrote to memory of 4440	1484	chrome.exe	chrome.exe
PID 1484 wrote to memory of 4440	1484	chrome.exe	chrome.exe
PID 1484 wrote to memory of 4440	1484	chrome.exe	chrome.exe
PID 1484 wrote to memory of 4440	1484	chrome.exe	chrome.exe
PID 1484 wrote to memory of 4440	1484	chrome.exe	chrome.exe
PID 1484 wrote to memory of 4440	1484	chrome.exe	chrome.exe
PID 1484 wrote to memory of 4440	1484	chrome.exe	chrome.exe
PID 1484 wrote to memory of 4440	1484	chrome.exe	chrome.exe
PID 1484 wrote to memory of 4440	1484	chrome.exe	chrome.exe
PID 1484 wrote to memory of 3184	1484	chrome.exe	chrome.exe
PID 1484 wrote to memory of 3184	1484	chrome.exe	chrome.exe
PID 1484 wrote to memory of 2456	1484	chrome.exe	chrome.exe
PID 1484 wrote to memory of 2456	1484	chrome.exe	chrome.exe
PID 1484 wrote to memory of 2456	1484	chrome.exe	chrome.exe
PID 1484 wrote to memory of 2456	1484	chrome.exe	chrome.exe
PID 1484 wrote to memory of 2456	1484	chrome.exe	chrome.exe
PID 1484 wrote to memory of 2456	1484	chrome.exe	chrome.exe
PID 1484 wrote to memory of 2456	1484	chrome.exe	chrome.exe
PID 1484 wrote to memory of 2456	1484	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\a70bef9e7c594db6f948ed275fb995527f92bf4536da46b0f0a134f1092c1977.exe
"C:\Users\Admin\AppData\Local\Temp\a70bef9e7c594db6f948ed275fb995527f92bf4536da46b0f0a134f1092c1977.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4660

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:100

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
3⤵
PID:3276

C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe
"C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4248

C:\Users\Admin\AppData\Local\Temp\1000016001\a9b4e23f92.exe
"C:\Users\Admin\AppData\Local\Temp\1000016001\a9b4e23f92.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
4⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8a1f69758,0x7ff8a1f69768,0x7ff8a1f69778
5⤵
PID:3900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1688 --field-trial-handle=1876,i,2696179344700709829,7465801819866079003,131072 /prefetch:2
5⤵
PID:4440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1876,i,2696179344700709829,7465801819866079003,131072 /prefetch:8
5⤵
PID:3184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1832 --field-trial-handle=1876,i,2696179344700709829,7465801819866079003,131072 /prefetch:8
5⤵
PID:2456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3240 --field-trial-handle=1876,i,2696179344700709829,7465801819866079003,131072 /prefetch:1
5⤵
PID:928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3256 --field-trial-handle=1876,i,2696179344700709829,7465801819866079003,131072 /prefetch:1
5⤵
PID:2772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4704 --field-trial-handle=1876,i,2696179344700709829,7465801819866079003,131072 /prefetch:1
5⤵
PID:5180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4036 --field-trial-handle=1876,i,2696179344700709829,7465801819866079003,131072 /prefetch:1
5⤵
PID:5324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3868 --field-trial-handle=1876,i,2696179344700709829,7465801819866079003,131072 /prefetch:8
5⤵
PID:5436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 --field-trial-handle=1876,i,2696179344700709829,7465801819866079003,131072 /prefetch:8
5⤵
- Modifies registry class
PID:5444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 --field-trial-handle=1876,i,2696179344700709829,7465801819866079003,131072 /prefetch:8
5⤵
PID:5716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3460 --field-trial-handle=1876,i,2696179344700709829,7465801819866079003,131072 /prefetch:8
5⤵
PID:5828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5288 --field-trial-handle=1876,i,2696179344700709829,7465801819866079003,131072 /prefetch:2
5⤵
PID:4520

C:\Users\Admin\1000017002\53a44f07a5.exe
"C:\Users\Admin\1000017002\53a44f07a5.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4088

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:640

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3688 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
1⤵
PID:6080

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4788

C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe
"C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
3⤵
PID:5848

C:\Users\Admin\Pictures\qeRELOeyTSRSfaRvw4VDP0bF.exe
"C:\Users\Admin\Pictures\qeRELOeyTSRSfaRvw4VDP0bF.exe"
4⤵
PID:608

C:\Users\Admin\AppData\Local\Temp\ugw.0.exe
"C:\Users\Admin\AppData\Local\Temp\ugw.0.exe"
5⤵
PID:5176

C:\Users\Admin\AppData\Local\Temp\ugw.2\run.exe
"C:\Users\Admin\AppData\Local\Temp\ugw.2\run.exe"
5⤵
PID:1780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
6⤵
PID:6660

C:\Users\Admin\AppData\Local\Temp\ugw.3.exe
"C:\Users\Admin\AppData\Local\Temp\ugw.3.exe"
5⤵
PID:6500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 608 -s 1592
5⤵
- Program crash
PID:6696

C:\Users\Admin\Pictures\Tf3qZrLLuoAwPFJAAXnrbWLq.exe
"C:\Users\Admin\Pictures\Tf3qZrLLuoAwPFJAAXnrbWLq.exe"
4⤵
PID:5748

C:\Users\Admin\Pictures\7Trr1MOvViQp60asAUZhQvty.exe
"C:\Users\Admin\Pictures\7Trr1MOvViQp60asAUZhQvty.exe"
4⤵
PID:5944

C:\Users\Admin\Pictures\PRjmcq3nE4pY1QRosqEjZC6k.exe
"C:\Users\Admin\Pictures\PRjmcq3nE4pY1QRosqEjZC6k.exe" --silent --allusers=0
4⤵
PID:2772

C:\Users\Admin\Pictures\PRjmcq3nE4pY1QRosqEjZC6k.exe
C:\Users\Admin\Pictures\PRjmcq3nE4pY1QRosqEjZC6k.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x6f4fe1d0,0x6f4fe1dc,0x6f4fe1e8
5⤵
PID:5844

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\PRjmcq3nE4pY1QRosqEjZC6k.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\PRjmcq3nE4pY1QRosqEjZC6k.exe" --version
5⤵
PID:4384

C:\Users\Admin\Pictures\PRjmcq3nE4pY1QRosqEjZC6k.exe
"C:\Users\Admin\Pictures\PRjmcq3nE4pY1QRosqEjZC6k.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=2772 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240428070425" --session-guid=45642969-52b9-4370-971b-b2e31df6d936 --server-tracking-blob="NzYxODAwMmE4N2Q3ZWRhNjk3NmIyOTE1ZWViNWNmMjVkNzQwYjE3YzUyODZlZDQ3MGNlMGY0N2MzZWJjZDJlZjp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N19fNDU2Iiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTAiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzE0Mjg3ODU0LjgzOTYiLCJ1dG0iOnsiY2FtcGFpZ24iOiI3NjdfXzQ1NiIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6Im1rdCJ9LCJ1dWlkIjoiYThmNzI3MjMtZjYzZC00MzQ5LTkzNTItYWNlMTgyOTA5ODhhIn0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=3405000000000000
5⤵
PID:5468

C:\Users\Admin\Pictures\PRjmcq3nE4pY1QRosqEjZC6k.exe
C:\Users\Admin\Pictures\PRjmcq3nE4pY1QRosqEjZC6k.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x2a8,0x2ac,0x2b0,0x278,0x2b4,0x6e94e1d0,0x6e94e1dc,0x6e94e1e8
6⤵
PID:912

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404280704251\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404280704251\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"
5⤵
PID:5928

C:\Users\Admin\Pictures\5LkLDp2ruqQQK1sRNAXKSXaC.exe
"C:\Users\Admin\Pictures\5LkLDp2ruqQQK1sRNAXKSXaC.exe"
4⤵
PID:5548

C:\Users\Admin\Pictures\0sE0unWBMm4K4b6vKwuickfp.exe
"C:\Users\Admin\Pictures\0sE0unWBMm4K4b6vKwuickfp.exe"
4⤵
PID:7020

C:\Users\Admin\AppData\Local\Temp\7zSA01E.tmp\Install.exe
.\Install.exe /WkfdidVYT "385118" /S
5⤵
PID:6260

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
6⤵
PID:5460

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
7⤵
PID:6844

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
8⤵
PID:2592

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
9⤵
PID:2512

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
7⤵
PID:6484

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
8⤵
PID:6972

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
9⤵
PID:6992

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
7⤵
PID:7052

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
8⤵
PID:7064

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
9⤵
PID:7088

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
7⤵
PID:7136

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
8⤵
PID:5520

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
9⤵
PID:260

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
7⤵
PID:5256

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
8⤵
PID:5156

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
9⤵
PID:6216

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
6⤵
PID:7064

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "biPxHmULFllsbMgnpt" /SC once /ST 07:06:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSA01E.tmp\Install.exe\" Wt /kdudidWdOm 385118 /S" /V1 /F
6⤵
- Creates scheduled task(s)
PID:2784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
3⤵
PID:5872

C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe
"C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe"
2⤵
- Executes dropped EXE
PID:6072

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe'
3⤵
PID:5160

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mstc.exe'
3⤵
PID:1264

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\explorer.exe'
3⤵
PID:3280

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'
3⤵
PID:6520

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Admin\AppData\Roaming\explorer.exe"
3⤵
- Creates scheduled task(s)
PID:1532

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
2⤵
PID:1128

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
3⤵
PID:5332

C:\Windows\system32\netsh.exe
netsh wlan show profiles
4⤵
PID:5756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\808065738166_Desktop.zip' -CompressionLevel Optimal
4⤵
PID:6796

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
2⤵
PID:6464

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:6312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:6304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 608 -ip 608
1⤵
PID:6540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3536 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:3
1⤵
PID:6364

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
1⤵
PID:6960

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx
Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\Users\Admin\1000017002\53a44f07a5.exe
Filesize
2.3MB

MD5
e6f8461eb8c185f65ba1bf5a11c2e76b

SHA1
ddece89ea5b41b8cebc610911ea9e1e0df23cbdc

SHA256
08fcd79e830f0e8db766a40127e9b96b02ecfe143f2d9f155b47ed1597281c98

SHA512
774f6a02865aaba567e3dba2647d7e86a192ecfca26d86bcfc8a8f0259206afe95f6c7f4259fb3eea7d6a26ac1d233f4dba3ccd10c24832f149f993c3a83a9a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
0420900c1ad94085af3922a624b66971

SHA1
a0eec1bfb79d181a58caa48b7f3b6f0821249244

SHA256
ff8d081f314c3f4650d8f5803f0d8b4d824c6f440cbffd5e0763770934be903f

SHA512
38e14db9cae6e1bd1eb5d836b8ed520669125bd89eefb256de8770f971b112bf9d1b6f03d464aab3c4550d15b9afc8e4c7b8de1dfbc94b79b93eb6982eaaddd3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
141f01488941bf206f838fffff5f6b61

SHA1
6ef06d0eafd166b7a88c8a13cb446fc8419788b0

SHA256
f799737b3f882a3f98b9e27a6ec0cf68bfd7accbcc6035a6e03cb0638b213bd4

SHA512
f016548977069d57567820a92a5f3180e6a5c90b1aba2f10d80ddc263693acb8903699f61178797c519d9726a9337f7e49a2816420d3ccd25b033b1e34d251aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
336B

MD5
3a260a260174666e6cf658a96f43b5fb

SHA1
529abfcbfbef5fcbc63a3117802042acbd74013e

SHA256
e3f5162b9a4e309fdd5c5d3c648479faea47bc2df76dff07ecdeebe75a51284c

SHA512
2a722fa6e7758998bbac05e4ee8ae4dbb24f5f53f259646868cbfd551c5a12e79aaaac1f66935c42d937f93e03cf6e4b597eecbb9688db18a69f60b274396fc2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History
Filesize
148KB

MD5
fb5ff3e8dea1b79b972c441bc637cd02

SHA1
8428d93dc5b8a53e7d971eae9c34adcca963a33b

SHA256
7e27505decfacae0bd680a6910b60f4b997bcee1777fe12eeaf34909a0bf847b

SHA512
a2ee2d880c6bb790a453fe4b5514e74fb7adbacac722ac75299653f0cc180f23e067e4515f70bcd00cad9f891121e3290d4a0d0b8083143792e74d2efdbb23b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Filesize
20KB

MD5
c937fbef92174dbee9f19d18c13da268

SHA1
d74d7d57669fad491217da7e73c0e3bc2ae8fc73

SHA256
50f2bb750ac5bcda006824e1ea4cf22c4aa6370ddad8d6ab0b4d8adad4ebfc21

SHA512
4b28becdfb0f9406fb595164b42793c50a21082acb0a119af258241c291d9a2723a417d54100c6160a2669e368d76f172a0ba633e21314821ee1b2caef3302b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
891f2029a2890b6b282ef5db67c8b4c3

SHA1
2d5341b42d1d302122098eb0c59ba63b500c3ea4

SHA256
2fc41e065ee13d0c6a7681b2629c10f66dc9a134627751a6379e74bb8a8b2eeb

SHA512
29d4e51ac9d2271ab97bff5f968bce83d71b33cff235186795b273c5974f3f08ce4460f020a2b2e27f6a607bcd98b22ae2c22dc1c54584ced6705b34a0be07d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
371B

MD5
5cd4db074cecc2eac038e2e41e2645a6

SHA1
28339ac4af39bd11575ad872438124da8d4f3b72

SHA256
295a79af305200fa1e35d1ceded9c2ab75036819f07d84046590cea9c711e863

SHA512
2704165531576fd261098cc124b46b847779ee4e31eadac2fe30072d49b92ddf0a37dedfaed251d5560f62379494065a8969ce8f3056b522e6b5c0b92747057a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
369B

MD5
e808e5014926e4d1b99bf2a911bec279

SHA1
0bb4d6354241b44faca7c937f2ef769d47f320b7

SHA256
37396a9b21af966b7099716f7520c27e9026ed94899fe8df8b38b7b72f33a9f9

SHA512
598d77ee48bc42af41709df3c40aea5c4c77aa68778b6e6c41a23a3bbe11d56ada4a49c729c412bb3f15420db61768f7ca4f075ae53c0a1b76e1fae1e1de4154

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
148be0f4c0f14bc3b91468a321ce1223

SHA1
ebb0451fcd4b8ddb64e7f6f472061f6350cbcc60

SHA256
ac7eb65a8f86f84d5e91c6a0e3d5107a9c366ca58806db78e8b76dadb9ee10f0

SHA512
ba9eadd78def813a846de72a3867ebedc7ffd3fe2a0c9861dce706bdb2be10e4710cdfdc9ca19bdcdcc392bf13eed359ae1857b513e8de773cb7cb09436aac3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
50eca09eee8ac91a8dc1f12017b06aa6

SHA1
a774440474b7dadce4f23956fda18f6a9fb8d759

SHA256
9d64fbdd494971612cb468abe93e837701352f2fdd3b650d94765ea73510152e

SHA512
7216af19fce48fa92430eca6f713516b9281361b87d58bd535287d8aba091848dc1d46c48ca32406fd892b0d26b8eeb2b8321ad3eee790ea72211d420ebaa9ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
a52dd4dea89c008b5ebc40321ce10782

SHA1
690efdfb31dad5fcd9f703e4ce4486776a082381

SHA256
ee11a925860806c7ba8f6cba5b6e5942ce74b023efc0ed627fa47ad21c0b9630

SHA512
d56559c0f825c7b86ccd97f7b2bab48254ea8f6f7af6d92b301c13ee4ab25e0838e397496e691824237020360c27420a57dfb44f8693d9bdd6e6db19f0edba1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
265KB

MD5
8188c76c409e171394c8b613f0c68175

SHA1
34aeff4f06cdb90e1ce2c7d7f284e54ce9863e44

SHA256
b97a81b30f4fa0c5fd4bb82960e622d990d3f664cbf7836172b9f94eda82e23b

SHA512
28c632e6438acfbb7cf668b8ad2bd517eec07585e71a8d9e0923b9592348ceb24f70c54d6a2b441008e7c623c119b6f0cc1db359bd53d8c6cb38122dbd8ba754

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries
Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
c08aea9c78561a5f00398a723fdf2925

SHA1
2c880cbb5d02169a86bb9517ce2a0184cb177c6e

SHA256
63d2688b92da4d1bb69980b7998b9be1595dd9e53951434a9414d019c4f825a7

SHA512
d30db2f55bbda7102ffe90520d233355633313dcc77cdb69a26fdbb56e59dd41793def23d69dc5dc3f94c5bd41d3c26b3628886fd2edbed2df0b332e9a21f95c

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404280704251\additional_file0.tmp
Filesize
1.7MB

MD5
83ae2c7577aa968db01cb9fd9f1ddd44

SHA1
b62a3b74cfdeae4965a168f7f4ab04e53052b76d

SHA256
b8c0a01dbf6daa5d01c3942eca0fba9c225c5e3aaacbbdb47f0b30918ddf9605

SHA512
0306e0ba9248a72f3dd547c5bcecdb271f11e370e4a50e045fe93c488a64da454fadd040a1807e2f659479169c7ec4e57071460a48c4f265819e1f90f7805560

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404280704251\opera_package
Filesize
4.7MB

MD5
256969cbdd9939a4813cbc7fa9b86228

SHA1
485bc5400e84b4ec423609559a3f35e4f641d525

SHA256
8c59227adffd4c4cc7b8e8b232ade3aff823b9ebb71d5317096a8e4b453ec54a

SHA512
48a3752b3bbb75cefd9ff220c711519130590b4cc851667f790242a481d0bfe993068348c52b5035b19cef296530ec0121aefc66943046709c74282ecf91f422

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe
Filesize
1.9MB

MD5
0e007067234be3bc281e4e48e6429670

SHA1
fd5273480e0c75916ea0f80cd9a7f8140991dfff

SHA256
b1f147ef5fbdda670b5d98188bf085838598897cb5b09d316000071995bb185f

SHA512
fe93c1f3e37533a5d9f7fbecef2503e1725a239248b42c15e6cafcf9113fe93709baf7526ccba61d7313bc4d8fd8c739033085a720bc62bb10f5980edd9b8103

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\a9b4e23f92.exe
Filesize
1.1MB

MD5
b77f031b52a81996342d44bfecf8fdc9

SHA1
7c37e6c975ce5921cbfd1eef83dfda47f334b078

SHA256
f1057fb9a8d3bf224161fa1903b8c6f90872a3539de3778ea3a952984bcce4a2

SHA512
ed2c7700725da763c6e1c2ae584fde814b77489fc4ca7a8d8089563de203532c92a66e59d9b6cc397d92353cb86b53e7c7729002ba1aa556fe06e1b30c6a8ffd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe
Filesize
381KB

MD5
cb1fa9b5d0509372c8299742a9a36228

SHA1
bb8e5a0206f8909afbf5b32a1493e686e596c040

SHA256
d09f47363c21f002a615eb6476973cf907eb9c4ab16b1f9aa3909e200665ac45

SHA512
61c74cab5d8928b9cfb53ddc8ba4b0528ba6cddf72b8ae7a866a5c77f27079d3cc2752ab0d533635701c94e2de49c92d600a1d74f734268d535cb53750696826

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe
Filesize
50KB

MD5
17eefbaaa30123fa3091add80026aed4

SHA1
8e43d736ea03bd33de5434bda5e20aae121cd218

SHA256
b780f8659c3cfab33ffa95b25b396b2b8ade8bd40c72aaf7c87ad3c6b6cf34c5

SHA512
e82fbbbfef61773fae1ed3e0767efa225ede0327ca5654de25e86359f4366942f85cf5542e67a52b24bb129d7fccf09fc68c64a73cf9269a75040d888005fa09

Download Submit
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
Filesize
1.8MB

MD5
8196ce484e7137d2ad7be00255ddc42c

SHA1
3c15db55a651787b3e7ce168dc83b47dfda4caff

SHA256
a70bef9e7c594db6f948ed275fb995527f92bf4536da46b0f0a134f1092c1977

SHA512
3566c3ebdffadb02da673b5791f36d7d449e3f29c650dd73c975cf0545c7b7e629a9c6906be5ab09bef3d29deb448479396b37f96872d05d1281af3bdb2f812c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2404280704198852772.dll
Filesize
4.6MB

MD5
45fe60d943ad11601067bc2840cc01be

SHA1
911d70a6aad7c10b52789c0312c5528556a2d609

SHA256
0715f9558363b04526499fcd6abf0b1946950af0a7f046a25f06b20dddb67add

SHA512
30c82f6b329fefa5f09a5974c36b70ea2bdab273e7d6eadd456fddcc2aa693f8f1cf096d57c3719d1106e9f85d50a4ffbf0ed7e66da2da0a5f23b6ee8c7194ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r4t5iayu.4dn.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugw.0.exe
Filesize
311KB

MD5
d8f0480ffd9a82c2532b6be3fbee1a76

SHA1
c72dc3cab1dc67c8039e7acabef9776fb244d74a

SHA256
76b73bd1533ce48cd2cf55316e62b3869e920992c4d7673339f9c5eefa7d922a

SHA512
13daf8bf9853043ad1913f45b634ac4d7b59d9320101e5b30ce9407ec1ca15fa1a990e67409cf9d3aeab10107a6e8ead6e79f55fee718a844a38556817c92116

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugw.1.zip
Filesize
3.7MB

MD5
78d3ca6355c93c72b494bb6a498bf639

SHA1
2fa4e5df74bfe75c207c881a1b0d3bc1c62c8b0e

SHA256
a1dd547a63b256aa6a16871ed03f8b025226f7617e67b8817a08444df077b001

SHA512
1b2df7bee2514aee7efd3579f5dd33c76b40606d07dba69a34c45747662fad61174db4931bca02b058830107959205e889fee74f8ccc9f6e03f9fd111761f4ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugw.2\relay.dll
Filesize
1.5MB

MD5
10d51becd0bbce0fab147ff9658c565e

SHA1
4689a18112ff876d3c066bc8c14a08fd6b7b7a4a

SHA256
7b2db9c88f60ed6dd24b1dec321a304564780fdb191a96ec35c051856128f1ed

SHA512
29faf493bb28f7842c905adc5312f31741effb09f841059b53d73b22aea2c4d41d73db10bbf37703d6aeb936ffacbc756a3cc85ba3c0b6a6863ef4d27fefcd29

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugw.2\run.exe
Filesize
2.4MB

MD5
9fb4770ced09aae3b437c1c6eb6d7334

SHA1
fe54b31b0db8665aa5b22bed147e8295afc88a03

SHA256
a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3

SHA512
140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugw.2\whale.dbf
Filesize
85KB

MD5
a723bf46048e0bfb15b8d77d7a648c3e

SHA1
8952d3c34e9341e4425571e10f22b782695bb915

SHA256
b440170853bdb43b66497f701aee2901080326975140b095a1669cb9dee13422

SHA512
ca8ea2f7f3c7af21b5673a0a3f2611b6580a7ed02efa2cfd8b343eb644ff09682bde43b25ef7aab68530d5ce31dcbd252c382dd336ecb610d4c4ebde78347273

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugw.3.exe
Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
Filesize
40B

MD5
40b5b8885df870d8f055bea49887f8e7

SHA1
06b801cd86a85f20283853c5a5134a407aa460f6

SHA256
0443dbcce528bb356d57069e6af227e27c5522c944e35f072a7d860dc52a8389

SHA512
0104e80725cf57e83e9d99a8327cae50f345531a39879d97f2ac074645559a5c28d0bf9c72ae7d91fe425fedc3af09dd06017f357c87ae3334425a37455eb9fe

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll
Filesize
109KB

MD5
154c3f1334dd435f562672f2664fea6b

SHA1
51dd25e2ba98b8546de163b8f26e2972a90c2c79

SHA256
5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f

SHA512
1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll
Filesize
1.2MB

MD5
f35b671fda2603ec30ace10946f11a90

SHA1
059ad6b06559d4db581b1879e709f32f80850872

SHA256
83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7

SHA512
b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705

Download Submit
C:\Users\Admin\Pictures\0sE0unWBMm4K4b6vKwuickfp.exe
Filesize
6.3MB

MD5
a63018cc078f57c640ac2ec8ed84dead

SHA1
1f5c17894a755114527e92304f4a74195c48031d

SHA256
41d01d8fc610b6ceb17687c58973ee8f6a7bbdc1eb6deb19297e3f4c4c62b558

SHA512
a42f522745bbe8b36ea60d7688a713bce89df2f7b0f5c7ad7b32bc43989fca71e00d817692263ea4004ad6be23e64dd9d3d2f1dfbe7b5038cf4b79b7064a9864

Download Submit
C:\Users\Admin\Pictures\5LkLDp2ruqQQK1sRNAXKSXaC.exe
Filesize
5.5MB

MD5
28d853922cf07f58ea8f4a81492120ae

SHA1
e957c503b201179bc7901256bf37ff292705e805

SHA256
e62b73e7f0b73dcdcf303dcd3f587a54a684d0ab4c0dd1e90b3a8b39502a9a38

SHA512
35f108ecb6d6c5c328c006303fabba0b44622cc86b5e8b4ea74579e26d3222cd591620674f64d89415c8521a379f6ad7298d63243fdb21671e24796195b2b03a

Download Submit
C:\Users\Admin\Pictures\PRjmcq3nE4pY1QRosqEjZC6k.exe
Filesize
5.1MB

MD5
ec7bcf9f5aa99b91285a3a25128e9158

SHA1
e348ba78ac813957cd21de5c7fdcd8e3f0029f05

SHA256
faf258036c3042149738b218e84352215b8ca5892f78cf16e0f9b31827769252

SHA512
3680f4b7c16f76aac0be647e44dca68e2fdea7e92514cd38635261cd415d16363d2e9efb3cce72d578a7ee505ab7c1aeffdac9eb34bec121c1db6a5bc142c8e6

Download Submit
C:\Users\Admin\Pictures\Tf3qZrLLuoAwPFJAAXnrbWLq.exe
Filesize
4.2MB

MD5
93d6b0ac7b5a6f52f42de208d3e1f94f

SHA1
fb2c7e05f10cc470bdfe963199f044971323a4f5

SHA256
9d406ab6a332a3089457fa7ec493e3b1722a9ac81584215423335fdb391391ae

SHA512
f042c5463ad02fd927d147f6430182659585b48b8cba0498d1823b58abf6c48ab496333abbcdc2dc878a05a9d238679436ede31ff44fc1295367ea37884bd1b1

Download Submit
C:\Users\Admin\Pictures\mObM3gb3LqtaXN8ZNR8hczKx.exe
Filesize
7KB

MD5
5b423612b36cde7f2745455c5dd82577

SHA1
0187c7c80743b44e9e0c193e993294e3b969cc3d

SHA256
e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09

SHA512
c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

Download Submit
C:\Users\Admin\Pictures\qeRELOeyTSRSfaRvw4VDP0bF.exe
Filesize
456KB

MD5
81fd624d5955fe64fb4aaf78d83dcacf

SHA1
296d5a7a5a2da67c5c8bcc2d821ba2549ef8ab26

SHA256
126d672929e69bcb66fd6cf50c6402ff1a100cf6640da4aff9f51511f9518c78

SHA512
81bf0a1730c645ba6baf007adef34994506d81138485544c1a128e263ef1d562d55548f12d81ffea997522fc226fc74ea4005c185fa99da2bc65fef994b1c6a4

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini
Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
\??\pipe\crashpad_1484_MWBKTJJVBTWNIPAO
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/100-26-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/100-175-0x0000000000650000-0x0000000000B19000-memory.dmp

Filesize
4.8MB

Download
memory/100-736-0x0000000000650000-0x0000000000B19000-memory.dmp

Filesize
4.8MB

Download
memory/100-28-0x0000000004B80000-0x0000000004B81000-memory.dmp

Filesize
4KB

Download
memory/100-31-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/100-178-0x0000000000650000-0x0000000000B19000-memory.dmp

Filesize
4.8MB

Download
memory/100-30-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download
memory/100-29-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

Filesize
4KB

Download
memory/100-32-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download
memory/100-27-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/100-24-0x0000000000650000-0x0000000000B19000-memory.dmp

Filesize
4.8MB

Download
memory/100-164-0x0000000000650000-0x0000000000B19000-memory.dmp

Filesize
4.8MB

Download
memory/100-189-0x0000000000650000-0x0000000000B19000-memory.dmp

Filesize
4.8MB

Download
memory/100-162-0x0000000000650000-0x0000000000B19000-memory.dmp

Filesize
4.8MB

Download
memory/100-87-0x0000000000650000-0x0000000000B19000-memory.dmp

Filesize
4.8MB

Download
memory/100-728-0x0000000000650000-0x0000000000B19000-memory.dmp

Filesize
4.8MB

Download
memory/100-136-0x0000000000650000-0x0000000000B19000-memory.dmp

Filesize
4.8MB

Download
memory/100-234-0x0000000000650000-0x0000000000B19000-memory.dmp

Filesize
4.8MB

Download
memory/100-641-0x0000000000650000-0x0000000000B19000-memory.dmp

Filesize
4.8MB

Download
memory/100-633-0x0000000000650000-0x0000000000B19000-memory.dmp

Filesize
4.8MB

Download
memory/100-366-0x0000000000650000-0x0000000000B19000-memory.dmp

Filesize
4.8MB

Download
memory/608-635-0x0000000000400000-0x0000000001A3D000-memory.dmp

Filesize
22.2MB

Download
memory/640-34-0x0000000000650000-0x0000000000B19000-memory.dmp

Filesize
4.8MB

Download
memory/640-39-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/640-37-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/640-40-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/640-42-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/640-41-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/640-52-0x0000000000650000-0x0000000000B19000-memory.dmp

Filesize
4.8MB

Download
memory/640-38-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/1780-630-0x000000006DAB0000-0x000000006DC2B000-memory.dmp

Filesize
1.5MB

Download
memory/1780-560-0x000000006DAB0000-0x000000006DC2B000-memory.dmp

Filesize
1.5MB

Download
memory/1780-575-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp

Filesize
2.0MB

Download
memory/3980-196-0x0000000000650000-0x0000000000B19000-memory.dmp

Filesize
4.8MB

Download
memory/3980-194-0x0000000000650000-0x0000000000B19000-memory.dmp

Filesize
4.8MB

Download
memory/4088-247-0x00000000007F0000-0x0000000000DCA000-memory.dmp

Filesize
5.9MB

Download
memory/4088-729-0x00000000007F0000-0x0000000000DCA000-memory.dmp

Filesize
5.9MB

Download
memory/4088-634-0x00000000007F0000-0x0000000000DCA000-memory.dmp

Filesize
5.9MB

Download
memory/4088-113-0x00000000007F0000-0x0000000000DCA000-memory.dmp

Filesize
5.9MB

Download
memory/4088-368-0x00000000007F0000-0x0000000000DCA000-memory.dmp

Filesize
5.9MB

Download
memory/4088-190-0x00000000007F0000-0x0000000000DCA000-memory.dmp

Filesize
5.9MB

Download
memory/4088-188-0x00000000007F0000-0x0000000000DCA000-memory.dmp

Filesize
5.9MB

Download
memory/4088-163-0x00000000007F0000-0x0000000000DCA000-memory.dmp

Filesize
5.9MB

Download
memory/4088-177-0x00000000007F0000-0x0000000000DCA000-memory.dmp

Filesize
5.9MB

Download
memory/4088-176-0x00000000007F0000-0x0000000000DCA000-memory.dmp

Filesize
5.9MB

Download
memory/4088-167-0x00000000007F0000-0x0000000000DCA000-memory.dmp

Filesize
5.9MB

Download
memory/4248-60-0x0000000000C60000-0x0000000001139000-memory.dmp

Filesize
4.8MB

Download
memory/4248-85-0x0000000000C60000-0x0000000001139000-memory.dmp

Filesize
4.8MB

Download
memory/4660-9-0x0000000005580000-0x0000000005581000-memory.dmp

Filesize
4KB

Download
memory/4660-1-0x00000000779E4000-0x00000000779E6000-memory.dmp

Filesize
8KB

Download
memory/4660-23-0x0000000000250000-0x0000000000719000-memory.dmp

Filesize
4.8MB

Download
memory/4660-12-0x0000000000250000-0x0000000000719000-memory.dmp

Filesize
4.8MB

Download
memory/4660-25-0x0000000000250000-0x0000000000719000-memory.dmp

Filesize
4.8MB

Download
memory/4660-10-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/4660-6-0x0000000005500000-0x0000000005501000-memory.dmp

Filesize
4KB

Download
memory/4660-7-0x0000000005510000-0x0000000005511000-memory.dmp

Filesize
4KB

Download
memory/4660-5-0x0000000005560000-0x0000000005561000-memory.dmp

Filesize
4KB

Download
memory/4660-4-0x0000000005520000-0x0000000005521000-memory.dmp

Filesize
4KB

Download
memory/4660-0-0x0000000000250000-0x0000000000719000-memory.dmp

Filesize
4.8MB

Download
memory/4660-8-0x0000000005550000-0x0000000005551000-memory.dmp

Filesize
4KB

Download
memory/4660-2-0x0000000005530000-0x0000000005531000-memory.dmp

Filesize
4KB

Download
memory/4660-3-0x0000000005540000-0x0000000005541000-memory.dmp

Filesize
4KB

Download
memory/4788-375-0x0000000001000000-0x00000000014D9000-memory.dmp

Filesize
4.8MB

Download
memory/4788-248-0x0000000001000000-0x00000000014D9000-memory.dmp

Filesize
4.8MB

Download
memory/4788-636-0x0000000001000000-0x00000000014D9000-memory.dmp

Filesize
4.8MB

Download
memory/4788-730-0x0000000001000000-0x00000000014D9000-memory.dmp

Filesize
4.8MB

Download
memory/4788-195-0x0000000001000000-0x00000000014D9000-memory.dmp

Filesize
4.8MB

Download
memory/5160-258-0x000001F898720000-0x000001F898742000-memory.dmp

Filesize
136KB

Download
memory/5176-639-0x0000000000400000-0x0000000001A19000-memory.dmp

Filesize
22.1MB

Download
memory/5176-648-0x0000000000400000-0x0000000001A19000-memory.dmp

Filesize
22.1MB

Download
memory/5176-733-0x0000000000400000-0x0000000001A19000-memory.dmp

Filesize
22.1MB

Download
memory/5176-518-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/5492-216-0x00000170CD310000-0x00000170CD31A000-memory.dmp

Filesize
40KB

Download
memory/5492-224-0x00000170CD6D0000-0x00000170CD72C000-memory.dmp

Filesize
368KB

Download
memory/5548-640-0x0000000140000000-0x000000014072B000-memory.dmp

Filesize
7.2MB

Download
memory/5548-398-0x0000000140000000-0x000000014072B000-memory.dmp

Filesize
7.2MB

Download
memory/5748-643-0x0000000000400000-0x0000000001DFC000-memory.dmp

Filesize
26.0MB

Download
memory/5748-731-0x0000000000400000-0x0000000001DFC000-memory.dmp

Filesize
26.0MB

Download
memory/5748-637-0x0000000000400000-0x0000000001DFC000-memory.dmp

Filesize
26.0MB

Download
memory/5848-246-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5944-732-0x0000000000400000-0x0000000001DFC000-memory.dmp

Filesize
26.0MB

Download
memory/5944-638-0x0000000000400000-0x0000000001DFC000-memory.dmp

Filesize
26.0MB

Download
memory/5944-644-0x0000000000400000-0x0000000001DFC000-memory.dmp

Filesize
26.0MB

Download
memory/6072-245-0x00000000006C0000-0x00000000006D2000-memory.dmp

Filesize
72KB

Download
memory/6216-672-0x00000000059E0000-0x0000000005A46000-memory.dmp

Filesize
408KB

Download
memory/6216-708-0x0000000006090000-0x00000000060AE000-memory.dmp

Filesize
120KB

Download
memory/6216-805-0x00000000076C0000-0x0000000007C64000-memory.dmp

Filesize
5.6MB

Download
memory/6216-673-0x0000000005A50000-0x0000000005AB6000-memory.dmp

Filesize
408KB

Download
memory/6216-671-0x00000000051C0000-0x00000000051E2000-memory.dmp

Filesize
136KB

Download
memory/6216-669-0x00000000052B0000-0x00000000058D8000-memory.dmp

Filesize
6.2MB

Download
memory/6216-668-0x0000000004AD0000-0x0000000004B06000-memory.dmp

Filesize
216KB

Download
memory/6216-801-0x0000000007070000-0x0000000007106000-memory.dmp

Filesize
600KB

Download
memory/6216-804-0x00000000065F0000-0x0000000006612000-memory.dmp

Filesize
136KB

Download
memory/6216-709-0x00000000064A0000-0x00000000064EC000-memory.dmp

Filesize
304KB

Download
memory/6216-674-0x0000000005AC0000-0x0000000005E14000-memory.dmp

Filesize
3.3MB

Download
memory/6216-803-0x0000000006500000-0x000000000651A000-memory.dmp

Filesize
104KB

Download
memory/6260-650-0x0000000000560000-0x0000000000BD4000-memory.dmp

Filesize
6.5MB

Download
memory/6260-692-0x0000000010000000-0x00000000105E1000-memory.dmp

Filesize
5.9MB

Download
memory/6500-735-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/6660-657-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp

Filesize
2.0MB

Download
memory/6796-685-0x0000018221750000-0x000001822175A000-memory.dmp

Filesize
40KB

Download
memory/6796-684-0x0000018221AC0000-0x0000018221AD2000-memory.dmp

Filesize
72KB

Download
memory/6960-775-0x0000000000650000-0x0000000000B19000-memory.dmp

Filesize
4.8MB

Download
memory/6960-748-0x0000000000650000-0x0000000000B19000-memory.dmp

Filesize
4.8MB

Download