Overview

overview

10

Static

static

3

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-03-2024 07:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bb4a0140d4b23f0f4d334dae72e8bd9cd865158f65f7a7ed65714723a7eeec33.exe

  • Size

    1.8MB

  • MD5

    7ce37ff1e89c1fc09e26a921b321828c

  • SHA1

    2aa177a9179e204092b4d242b0e521f1e04c1b7d

  • SHA256

    bb4a0140d4b23f0f4d334dae72e8bd9cd865158f65f7a7ed65714723a7eeec33

  • SHA512

    5ab44ae449329edbf9851c182a035f25ed0f34cdcd2165588bd8cd9d7c5cfcfdc348c7578c347e3b2cf05b6f259321c5a3e650dd85466bfa589dd1861339eab8

  • SSDEEP

    24576:z5uspSqm7d7CzPl5iB1leYK37taZGKPbeqsnUAP8SONNDmQe47A90lDdCj8ZOf1C:0l7+PCZeYm7Az7sTPnOXfZZONpF

Score
10/10
amadeydcratgluptebarhadamanthysriseprosmokeloaderstealczgratpub1backdoordiscoverydropperevasioninfostealerloaderpersistenceratrootkitspywarestealerthemidatrojanupx

Malware Config

Extracted

Family

amadey

Version

4.18

C2

http://193.233.132.56

Attributes
  • install_dir

    09fd851a4f

  • install_file

    explorha.exe

  • strings_key

    443351145ece4966ded809641c77cfa8

  • url_paths

    /Pneh2sXQk0/index.php

rc4.plain

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

stealc

C2

http://185.172.128.209

Attributes
  • url_path

    /3cd2b41cbde8fc9c.php

Extracted

Family

smokeloader

Version

2022

C2

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php
rc4.i32
rc4.i32

Extracted

Family

amadey

Version

4.17

C2

http://193.233.132.167

Attributes
  • strings_key

    1a9519d7b465e1f4880fa09a6162d768

  • url_paths

    /enigma/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • DcRat 24 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Detect ZGRat V1 1 IoCs
  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 2 IoCs
  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
    evasion
  • Blocklisted process makes network request 8 IoCs
  • Downloads MZ/PE file
  • Modifies Windows Firewall 2 TTPs 4 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 18 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 12 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 55 IoCs
  • Identifies Wine through registry keys 2 TTPs 7 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 18 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 9 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 9 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops Chrome extension 2 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 4 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 6 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 48 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 4 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 16 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 9 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
    evasionspywaretrojan
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 12 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2236
      • C:\Windows\SysWOW64\dialer.exe
        "C:\Windows\system32\dialer.exe"
        2⤵
          PID:6084
      • C:\Users\Admin\AppData\Local\Temp\bb4a0140d4b23f0f4d334dae72e8bd9cd865158f65f7a7ed65714723a7eeec33.exe
        "C:\Users\Admin\AppData\Local\Temp\bb4a0140d4b23f0f4d334dae72e8bd9cd865158f65f7a7ed65714723a7eeec33.exe"
        1⤵
        • DcRat
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Checks computer location settings
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3948
        • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
          "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
          2⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Adds Run key to start application
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1492
          • C:\Users\Admin\AppData\Local\Temp\1000022001\4e8bb0e286.exe
            "C:\Users\Admin\AppData\Local\Temp\1000022001\4e8bb0e286.exe"
            3⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            PID:4200
          • C:\Windows\SysWOW64\rundll32.exe
            "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
            3⤵
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:4496
            • C:\Windows\system32\rundll32.exe
              "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
              4⤵
              • Blocklisted process makes network request
              • Loads dropped DLL
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:1304
              • C:\Windows\system32\netsh.exe
                netsh wlan show profiles
                5⤵
                  PID:1524
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\660967641992_Desktop.zip' -CompressionLevel Optimal
                  5⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4756
            • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
              "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
              3⤵
                PID:3380
              • C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe
                "C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe"
                3⤵
                • Executes dropped EXE
                • Drops file in Windows directory
                PID:4964
              • C:\Windows\SysWOW64\rundll32.exe
                "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
                3⤵
                • Blocklisted process makes network request
                • Loads dropped DLL
                PID:1184
          • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
            C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
            1⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: EnumeratesProcesses
            PID:3744
          • C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
            C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
            1⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:380
            • C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe
              "C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe"
              2⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:3680
              • C:\Windows\SysWOW64\schtasks.exe
                "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN boom8.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe" /F
                3⤵
                • DcRat
                • Creates scheduled task(s)
                PID:3808
              • C:\Users\Admin\AppData\Local\Temp\1000172001\ISetup8.exe
                "C:\Users\Admin\AppData\Local\Temp\1000172001\ISetup8.exe"
                3⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:4964
                • C:\Users\Admin\AppData\Local\Temp\u3tw.0.exe
                  "C:\Users\Admin\AppData\Local\Temp\u3tw.0.exe"
                  4⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Checks processor information in registry
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4668
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\AKEBFCFIJJ.exe"
                    5⤵
                      PID:232
                      • C:\Users\Admin\AppData\Local\Temp\AKEBFCFIJJ.exe
                        "C:\Users\Admin\AppData\Local\Temp\AKEBFCFIJJ.exe"
                        6⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        PID:4628
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\AKEBFCFIJJ.exe
                          7⤵
                            PID:212
                            • C:\Windows\SysWOW64\PING.EXE
                              ping 2.2.2.2 -n 1 -w 3000
                              8⤵
                              • Runs ping.exe
                              PID:2684
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 2652
                        5⤵
                        • Program crash
                        PID:7152
                    • C:\Users\Admin\AppData\Local\Temp\u3tw.1.exe
                      "C:\Users\Admin\AppData\Local\Temp\u3tw.1.exe"
                      4⤵
                      • Executes dropped EXE
                      • Suspicious use of SetWindowsHookEx
                      PID:3640
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
                        5⤵
                          PID:5272
                          • C:\Windows\SysWOW64\chcp.com
                            chcp 1251
                            6⤵
                              PID:5740
                            • C:\Windows\SysWOW64\schtasks.exe
                              schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
                              6⤵
                              • DcRat
                              • Creates scheduled task(s)
                              PID:4028
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 1660
                          4⤵
                          • Program crash
                          PID:3460
                      • C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub1.exe
                        "C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub1.exe"
                        3⤵
                        • Executes dropped EXE
                        • Checks SCSI registry key(s)
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious behavior: MapViewOfSection
                        PID:4900
                      • C:\Users\Admin\AppData\Local\Temp\1000174001\4767d2e713f2021e8fe856e3ea638b58.exe
                        "C:\Users\Admin\AppData\Local\Temp\1000174001\4767d2e713f2021e8fe856e3ea638b58.exe"
                        3⤵
                        • Executes dropped EXE
                        PID:4732
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          powershell -nologo -noprofile
                          4⤵
                          • Suspicious use of AdjustPrivilegeToken
                          PID:5956
                        • C:\Users\Admin\AppData\Local\Temp\1000174001\4767d2e713f2021e8fe856e3ea638b58.exe
                          "C:\Users\Admin\AppData\Local\Temp\1000174001\4767d2e713f2021e8fe856e3ea638b58.exe"
                          4⤵
                          • DcRat
                          • Executes dropped EXE
                          • Adds Run key to start application
                          • Checks for VirtualBox DLLs, possible anti-VM trick
                          • Drops file in Windows directory
                          PID:6496
                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            powershell -nologo -noprofile
                            5⤵
                            • Drops file in System32 directory
                            • Modifies data under HKEY_USERS
                            PID:6828
                          • C:\Windows\system32\cmd.exe
                            C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
                            5⤵
                              PID:5780
                              • C:\Windows\system32\netsh.exe
                                netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                                6⤵
                                • Modifies Windows Firewall
                                PID:6040
                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              powershell -nologo -noprofile
                              5⤵
                              • Drops file in System32 directory
                              • Modifies data under HKEY_USERS
                              PID:5320
                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              powershell -nologo -noprofile
                              5⤵
                              • Drops file in System32 directory
                              • Modifies data under HKEY_USERS
                              PID:6904
                            • C:\Windows\rss\csrss.exe
                              C:\Windows\rss\csrss.exe
                              5⤵
                              • Executes dropped EXE
                              • Adds Run key to start application
                              • Manipulates WinMonFS driver.
                              • Drops file in Windows directory
                              PID:5700
                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                powershell -nologo -noprofile
                                6⤵
                                • Drops file in System32 directory
                                • Modifies data under HKEY_USERS
                                PID:2712
                              • C:\Windows\SYSTEM32\schtasks.exe
                                schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                                6⤵
                                • DcRat
                                • Creates scheduled task(s)
                                PID:5216
                              • C:\Windows\SYSTEM32\schtasks.exe
                                schtasks /delete /tn ScheduledUpdate /f
                                6⤵
                                  PID:5708
                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  powershell -nologo -noprofile
                                  6⤵
                                  • Drops file in System32 directory
                                  • Modifies data under HKEY_USERS
                                  PID:828
                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  powershell -nologo -noprofile
                                  6⤵
                                  • Drops file in System32 directory
                                  • Modifies data under HKEY_USERS
                                  PID:5288
                                • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                                  C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                                  6⤵
                                  • Executes dropped EXE
                                  PID:3580
                                • C:\Windows\SYSTEM32\schtasks.exe
                                  schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                                  6⤵
                                  • DcRat
                                  • Creates scheduled task(s)
                                  PID:6060
                                • C:\Windows\windefender.exe
                                  "C:\Windows\windefender.exe"
                                  6⤵
                                  • Executes dropped EXE
                                  PID:5740
                                  • C:\Windows\SysWOW64\cmd.exe
                                    cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                                    7⤵
                                      PID:6256
                                      • C:\Windows\SysWOW64\sc.exe
                                        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                                        8⤵
                                        • Launches sc.exe
                                        PID:5716
                          • C:\Users\Admin\AppData\Local\Temp\1000085001\file300un.exe
                            "C:\Users\Admin\AppData\Local\Temp\1000085001\file300un.exe"
                            2⤵
                            • DcRat
                            • Executes dropped EXE
                            • Adds Run key to start application
                            • Suspicious use of SetThreadContext
                            • Suspicious use of WriteProcessMemory
                            PID:4496
                            • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                              "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
                              3⤵
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2604
                            • C:\Windows\system32\cmd.exe
                              "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\.BLRVzdv\svchost.exe"' & exit
                              3⤵
                              • Suspicious use of WriteProcessMemory
                              PID:3376
                              • C:\Windows\system32\schtasks.exe
                                schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\.BLRVzdv\svchost.exe"'
                                4⤵
                                • DcRat
                                • Creates scheduled task(s)
                                PID:436
                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                              3⤵
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:1020
                              • C:\Users\Admin\Pictures\NDETJa6sPxmbP4JlULJ9hFAT.exe
                                "C:\Users\Admin\Pictures\NDETJa6sPxmbP4JlULJ9hFAT.exe"
                                4⤵
                                • Checks computer location settings
                                • Executes dropped EXE
                                PID:568
                                • C:\Users\Admin\AppData\Local\Temp\ufs.0.exe
                                  "C:\Users\Admin\AppData\Local\Temp\ufs.0.exe"
                                  5⤵
                                  • Executes dropped EXE
                                  PID:5260
                                  • C:\Windows\SysWOW64\WerFault.exe
                                    C:\Windows\SysWOW64\WerFault.exe -u -p 5260 -s 1300
                                    6⤵
                                    • Program crash
                                    PID:6296
                                • C:\Users\Admin\AppData\Local\Temp\ufs.1.exe
                                  "C:\Users\Admin\AppData\Local\Temp\ufs.1.exe"
                                  5⤵
                                  • Executes dropped EXE
                                  • Suspicious use of SetWindowsHookEx
                                  PID:6064
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
                                    6⤵
                                      PID:5348
                                      • C:\Windows\SysWOW64\chcp.com
                                        chcp 1251
                                        7⤵
                                          PID:5876
                                        • C:\Windows\SysWOW64\schtasks.exe
                                          schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
                                          7⤵
                                          • DcRat
                                          • Creates scheduled task(s)
                                          PID:3836
                                    • C:\Windows\SysWOW64\WerFault.exe
                                      C:\Windows\SysWOW64\WerFault.exe -u -p 568 -s 1536
                                      5⤵
                                      • Program crash
                                      PID:6048
                                  • C:\Users\Admin\Pictures\9tffILNsblfrBiKalVXQOm4E.exe
                                    "C:\Users\Admin\Pictures\9tffILNsblfrBiKalVXQOm4E.exe"
                                    4⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    PID:2280
                                    • C:\Users\Admin\AppData\Local\Temp\u1rc.0.exe
                                      "C:\Users\Admin\AppData\Local\Temp\u1rc.0.exe"
                                      5⤵
                                      • Executes dropped EXE
                                      PID:6004
                                      • C:\Windows\SysWOW64\WerFault.exe
                                        C:\Windows\SysWOW64\WerFault.exe -u -p 6004 -s 1220
                                        6⤵
                                        • Program crash
                                        PID:6192
                                    • C:\Users\Admin\AppData\Local\Temp\u1rc.1.exe
                                      "C:\Users\Admin\AppData\Local\Temp\u1rc.1.exe"
                                      5⤵
                                      • Executes dropped EXE
                                      • Suspicious use of SetWindowsHookEx
                                      PID:5472
                                      • C:\Windows\SysWOW64\cmd.exe
                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
                                        6⤵
                                          PID:5452
                                          • C:\Windows\SysWOW64\chcp.com
                                            chcp 1251
                                            7⤵
                                              PID:5716
                                            • C:\Windows\SysWOW64\schtasks.exe
                                              schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
                                              7⤵
                                              • DcRat
                                              • Creates scheduled task(s)
                                              PID:5904
                                        • C:\Windows\SysWOW64\WerFault.exe
                                          C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 1160
                                          5⤵
                                          • Program crash
                                          PID:5640
                                      • C:\Users\Admin\Pictures\WgtdfAK8BX6kdw8MwWOFnUAu.exe
                                        "C:\Users\Admin\Pictures\WgtdfAK8BX6kdw8MwWOFnUAu.exe"
                                        4⤵
                                        • Executes dropped EXE
                                        PID:3744
                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          powershell -nologo -noprofile
                                          5⤵
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:6012
                                        • C:\Users\Admin\Pictures\WgtdfAK8BX6kdw8MwWOFnUAu.exe
                                          "C:\Users\Admin\Pictures\WgtdfAK8BX6kdw8MwWOFnUAu.exe"
                                          5⤵
                                          • DcRat
                                          • Executes dropped EXE
                                          • Adds Run key to start application
                                          • Checks for VirtualBox DLLs, possible anti-VM trick
                                          • Drops file in Windows directory
                                          PID:6488
                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            powershell -nologo -noprofile
                                            6⤵
                                            • Drops file in System32 directory
                                            • Modifies data under HKEY_USERS
                                            PID:6820
                                          • C:\Windows\system32\cmd.exe
                                            C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
                                            6⤵
                                              PID:5452
                                              • C:\Windows\system32\netsh.exe
                                                netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                                                7⤵
                                                • Modifies Windows Firewall
                                                PID:5192
                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              powershell -nologo -noprofile
                                              6⤵
                                              • Drops file in System32 directory
                                              • Modifies data under HKEY_USERS
                                              PID:6620
                                              • C:\Windows\System32\Conhost.exe
                                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                7⤵
                                                  PID:5740
                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                powershell -nologo -noprofile
                                                6⤵
                                                • Drops file in System32 directory
                                                • Modifies data under HKEY_USERS
                                                PID:6884
                                          • C:\Users\Admin\Pictures\eazOqh4NuQfCeody6sSmmD8y.exe
                                            "C:\Users\Admin\Pictures\eazOqh4NuQfCeody6sSmmD8y.exe"
                                            4⤵
                                            • Executes dropped EXE
                                            • Suspicious use of SetThreadContext
                                            PID:3460
                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                              5⤵
                                              • Suspicious use of NtCreateUserProcessOtherParentProcess
                                              PID:5836
                                              • C:\Windows\SysWOW64\WerFault.exe
                                                C:\Windows\SysWOW64\WerFault.exe -u -p 5836 -s 616
                                                6⤵
                                                • Program crash
                                                PID:5772
                                              • C:\Windows\SysWOW64\WerFault.exe
                                                C:\Windows\SysWOW64\WerFault.exe -u -p 5836 -s 612
                                                6⤵
                                                • Program crash
                                                PID:5440
                                          • C:\Users\Admin\Pictures\XTiiAa1fPkJ3xiLY8hB760oY.exe
                                            "C:\Users\Admin\Pictures\XTiiAa1fPkJ3xiLY8hB760oY.exe"
                                            4⤵
                                            • Executes dropped EXE
                                            PID:5560
                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              powershell -nologo -noprofile
                                              5⤵
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:5936
                                            • C:\Users\Admin\Pictures\XTiiAa1fPkJ3xiLY8hB760oY.exe
                                              "C:\Users\Admin\Pictures\XTiiAa1fPkJ3xiLY8hB760oY.exe"
                                              5⤵
                                              • DcRat
                                              • Executes dropped EXE
                                              • Adds Run key to start application
                                              • Checks for VirtualBox DLLs, possible anti-VM trick
                                              • Drops file in Windows directory
                                              • Modifies data under HKEY_USERS
                                              PID:6476
                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                powershell -nologo -noprofile
                                                6⤵
                                                • Drops file in System32 directory
                                                • Modifies data under HKEY_USERS
                                                PID:6800
                                              • C:\Windows\system32\cmd.exe
                                                C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
                                                6⤵
                                                  PID:5672
                                                  • C:\Windows\system32\netsh.exe
                                                    netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                                                    7⤵
                                                    • Modifies Windows Firewall
                                                    PID:5436
                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  powershell -nologo -noprofile
                                                  6⤵
                                                  • Drops file in System32 directory
                                                  PID:6696
                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  powershell -nologo -noprofile
                                                  6⤵
                                                  • Drops file in System32 directory
                                                  PID:6844
                                            • C:\Users\Admin\Pictures\HAxnl42jKWN9YwHZHa2OAHww.exe
                                              "C:\Users\Admin\Pictures\HAxnl42jKWN9YwHZHa2OAHww.exe"
                                              4⤵
                                              • Executes dropped EXE
                                              PID:5592
                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                powershell -nologo -noprofile
                                                5⤵
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2740
                                              • C:\Users\Admin\Pictures\HAxnl42jKWN9YwHZHa2OAHww.exe
                                                "C:\Users\Admin\Pictures\HAxnl42jKWN9YwHZHa2OAHww.exe"
                                                5⤵
                                                • DcRat
                                                • Executes dropped EXE
                                                • Adds Run key to start application
                                                • Checks for VirtualBox DLLs, possible anti-VM trick
                                                • Drops file in Windows directory
                                                PID:6528
                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  powershell -nologo -noprofile
                                                  6⤵
                                                  • Drops file in System32 directory
                                                  • Modifies data under HKEY_USERS
                                                  PID:6852
                                                • C:\Windows\system32\cmd.exe
                                                  C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
                                                  6⤵
                                                    PID:7116
                                                    • C:\Windows\system32\netsh.exe
                                                      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                                                      7⤵
                                                      • Modifies Windows Firewall
                                                      PID:1164
                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    powershell -nologo -noprofile
                                                    6⤵
                                                    • Drops file in System32 directory
                                                    • Modifies data under HKEY_USERS
                                                    PID:5188
                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    powershell -nologo -noprofile
                                                    6⤵
                                                    • Drops file in System32 directory
                                                    • Modifies data under HKEY_USERS
                                                    PID:4924
                                              • C:\Users\Admin\Pictures\fH6393mwgNgh1D0guCtDCA52.exe
                                                "C:\Users\Admin\Pictures\fH6393mwgNgh1D0guCtDCA52.exe"
                                                4⤵
                                                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                • Checks BIOS information in registry
                                                • Executes dropped EXE
                                                • Checks whether UAC is enabled
                                                • Drops file in System32 directory
                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                PID:5788
                                              • C:\Users\Admin\Pictures\CYoOmU856pwWKZXiUIbstHLU.exe
                                                "C:\Users\Admin\Pictures\CYoOmU856pwWKZXiUIbstHLU.exe" --silent --allusers=0
                                                4⤵
                                                • Executes dropped EXE
                                                • Loads dropped DLL
                                                • Enumerates connected drives
                                                • Modifies system certificate store
                                                PID:5144
                                                • C:\Users\Admin\Pictures\CYoOmU856pwWKZXiUIbstHLU.exe
                                                  C:\Users\Admin\Pictures\CYoOmU856pwWKZXiUIbstHLU.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.40 --initial-client-data=0x2ec,0x2f0,0x2f4,0x2c8,0x2f8,0x6eb221f8,0x6eb22204,0x6eb22210
                                                  5⤵
                                                  • Executes dropped EXE
                                                  • Loads dropped DLL
                                                  PID:724
                                                • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\CYoOmU856pwWKZXiUIbstHLU.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\CYoOmU856pwWKZXiUIbstHLU.exe" --version
                                                  5⤵
                                                  • Executes dropped EXE
                                                  • Loads dropped DLL
                                                  PID:5292
                                                • C:\Users\Admin\Pictures\CYoOmU856pwWKZXiUIbstHLU.exe
                                                  "C:\Users\Admin\Pictures\CYoOmU856pwWKZXiUIbstHLU.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=5144 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240325074516" --session-guid=de567c8c-8381-4352-b79c-a3314fbe7a72 --server-tracking-blob=MWFkY2RkOTFhZDAyMzBlZWIyZDc1OTY0OTI1NmY4Y2MxNzg5ZjNiZTRhOTJhNDZjMTgxNTA0N2M2YTk1YTY2Njp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcxMTM1MjcwOC4zODEyIiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiJhMDQ3M2ExYS04OTBiLTRiNWQtYThlMi1hN2ViMWYwODhhMjUifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=0C05000000000000
                                                  5⤵
                                                  • Executes dropped EXE
                                                  • Loads dropped DLL
                                                  • Enumerates connected drives
                                                  PID:5124
                                                  • C:\Users\Admin\Pictures\CYoOmU856pwWKZXiUIbstHLU.exe
                                                    C:\Users\Admin\Pictures\CYoOmU856pwWKZXiUIbstHLU.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.40 --initial-client-data=0x2e0,0x2e4,0x2e8,0x2bc,0x2f8,0x6e1621f8,0x6e162204,0x6e162210
                                                    6⤵
                                                    • Executes dropped EXE
                                                    • Loads dropped DLL
                                                    PID:2308
                                                • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403250745161\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403250745161\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
                                                  5⤵
                                                  • Executes dropped EXE
                                                  PID:1932
                                                • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403250745161\assistant\assistant_installer.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403250745161\assistant\assistant_installer.exe" --version
                                                  5⤵
                                                  • Executes dropped EXE
                                                  • Loads dropped DLL
                                                  PID:6852
                                                  • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403250745161\assistant\assistant_installer.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403250745161\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x430040,0x43004c,0x430058
                                                    6⤵
                                                    • Executes dropped EXE
                                                    • Loads dropped DLL
                                                    PID:6928
                                              • C:\Users\Admin\Pictures\PjnBLsCrGzwfVavcntySi6CQ.exe
                                                "C:\Users\Admin\Pictures\PjnBLsCrGzwfVavcntySi6CQ.exe"
                                                4⤵
                                                • Executes dropped EXE
                                                PID:5444
                                                • C:\Users\Admin\AppData\Local\Temp\7zSE639.tmp\Install.exe
                                                  .\Install.exe
                                                  5⤵
                                                  • Executes dropped EXE
                                                  PID:5552
                                                  • C:\Users\Admin\AppData\Local\Temp\7zSEA12.tmp\Install.exe
                                                    .\Install.exe /BCdnbdidxxMl "385118" /S
                                                    6⤵
                                                    • Checks BIOS information in registry
                                                    • Checks computer location settings
                                                    • Executes dropped EXE
                                                    • Drops file in System32 directory
                                                    • Enumerates system info in registry
                                                    PID:6120
                                                    • C:\Windows\SysWOW64\forfiles.exe
                                                      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
                                                      7⤵
                                                        PID:5524
                                                        • C:\Windows\System32\Conhost.exe
                                                          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          8⤵
                                                            PID:5272
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
                                                            8⤵
                                                              PID:5296
                                                              • \??\c:\windows\SysWOW64\reg.exe
                                                                REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
                                                                9⤵
                                                                  PID:5356
                                                                • \??\c:\windows\SysWOW64\reg.exe
                                                                  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
                                                                  9⤵
                                                                    PID:2132
                                                              • C:\Windows\SysWOW64\forfiles.exe
                                                                "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
                                                                7⤵
                                                                  PID:2208
                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                    /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
                                                                    8⤵
                                                                      PID:3272
                                                                      • \??\c:\windows\SysWOW64\reg.exe
                                                                        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
                                                                        9⤵
                                                                          PID:5184
                                                                        • \??\c:\windows\SysWOW64\reg.exe
                                                                          REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
                                                                          9⤵
                                                                            PID:4272
                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                        schtasks /CREATE /TN "gwQQhYUmu" /SC once /ST 05:59:11 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                        7⤵
                                                                        • DcRat
                                                                        • Creates scheduled task(s)
                                                                        PID:5496
                                                                        • C:\Windows\System32\Conhost.exe
                                                                          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          8⤵
                                                                            PID:2280
                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                          schtasks /run /I /tn "gwQQhYUmu"
                                                                          7⤵
                                                                            PID:5428
                                                                            • C:\Windows\System32\Conhost.exe
                                                                              \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              8⤵
                                                                                PID:5184
                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                              schtasks /DELETE /F /TN "gwQQhYUmu"
                                                                              7⤵
                                                                                PID:7148
                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                schtasks /CREATE /TN "bdnnguwcOLBYKAjbbA" /SC once /ST 07:46:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\OrUtnSx.exe\" id /Jcsite_idWGg 385118 /S" /V1 /F
                                                                                7⤵
                                                                                • DcRat
                                                                                • Drops file in Windows directory
                                                                                • Creates scheduled task(s)
                                                                                PID:3504
                                                                    • C:\Users\Admin\AppData\Local\Temp\1000087001\amadka.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\1000087001\amadka.exe"
                                                                      2⤵
                                                                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                      • Checks BIOS information in registry
                                                                      • Executes dropped EXE
                                                                      • Identifies Wine through registry keys
                                                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      PID:5184
                                                                    • C:\Windows\SysWOW64\rundll32.exe
                                                                      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
                                                                      2⤵
                                                                      • Loads dropped DLL
                                                                      PID:6072
                                                                      • C:\Windows\system32\rundll32.exe
                                                                        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
                                                                        3⤵
                                                                        • Blocklisted process makes network request
                                                                        • Loads dropped DLL
                                                                        PID:6136
                                                                        • C:\Windows\system32\netsh.exe
                                                                          netsh wlan show profiles
                                                                          4⤵
                                                                            PID:4464
                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\660967641992_Desktop.zip' -CompressionLevel Optimal
                                                                            4⤵
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:5852
                                                                      • C:\Windows\SysWOW64\rundll32.exe
                                                                        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
                                                                        2⤵
                                                                        • Blocklisted process makes network request
                                                                        • Loads dropped DLL
                                                                        PID:4688
                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4964 -ip 4964
                                                                      1⤵
                                                                        PID:4680
                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2280 -ip 2280
                                                                        1⤵
                                                                          PID:5552
                                                                        • C:\Windows\system32\svchost.exe
                                                                          C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
                                                                          1⤵
                                                                            PID:4900
                                                                          • C:\Windows\system32\svchost.exe
                                                                            C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
                                                                            1⤵
                                                                              PID:5328
                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 568 -ip 568
                                                                              1⤵
                                                                                PID:2196
                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5836 -ip 5836
                                                                                1⤵
                                                                                  PID:3316
                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5836 -ip 5836
                                                                                  1⤵
                                                                                    PID:6016
                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                    1⤵
                                                                                      PID:6288
                                                                                      • C:\Windows\system32\gpupdate.exe
                                                                                        "C:\Windows\system32\gpupdate.exe" /force
                                                                                        2⤵
                                                                                          PID:5840
                                                                                      • C:\Windows\system32\svchost.exe
                                                                                        C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
                                                                                        1⤵
                                                                                          PID:7096
                                                                                        • C:\Windows\system32\gpscript.exe
                                                                                          gpscript.exe /RefreshSystemParam
                                                                                          1⤵
                                                                                            PID:528
                                                                                          • C:\Windows\system32\cmd.exe
                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\77CB.bat" "
                                                                                            1⤵
                                                                                              PID:5852
                                                                                              • C:\Windows\system32\reg.exe
                                                                                                reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
                                                                                                2⤵
                                                                                                  PID:6316
                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4668 -ip 4668
                                                                                                1⤵
                                                                                                  PID:4720
                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5260 -ip 5260
                                                                                                  1⤵
                                                                                                    PID:6244
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\OrUtnSx.exe
                                                                                                    C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\OrUtnSx.exe id /Jcsite_idWGg 385118 /S
                                                                                                    1⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Drops file in System32 directory
                                                                                                    PID:4912
                                                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
                                                                                                      2⤵
                                                                                                      • Drops file in System32 directory
                                                                                                      • Modifies data under HKEY_USERS
                                                                                                      PID:3112
                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                        "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
                                                                                                        3⤵
                                                                                                          PID:6992
                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                            REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
                                                                                                            4⤵
                                                                                                              PID:6768
                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
                                                                                                            3⤵
                                                                                                              PID:6720
                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
                                                                                                              3⤵
                                                                                                                PID:5952
                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
                                                                                                                3⤵
                                                                                                                  PID:6076
                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
                                                                                                                  3⤵
                                                                                                                    PID:6772
                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
                                                                                                                    3⤵
                                                                                                                      PID:5692
                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
                                                                                                                      3⤵
                                                                                                                        PID:2872
                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
                                                                                                                        3⤵
                                                                                                                          PID:6464
                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
                                                                                                                          3⤵
                                                                                                                            PID:6284
                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
                                                                                                                            3⤵
                                                                                                                              PID:4084
                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
                                                                                                                              3⤵
                                                                                                                                PID:3280
                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
                                                                                                                                3⤵
                                                                                                                                  PID:2616
                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
                                                                                                                                  3⤵
                                                                                                                                    PID:6272
                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
                                                                                                                                    3⤵
                                                                                                                                      PID:5688
                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
                                                                                                                                      3⤵
                                                                                                                                        PID:4476
                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
                                                                                                                                        3⤵
                                                                                                                                          PID:7104
                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
                                                                                                                                          3⤵
                                                                                                                                            PID:6220
                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
                                                                                                                                            3⤵
                                                                                                                                              PID:6596
                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
                                                                                                                                              3⤵
                                                                                                                                                PID:6616
                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
                                                                                                                                                3⤵
                                                                                                                                                  PID:7056
                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
                                                                                                                                                  3⤵
                                                                                                                                                    PID:6040
                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
                                                                                                                                                    3⤵
                                                                                                                                                      PID:5504
                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
                                                                                                                                                      3⤵
                                                                                                                                                        PID:5456
                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
                                                                                                                                                        3⤵
                                                                                                                                                          PID:6872
                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
                                                                                                                                                          3⤵
                                                                                                                                                            PID:6536
                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
                                                                                                                                                            3⤵
                                                                                                                                                              PID:3052
                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
                                                                                                                                                              3⤵
                                                                                                                                                                PID:6980
                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                3⤵
                                                                                                                                                                  PID:6696
                                                                                                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCifMpYymZWU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCifMpYymZWU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gbPxNkbXHfUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gbPxNkbXHfUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mVqQIGUXDOgrC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mVqQIGUXDOgrC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yvWovCiVU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yvWovCiVU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WkkDuRgYrrqHXcVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WkkDuRgYrrqHXcVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IzRZTwSZebgYVSAl\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IzRZTwSZebgYVSAl\" /t REG_DWORD /d 0 /reg:64;"
                                                                                                                                                                2⤵
                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                • Modifies data under HKEY_USERS
                                                                                                                                                                PID:3028
                                                                                                                                                                • C:\Windows\System32\Conhost.exe
                                                                                                                                                                  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                  3⤵
                                                                                                                                                                    PID:7116
                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                    3⤵
                                                                                                                                                                      PID:7108
                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                        4⤵
                                                                                                                                                                          PID:6704
                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                        3⤵
                                                                                                                                                                          PID:6556
                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gbPxNkbXHfUn" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                          3⤵
                                                                                                                                                                            PID:6560
                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gbPxNkbXHfUn" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                            3⤵
                                                                                                                                                                              PID:6336
                                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mVqQIGUXDOgrC" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                              3⤵
                                                                                                                                                                                PID:6588
                                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mVqQIGUXDOgrC" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                3⤵
                                                                                                                                                                                  PID:6664
                                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                  3⤵
                                                                                                                                                                                    PID:7156
                                                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                    3⤵
                                                                                                                                                                                      PID:6660
                                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yvWovCiVU" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                      3⤵
                                                                                                                                                                                        PID:6156
                                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yvWovCiVU" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                        3⤵
                                                                                                                                                                                          PID:5572
                                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WkkDuRgYrrqHXcVB /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                          3⤵
                                                                                                                                                                                            PID:892
                                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WkkDuRgYrrqHXcVB /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                            3⤵
                                                                                                                                                                                              PID:5720
                                                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                              3⤵
                                                                                                                                                                                                PID:7064
                                                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                                3⤵
                                                                                                                                                                                                  PID:6880
                                                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                    PID:5980
                                                                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                      PID:7060
                                                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                        PID:2712
                                                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                          PID:116
                                                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IzRZTwSZebgYVSAl /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                            PID:3420
                                                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IzRZTwSZebgYVSAl /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                              PID:3352
                                                                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                            schtasks /CREATE /TN "gwMKBreSR" /SC once /ST 00:59:49 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                            • DcRat
                                                                                                                                                                                                            • Creates scheduled task(s)
                                                                                                                                                                                                            PID:6388
                                                                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                            schtasks /run /I /tn "gwMKBreSR"
                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                              PID:6212
                                                                                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                              schtasks /DELETE /F /TN "gwMKBreSR"
                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                PID:6284
                                                                                                                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                schtasks /CREATE /TN "mRaseIvrfxDtBOYKW" /SC once /ST 05:30:23 /RU "SYSTEM" /TR "\"C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\ZQqYSYc.exe\" Ty /yKsite_idZvb 385118 /S" /V1 /F
                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                • DcRat
                                                                                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                                                                                • Creates scheduled task(s)
                                                                                                                                                                                                                PID:5396
                                                                                                                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                schtasks /run /I /tn "mRaseIvrfxDtBOYKW"
                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                  PID:2132
                                                                                                                                                                                                                  • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                      PID:3504
                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                                                                                                  • Checks BIOS information in registry
                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                  • Identifies Wine through registry keys
                                                                                                                                                                                                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                  PID:780
                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe
                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe
                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                  PID:3744
                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 6004 -ip 6004
                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                    PID:5204
                                                                                                                                                                                                                  • C:\Windows\windefender.exe
                                                                                                                                                                                                                    C:\Windows\windefender.exe
                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                    • Modifies data under HKEY_USERS
                                                                                                                                                                                                                    PID:6244
                                                                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                                                                                                                    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                      PID:2992
                                                                                                                                                                                                                      • C:\Windows\system32\gpupdate.exe
                                                                                                                                                                                                                        "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                          PID:2152
                                                                                                                                                                                                                      • C:\Windows\system32\gpscript.exe
                                                                                                                                                                                                                        gpscript.exe /RefreshSystemParam
                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                          PID:6236
                                                                                                                                                                                                                        • C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\ZQqYSYc.exe
                                                                                                                                                                                                                          C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\ZQqYSYc.exe Ty /yKsite_idZvb 385118 /S
                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                          • Checks computer location settings
                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                          • Drops Chrome extension
                                                                                                                                                                                                                          • Drops desktop.ini file(s)
                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                          • Drops file in Program Files directory
                                                                                                                                                                                                                          PID:936
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                            schtasks /DELETE /F /TN "bdnnguwcOLBYKAjbbA"
                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                              PID:5296
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                              cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                PID:5744
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                  REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                    PID:368
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                    PID:6040
                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                        PID:4568
                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                      schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\yvWovCiVU\tQZLna.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "eGwAoTnpAObQfPU" /V1 /F
                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                      • DcRat
                                                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                                                      • Creates scheduled task(s)
                                                                                                                                                                                                                                      PID:6872
                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                      schtasks /CREATE /TN "eGwAoTnpAObQfPU2" /F /xml "C:\Program Files (x86)\yvWovCiVU\turCmMd.xml" /RU "SYSTEM"
                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                      • DcRat
                                                                                                                                                                                                                                      • Creates scheduled task(s)
                                                                                                                                                                                                                                      PID:5504
                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                      schtasks /END /TN "eGwAoTnpAObQfPU"
                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                        PID:6252
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                        schtasks /DELETE /F /TN "eGwAoTnpAObQfPU"
                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                          PID:3544
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                          schtasks /CREATE /TN "ALvbXdfFiQJKEp" /F /xml "C:\Program Files (x86)\LCifMpYymZWU2\BxqUtce.xml" /RU "SYSTEM"
                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                          • DcRat
                                                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                                                          PID:3948
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                          schtasks /CREATE /TN "BIiSjOILpRnDn2" /F /xml "C:\ProgramData\WkkDuRgYrrqHXcVB\JLTzLJm.xml" /RU "SYSTEM"
                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                          • DcRat
                                                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                                                          PID:5772
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                          schtasks /CREATE /TN "uCAhUOuaRBfXDMltv2" /F /xml "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\wptboXB.xml" /RU "SYSTEM"
                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                          • DcRat
                                                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                                                          PID:6104
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                          schtasks /CREATE /TN "cLzKLCJHWfKFSkdKasF2" /F /xml "C:\Program Files (x86)\mVqQIGUXDOgrC\bYFLPDi.xml" /RU "SYSTEM"
                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                          • DcRat
                                                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                                                          PID:4440
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                          schtasks /CREATE /TN "FTXCzbcEvROqagNdd" /SC once /ST 04:57:15 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\IzRZTwSZebgYVSAl\RajEPzgz\HQQuYEm.dll\",#1 /Dfsite_idSTG 385118" /V1 /F
                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                          • DcRat
                                                                                                                                                                                                                                          • Drops file in Windows directory
                                                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                                                          PID:4448
                                                                                                                                                                                                                                          • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                              PID:6704
                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                            schtasks /run /I /tn "FTXCzbcEvROqagNdd"
                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                              PID:7108
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                              cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                PID:5716
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                  REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                    PID:6212
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                    PID:4896
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                        PID:7012
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                      schtasks /DELETE /F /TN "mRaseIvrfxDtBOYKW"
                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                        PID:2536
                                                                                                                                                                                                                                                    • C:\Windows\system32\rundll32.EXE
                                                                                                                                                                                                                                                      C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\IzRZTwSZebgYVSAl\RajEPzgz\HQQuYEm.dll",#1 /Dfsite_idSTG 385118
                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                        PID:6608
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                          C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\IzRZTwSZebgYVSAl\RajEPzgz\HQQuYEm.dll",#1 /Dfsite_idSTG 385118
                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                          • Blocklisted process makes network request
                                                                                                                                                                                                                                                          • Checks BIOS information in registry
                                                                                                                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                                                                                                                          • Enumerates system info in registry
                                                                                                                                                                                                                                                          • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                          PID:3448
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                            schtasks /DELETE /F /TN "FTXCzbcEvROqagNdd"
                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                              PID:6816
                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\6558.exe
                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\6558.exe
                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                          PID:5688
                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\6558.exe
                                                                                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\6558.exe
                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                            • Checks computer location settings
                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                            • Adds Run key to start application
                                                                                                                                                                                                                                                            PID:3936
                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                              icacls "C:\Users\Admin\AppData\Local\13321316-cf0e-4435-9812-5e7fd2442ecd" /deny *S-1-1-0:(OI)(CI)(DE,DC)
                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                              • Modifies file permissions
                                                                                                                                                                                                                                                              PID:6984
                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\6558.exe
                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\6558.exe" --Admin IsNotAutoStart IsNotTask
                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                              PID:4508
                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\6558.exe
                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\6558.exe" --Admin IsNotAutoStart IsNotTask
                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                PID:2732
                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 568
                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                  • Program crash
                                                                                                                                                                                                                                                                  PID:1348
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2732 -ip 2732
                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                            PID:6616
                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
                                                                                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                                                                                                                                            • Checks BIOS information in registry
                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                            • Identifies Wine through registry keys
                                                                                                                                                                                                                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                            PID:6488
                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe
                                                                                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe
                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                            PID:1548
                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\8054.exe
                                                                                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\8054.exe
                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                            PID:6344

                                                                                                                                                                                                                                                          Network

                                                                                                                                                                                                                                                          MITRE ATT&CK Enterprise v15

                                                                                                                                                                                                                                                          Reconnaissance

                                                                                                                                                                                                                                                          Resource Development

                                                                                                                                                                                                                                                          Initial Access

                                                                                                                                                                                                                                                          Execution

                                                                                                                                                                                                                                                          Scheduled Task/Job

                                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                                          T1053

                                                                                                                                                                                                                                                          Persistence

                                                                                                                                                                                                                                                          Boot or Logon Autostart Execution

                                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                                          T1547

                                                                                                                                                                                                                                                          Registry Run Keys / Startup Folder

                                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                                          T1547.001

                                                                                                                                                                                                                                                          Create or Modify System Process

                                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                                          T1543

                                                                                                                                                                                                                                                          Windows Service

                                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                                          T1543.003

                                                                                                                                                                                                                                                          Scheduled Task/Job

                                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                                          T1053

                                                                                                                                                                                                                                                          Privilege Escalation

                                                                                                                                                                                                                                                          Boot or Logon Autostart Execution

                                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                                          T1547

                                                                                                                                                                                                                                                          Registry Run Keys / Startup Folder

                                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                                          T1547.001

                                                                                                                                                                                                                                                          Create or Modify System Process

                                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                                          T1543

                                                                                                                                                                                                                                                          Windows Service

                                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                                          T1543.003

                                                                                                                                                                                                                                                          Scheduled Task/Job

                                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                                          T1053

                                                                                                                                                                                                                                                          Defense Evasion

                                                                                                                                                                                                                                                          File and Directory Permissions Modification

                                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                                          T1222

                                                                                                                                                                                                                                                          Impair Defenses

                                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                                          T1562

                                                                                                                                                                                                                                                          Disable or Modify System Firewall

                                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                                          T1562.004

                                                                                                                                                                                                                                                          Modify Registry

                                                                                                                                                                                                                                                          2
                                                                                                                                                                                                                                                          T1112

                                                                                                                                                                                                                                                          Subvert Trust Controls

                                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                                          T1553

                                                                                                                                                                                                                                                          Install Root Certificate

                                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                                          T1553.004

                                                                                                                                                                                                                                                          Virtualization/Sandbox Evasion

                                                                                                                                                                                                                                                          2
                                                                                                                                                                                                                                                          T1497

                                                                                                                                                                                                                                                          Credential Access

                                                                                                                                                                                                                                                          Unsecured Credentials

                                                                                                                                                                                                                                                          5
                                                                                                                                                                                                                                                          T1552

                                                                                                                                                                                                                                                          Credentials In Files

                                                                                                                                                                                                                                                          4
                                                                                                                                                                                                                                                          T1552.001

                                                                                                                                                                                                                                                          Credentials in Registry

                                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                                          T1552.002

                                                                                                                                                                                                                                                          Discovery

                                                                                                                                                                                                                                                          Peripheral Device Discovery

                                                                                                                                                                                                                                                          2
                                                                                                                                                                                                                                                          T1120

                                                                                                                                                                                                                                                          Query Registry

                                                                                                                                                                                                                                                          10
                                                                                                                                                                                                                                                          T1012

                                                                                                                                                                                                                                                          Remote System Discovery

                                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                                          T1018

                                                                                                                                                                                                                                                          System Information Discovery

                                                                                                                                                                                                                                                          9
                                                                                                                                                                                                                                                          T1082

                                                                                                                                                                                                                                                          Virtualization/Sandbox Evasion

                                                                                                                                                                                                                                                          2
                                                                                                                                                                                                                                                          T1497

                                                                                                                                                                                                                                                          Lateral Movement

                                                                                                                                                                                                                                                          Collection

                                                                                                                                                                                                                                                          Data from Local System

                                                                                                                                                                                                                                                          5
                                                                                                                                                                                                                                                          T1005

                                                                                                                                                                                                                                                          Command and Control

                                                                                                                                                                                                                                                          Web Service

                                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                                          T1102

                                                                                                                                                                                                                                                          Exfiltration

                                                                                                                                                                                                                                                          Impact

                                                                                                                                                                                                                                                          Replay Monitor

                                                                                                                                                                                                                                                          Loading Replay Monitor...

                                                                                                                                                                                                                                                          Downloads

                                                                                                                                                                                                                                                          • C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            1024KB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            69bc30aa65dd38cdc68eaea0e84fa865

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            2a151cbfc25eaccb486ed796f87a6d4c9b469793

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            b6748f79c3f7564593f36a4a5ec3315463d6482481b1403f287720ac21466b0a

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            c460532cce80f165bf544b3c76d2f4a557898c519e1f38638eea57ceababd88511c1a16df6c8d6e4e94e3879127e488391f643fff57d12e0cd5a5a93005f4575

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\ProgramData\Are.docx
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            11KB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            a33e5b189842c5867f46566bdbf7a095

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            e1c06359f6a76da90d19e8fd95e79c832edb3196

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\ProgramData\mozglue.dll
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            593KB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            c8fd9be83bc728cc04beffafc2907fe9

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            95ab9f701e0024cedfbd312bcfe4e726744c4f2e

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\2rLePq5FSY7hZqaBJSPugShz.exe
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            1.6MB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            9119fdc161ff0fdb317d45a860266e73

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            374d373aad6b7b26973dda18baa5b2c8dd47adb9

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            b7131e87e473b81aad27a30484bd2dad18d27997d15928998451724981595f0e

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            9693a2351def3fe5dc117ec7128e451e63eef56c08d17fdf6ed50b5134771e20b08b891efa3e6e055023979e4f37f9e6c7501e2127c177413229093a3fafa53f

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            187B

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            2a1e12a4811892d95962998e184399d8

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            136B

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            238d2612f510ea51d0d3eaa09e7136b1

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            0953540c6c2fd928dd03b38c43f6e8541e1a0328

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            150B

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            0b1cf3deab325f8987f2ee31c6afc8ea

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            6a51537cef82143d3d768759b21598542d683904

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            10KB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            ee58d2c95bb1e8467cd1cb8ecddca733

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            ad543c33d77885628a4d2a71c1920a40bb2eda74

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            e3c1bac42000aae5e0e09dede353178cfe71496e35335dbf52c295715b281647

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            3e8dac84793cb8892a9d3bb48f1c4e2e0fdb9bb07d066b150399bbe505602c003338f79a1df7f9a89e3499ddfe82d5a8861795fbf6658b3ff7dcf7896bd63270

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            34KB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            000ad97f210e4d820aea04610e33d6a4

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            afc9c5d515b73c17da0dc95941c3a869d89a7d1e

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            6d0326caaf48e57b65cba3d8be2caeca9c3469e1a84fd456b6f5f9f35de47576

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            d1b1671706ddde9a105193087d7fce0055cd3d0f976d9ed8dc5fec633279d014c9d53f05efbbe38442343634bb2a5b590aa1ba71e053a513dff2e6123ecb01d2

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            3KB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            fe3aab3ae544a134b68e881b82b70169

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            926e9b4e527ae1bd9b3b25726e1f59d5a34d36a6

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            bda499e3f69d8fe0227e734bbb935dc5bf0050d37adf03bc41356dfcb5bcca0b

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            3fbd3499d98280b6c79c67b0ee183b27692dbc31acf103b4f8ca4dcdf392afff2b3aad500037f4288581ed37e85f45c3bbb5dcde11cddf3ef0609f44b2ecb280

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            151B

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            bd6b60b18aee6aaeb83b35c68fb48d88

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            9b977a5fbf606d1104894e025e51ac28b56137c3

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            11KB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            00fc3761b2ec5fcedff893b668a7aa5d

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            4d3798853d74e85a02b1efb78c989d506efa9e8a

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            abb0599266bc878f9a1a8fb18b873502f32f403d8e3cfe994775a1e58396070e

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            3fff6b0469f4c28205ee11190818262d86b18aeb0a9572bacb97ca42b4ccf1a80f1287bde11361f726e3fd0193556443c653bd170ba3f420596dfd1d50facd03

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            1KB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            74cd4674166ac8f1bea0a81b6bb8eabc

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            0e7e9faee65e22e86a0f47664f3489c12e710d90

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            430d083ba64e6ecf668e892360b5a4a3423ff492e84f01f14aa69957de2e1e44

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            ce07207402aefa1503da21c5cc29e55f777abd5a04b2b41061c6d6a37da7ec3a2df0388c7481bf0c71e4f656cb703ca19c6ecde9cbe5ae21d2948321ee7d7391

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\CYoOmU856pwWKZXiUIbstHLU.exe
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            1.5MB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            8d455236dc3bc52c5fa5ed8b3353402c

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            eb5a4282b8313fedc71d9470d4acbdf8151cf859

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            03fda08ec369cf756867cc3cf5cb86e0e0bf30256ed4184e5f399d08f71d4df5

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            68d9d6eec1bfb2fe3254f38c17f4493b4a8029edba634b37662e4dd5a9c9f08378931cfd4c6d316ce24bc1e39a020830a9374ad702e1f1f5953776d0e768c778

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403250745161\additional_file0.tmp
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            2.5MB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            20d293b9bf23403179ca48086ba88867

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            dedf311108f607a387d486d812514a2defbd1b9e

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            5d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403250745161\opera_package
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            15.8MB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            e2c581ccea4ec60ec6382c494b3a9182

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            fa85799db7a3e4d531ae64f5ac50bdc2b66c3dc6

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            cbf5025f2784ef7a2e033485de94305c85800848bc4d0bd3239b1ff342d6c38a

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            c76bca7dfdbb56bfd17b9977be1d8db9c65969edaa930610db3b54b49774f275aa0f0e164b7c1ae89a44f00845c48cb89b6c4b01fc555f5ac6890802d20990d5

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            1.8MB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            7ce37ff1e89c1fc09e26a921b321828c

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            2aa177a9179e204092b4d242b0e521f1e04c1b7d

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            bb4a0140d4b23f0f4d334dae72e8bd9cd865158f65f7a7ed65714723a7eeec33

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            5ab44ae449329edbf9851c182a035f25ed0f34cdcd2165588bd8cd9d7c5cfcfdc348c7578c347e3b2cf05b6f259321c5a3e650dd85466bfa589dd1861339eab8

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\1000022001\4e8bb0e286.exe
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            3.0MB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            70a853de51fff863cd5f2813a0cec054

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            b85c0de47f726380a12722ef4c16c14919ac61fc

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            c184747eb3ef1bae441893f5436751f5c4e859b17c551d083dcaffd3ec5630cd

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            6112a5e988eb7a0a8e64fe3ecda97bd78a533bb68d601c62a2452b8e1c6810c0e485bfb709086fecc35907600f8a4a66d34956c19ae29d6cedc82a0950a7681b

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            413KB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            d467222c3bd563cb72fa49302f80b079

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            9335e2a36abb8309d8a2075faf78d66b968b2a91

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            fedb08b3ec7034a15e9dee7ed4dec1a854fb78e74285e1ee05c90f9e9e4f8b3e

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            484b6c427e28193ddb73dd7062e2bfbd132ddc72ce4811bfe08784669de30e4b92bc27140373f62a4ce651401000a3c505188620c43da410bf6b0799a0791fa7

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            418KB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            0099a99f5ffb3c3ae78af0084136fab3

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            0205a065728a9ec1133e8a372b1e3864df776e8c

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\1000085001\file300un.exe
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            3.4MB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            cc0940c21b90ed055ddc4bf9e8657a36

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            522f6054869b772da74de0fc4e0dd52e3aa0ef8e

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            09715ad5df976dd59ef6e12ccf7dd715cd81067a3b96ee3a2e4a50a9d476b31e

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            97f83288ab044e668077d97bd214c1675c7f55cc269ddb77adea4307ab9eb0fc7f6d75ee2dc6b43c242a95f52e57b502ff8b17beaff99f3025c741f8e366190a

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\1000085001\file300un.exe
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            1.4MB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            01bb789177fef26502da93a3872eb8be

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            7c9f7f771b4059127bca1aae19f0b992989ff0ed

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            15cd90736a926b67980ace0a0aa1e54c6e24017ff95b46bc4475eaa2d406c360

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            bc11f8e4e5a16150663bfb0a0d0ef2cfa40384068b55cce222ad97f9d719473528bea15ffa0959fda6eef9945b5803a3eaffed52f16397a91b6a794c0e9bd349

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\1000085001\file300un.exe
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            1.8MB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            4d6c608435da1f14de06e7e76e3a2c6c

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            e45fc1d82c26c93c11d123fe7b9d8e3ff968da25

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            85bc5402d10882d7f4088a48d672a89dc446677c9e9a14ce86cca5884b6983a2

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            83959c334b170d39cfa9565e59ef1162613faabd2abc3710ca4a9f06ea85a3fd4a7d6164a5f37233e8ce77a4ec3dd68c0364e949b72d22b97dae948e6f0903e7

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\1000087001\amadka.exe
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            1.4MB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            c2412d52cc868538bc13840dfa8b784b

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            bf8780d87a5cb0ad23fda7b92328423120ee54fd

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            3299bd829bd33d0e4b11df3d0a0fa1e3a4e90c077766459bc436841b77d8b092

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            ba10e7329dd71d9b35f06bc53143e85ec5551363743b0121cbfe4967227846b1466fb1653e7975b8129ebf123bccbe393c7fcc7b145c7f2138f48e3bf4bbc61f

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\1000172001\ISetup8.exe
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            443KB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            eeecb2b258c39d3af4d16c2f56f5d82d

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            64c04f51dc4614e812bd41e166bdd4c540d84df9

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            60a5b8100e41afd1b8fae148a0fea360173742ca63ff383469e4facf54d03634

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            169ecebc66dbd55dc12297483fdc93b65c54de70df6d21b1b0b2bedfb079d6319dbd67f8f26da15f63a9afec4d5d0ca818aece7a1942ad0c5b9439c07fde1a2d

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub1.exe
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            294KB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            5700c54d51e14d0ce00bbbb6015baed2

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            71eb9361a9d6b35317fc8a385b748a8a6ce3bee7

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            583d73f0111e0aeed0a34fa4fc4ba85875a11f88ac93f9bacb59359aaf5b94e2

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            9dddd66cf82aead6400a19e81ccd0ebc0f5e312bc5772937e1929820a1db0fb74cf1480ef3bb9e9c70aefa25ce02c8c7d9f1a17bff6eb2137d76247a61eb2b9d

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\1000174001\4767d2e713f2021e8fe856e3ea638b58.exe
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            2.8MB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            d1380cae37236d30402a9feb7a553937

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            4dd688366370257ac7ef2686430f441a599510aa

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            4ae963f23ed4ae6d103b55c84a4278f4ccc72e86f3ba65174e54d43efc159cc1

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            440d1ab4fa4254bee8dfbb30a9406253b9ea2ae8e51bffc27f72985bdd3e3005c0ac33a36ef62cec41cc6c6d318e82f0801a79a5ff473c6cfa2a78f536c35a63

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\1000174001\4767d2e713f2021e8fe856e3ea638b58.exe
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            2.2MB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            83d660763129729599ae9fd85e3c81f1

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            5b9aa25f01b82765ef072a950f70b2d82711af6c

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            9133155b4fce2fe229fbd19bce69c627f5e38248c5f2c26f5617ec1698ac90b0

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            65713fd4f134cd49c5363c939d11b8ca68b7ae791bf54e47b1d317b10b8fc08cb0ad828e435a50ae630becc2a81bba8c8ec15a775729adda62c5a85c9551b083

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\1000174001\4767d2e713f2021e8fe856e3ea638b58.exe
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            1.9MB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            512c459443a024f3628c07cfd4d72915

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            52abdb1ec96ac6d7f044b08ca205344c3afe9fa2

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            7e9307de1147ca37fd8bee9b55f2b7560ec03f9b3cbcb9c8ce7ba57acb5b46a6

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            12b08a7018df57388ed1b7d3167a0b5e58718a54336854166737f6e22c8f8dda5fcc4702a61eb8b4f9c59d8e5869d1584aa4990d85028da706de83321713d876

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403250745152225144.dll
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4.6MB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            4bef2086f25c5813396d07b5fdce31ec

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            89f3a0f7b5143abd610795bc2981ca5bbbc40071

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            5a63f85ed97a4f41aa7e13228c35eef1ad60984f54ed2f843191c21fe7c45a98

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            85dffa48f112024e9c644420f74c7bfff0e88b3c0e4b642f52927c5a5e46890acf8755d4f78d42badaf8512bdae2526bd9d79e61d71f99f5079fe50304ddf7a2

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Opera_installer_240325074515690724.dll
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            2.3MB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            569d2161e9404ff9ee6e04ea57d5d492

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            b89923023cea65443d1419ff239109fe3fb51fb9

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            2d1aeb65e1a1ebf30a122e59da22ae12b4dc2af8cd78c96f0b191968cdfce7cd

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            eb3a6f1fe3835cf3b05b9d8660336f8cf68ee991b464f9b2169d0271a0eb98ee58eaabd3e91c808e9c46def26e6e94c9c1d2680e207058e24d0b1da6ed1dc7e8

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403250745163785292.dll
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            2.2MB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            5e32ec53fad8f46d1dc94adacbfc95c4

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            19cb842fbfec85c9da507c81c9079fdc19af4227

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            44381570ddec0def8339c3de7780e444c6504c40df143e0bc9a446f4529d7590

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            085814a3a40e52613e80745782e45e65dfc799804c2cedbb954c6d9f039efba39aeaf75eebf9b28f7de69e17445eff1725b2176d6dbe98959ecb9692f6fc14f2

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ysny2ch4.szn.ps1
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            60B

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\u1rc.1.exe
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            1.3MB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            eeec6de42a9722eade59935376fdae88

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            d4a4682680674e9f151a2a5544795758e4d9d824

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            d8079f789a1d2d6dc9c4362243db3bf5ff9433a4dd938bef103620a7a6d34b48

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            db4d3b7d3955bae64d27333b7404f096c75121de71f902121382cccaf79dc4ed16cf04b5fdaf80f7e5d78fb3d5aeeff5a0dbacc1cf1ec79d9a31acfc05bdbeb3

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\u1rc.1.exe
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            1.6MB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            e21c7d13f0fa52d40a04861b68541a4d

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            05a6ed1daa9b4cc551e4471e84227aca179887c0

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            973c66020724a0f158e03b731e3d56b22698cc0f003c75bd1bba29c02e4192d8

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            de68362cc10829a9ab973afffb9a1c6e135b49964e1e422dea6432908631a9c2efe1379e802085a09f2ab9b54b047c35946eb3d7b153eb6815a51924d1624953

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\u3tw.0.exe
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            298KB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            2b55ebb7ab2afae223ed5866f371a793

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            f11309be54effb39cf805e9bbdc61d25bceaa08a

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            b02a4de7b61b82fdcaf0ea96ac876ec659af6b39fe8680d7a6fdccefb0f97b70

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            d0980256a7f68b470eb792f3e7ae2e564b02b90a1c6d0acaf40b1d1a24e257a425fd64dcd1de58b09e3ebb01a53972ce041e64affe3e33af721f2789ab63ba5c

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\u3tw.1.exe
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            1.7MB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            eee5ddcffbed16222cac0a1b4e2e466e

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            28b40c88b8ea50b0782e2bcbb4cc0f411035f3d5

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            2a40e5dccc7526c4982334941c90f95374460e2a816e84e724e98c4d52ae8c54

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            8f88901f3ebd425818db09f268df19ccf8a755603f04e9481bcf02b112a84393f8a900ead77f8f971bfa33fd9fa5636b7494aaee864a0fb04e3273911a4216dc

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0etkwu5l.default-release\prefs.js
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            6KB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            21b1e65d8350147676424196d32308ce

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            377b02f1d6667b3e58e5b3b04a50cded39fea25b

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            baa2c1bfe1694453cd0f3db5545fc383c952df0ab7c26c9b8fa9bfdd0c1984ed

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            07ab6ed6a8b7ce957c1fd36277af0602e5489dda59a164a743ad65bc116a3947fb649713db5518ff260b8303be05ad7cdb12006b70d186aa19be635500631113

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Temp\Task.bat
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            128B

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            11bb3db51f701d4e42d3287f71a6a43e

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            109KB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            726cd06231883a159ec1ce28dd538699

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            404897e6a133d255ad5a9c26ac6414d7134285a2

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            1.2MB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            15a42d3e4579da615a384c717ab2109b

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            22aeedeb2307b1370cdab70d6a6b6d2c13ad2301

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            109KB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            154c3f1334dd435f562672f2664fea6b

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            51dd25e2ba98b8546de163b8f26e2972a90c2c79

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            1.2MB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            f35b671fda2603ec30ace10946f11a90

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            059ad6b06559d4db581b1879e709f32f80850872

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            960KB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            a6baa1c9883e905ef4199ffcbf123cd5

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            468f6d2991d7f61212b927c502432cfa546c4efe

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            a9b8b2919bceb31cfc1a0f6d190b7e07dcc10e14e42d19ff370e74387966c825

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            22a8eb2419f243af7fb373d81b6eaaebc93a69411c8a261295b1462af725166ce8b63fa2d02b7fd71f29f78dc0b154a6334ed6ad92f4f503fb2823c2215a520f

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\Pictures\9tffILNsblfrBiKalVXQOm4E.exe
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            443KB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            569b8ea2dcd41eb39f3b3b5617fc11bd

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            7ed08d93e47d0efc722d4e3a81bbebba7029264d

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            7aab5bd17d99f326a857d9d485b7ba9db767bac179478d44b6637678564cf347

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            6fc95adeccbc0ebc9e3003521a1ea088e933b83176c088f6435c234bd2ebde190d0dd0c09615ba58595392e30988f1b7a94a59b17caf6a47cfb4d6b7811b5d2a

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\Pictures\9tffILNsblfrBiKalVXQOm4E.exe
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            37e6b812788fb89b9dc9489043adc446

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            caa0b049c682c1b127e9a6adc170403277720cd1

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            0d9e31c51b2cb0017f3981c7a3fa3fe36414ee93795a64121783f2a6b83c8707

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            d041fcdd52153c2849a22a0afed21d24a319788e9cc8dc7d2321a0ec6a45546cb2f063cf3050b7d830030ba39dd1efb8b6b6a0ffb7e972dca719e602ea423343

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\Pictures\CYoOmU856pwWKZXiUIbstHLU.exe
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            704KB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            ee7c182ca831773137cd41c3b57f9b55

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            b2eba2147884727590b3b7d9eb836402131026fc

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            81bc48615041a08c33f7325295c9948ae6496863ca44770606fe21a79f8822f8

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            6d5ed8374c99f1c165511441a04714f9a8eee6e05883ffe08add297836d2b8eaffab15efab775f22eb7b2426445efb67193791cc829b0462b917035a8db8eb93

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\Pictures\CYoOmU856pwWKZXiUIbstHLU.exe
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            1.2MB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            0a23a1f5dd2e5c2139bdaad994eaf46c

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            7bf84fbb35d23ad4ad4ea083366c79569e712734

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            1aa998ba624f6958c96bd1b4268d5189ae50ff168e2f29a69aedb705c5d7ed9d

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            1c90df24364e8b85d44e06c50e19e482bdf06d9c79ff4f2f8675d1dd00e9a13dd806296fc84271c09271452cb2d07720bc4ec45200183c4e3e0194b843b6d86a

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\Pictures\CYoOmU856pwWKZXiUIbstHLU.exe
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            23KB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            c74d1f913e8749b49082d84fbf4716b6

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            0b1de23a670616edcade89fe69cc7527a9e2336d

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            3997590822dbe158f7e022fc9856b18b4d4c5a50d3c731b7e7c3f3e669dd56e3

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            f6a7e97f157456c8d824502a15e9deb7a5a1820f98952cbd261b9ff36f9c27a865b962767009f9c5e6f927113fd420333811e5a6393a1615e0de0437a98a9883

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\Pictures\CYoOmU856pwWKZXiUIbstHLU.exe
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            2.0MB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            5a40fc1dcfb66e811f22d981629d5fb1

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            108e87da1f022d5e12a86ff81d46ddc311023c06

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            7b44a388a2e0ee0834ee79c8fb28488efc0ab27e6811ab9d1c41057983e071ea

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            5a5ba18e542bf3393a37a27c6f9ccd0738def1bac4482aa220d63913b3de4a549b4660196f68c3e726f7fbe06431234d5f376ae65fbbbaca45b79f3a44ee863a

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\Pictures\HAxnl42jKWN9YwHZHa2OAHww.exe
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            2.1MB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            c661e04e71799d046c947cb908df3118

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            8847c64c60414e0b7cb09be7b9a6c3a2eeb89d0c

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            9edbfc9575f627faaec578b2aa06f1892c153d8e20fdd11f329003adf2ca63d4

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            387e4e248050c0c94d42e6759c1bf16ce926f0e31a041b3fb47079d789089c1c6a16a356b01a8f7ae41063e31fd4262944a2cdd679816e1319e9327e15773fc7

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\Pictures\HAxnl42jKWN9YwHZHa2OAHww.exe
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            896KB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            262792451ec01831e093569caefe4adf

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            b5c37734baeb3f23e05c17d871bbb6fbf48217f4

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            98de40c485a627ea7a89314d980303a6bc51958f9111ae120621fd14735a7dc5

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            08392fd14ad3fadb50985455fc6e7be40f324e39d0db8d4508917d886e1ee03682d1b7b8114b341cb2a3b822ac4ab665d521e7265eb7940bcf607499c52740a1

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\Pictures\NDETJa6sPxmbP4JlULJ9hFAT.exe
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            443KB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            f7d141d114e42057de20132a6dac549f

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            13463586e0562cdc35d6434c558834a7c7a9d58f

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            b986346e08bce80e2199a271ccb3ea3602049130768b8a29d40b4a42ae22bfcb

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            0e65714eb3c03be51ff3b37c1aec7a8ad9b5a98aadad47da26661ab5389ef3c03d4ced299959092e48ed5f586762afe1aef7ed4971ed13a9ebe47c0ea8101470

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\Pictures\NDETJa6sPxmbP4JlULJ9hFAT.exe
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            128KB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            2e58708eeceac4d9918bfc209892bba7

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            c95b12e3e3787470d6efee8abff5f7efe4e2d54c

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            2b43195e8bff242ccee01ddda6774dc8ca85f79456dd4098fcd968b80aad8b00

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            1a0ae2cf15e2071d38ace46679299767453cae1e310eb27e7c4bd953fa16a9ae21f3cbad71b625226d2902ff63d5b226108cbdc999844d2c165737dbd2a38a5e

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\Pictures\PjnBLsCrGzwfVavcntySi6CQ.exe
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            704KB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            a437f7e204ab1af3047e4b62cfc62d0d

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            d9dbc0409ad696e082b177013ee2809d2e110b45

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            d699e7b37047e4ab40e779800b2f9cef3f8ff0edbcff7a4018db4cdffd954ee0

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            f0a4031e18a51220c2367516c3c396bda2aef885b30160c27af32cfb1e51bebdfe6d2ab30f0b9d31290bfc1821d5e5fa6e3a12479e1ee78c605205293828e8f6

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\Pictures\VlyHhnNT1HJyLULhWaATUtUi.exe
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            7KB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            5b423612b36cde7f2745455c5dd82577

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            0187c7c80743b44e9e0c193e993294e3b969cc3d

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\Pictures\WgtdfAK8BX6kdw8MwWOFnUAu.exe
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            2.0MB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            c573c73cf9374f88b5e726a576fd7218

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            aabe2adf03775822e7cc16caa1557ac4717d1f39

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            d4173bda4ae4693db91a6c9d635d937e78990717348b44cc8ae7eb8d5962c291

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            7a7a5d21560ab095be8d811e58441c9f278d03def9e0812d03a00c519613108a3b860d8f7860b56846e229f9c418853d793c5a3d99ef76917dd7075010b9403a

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\Pictures\WgtdfAK8BX6kdw8MwWOFnUAu.exe
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            1.5MB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            a3cb1d880a3aabcb570bb2daf03c78fc

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            91b7cbeef21ccad175e961a78eeacece805c27a2

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            55f58dbd556d6be86d74d5f2182fc8caca9cf38c40ebf2dc9cb30a88e00d26e7

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            c7c54eb4fae7da6f6ae90f8a9e494a06367882261a81a78935a8c9ba847dfe13c1d502056c1b8bd07e5c9ee5e4bb78eee854d3ebc4efbaec00ad8c8a3dfd3e3c

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\Pictures\WgtdfAK8BX6kdw8MwWOFnUAu.exe
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            1.4MB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            4a38a5dd733bec0739d6e7df9a4e42e3

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            923e3f0f6529d7cc35c3c7b229ae59fa0c27c22e

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            f4740a56a3153701299333fd2efc7ce40a904d3039fd26084799d755ab424816

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            fe95dbe7088273152d2418322f2fbb86427fdb7471d327692248e17676e80ed1ca161ff9aac4637f1365b2015fd8e18106866f8061cca3066e05b495e77bd8c9

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\Pictures\XTiiAa1fPkJ3xiLY8hB760oY.exe
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            1.3MB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            68affa5204b29a1e9126544a6aa28d9c

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            51a702a6190e6e80732884637398f27cf6c4c7c0

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            8904ea7d3ed114db5af32bc0d71d47c6310a3a3d73a573b146f6ccb48ec16d3e

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            ff92cccb336b8cb0f0d4435985cc3581aac356289dc7c0a2a9ee29c3747f287952b811b6be7b10f1d67260b2c3d92eac5f940d6eb9d7261de0a374b1045259b7

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\Pictures\XTiiAa1fPkJ3xiLY8hB760oY.exe
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            1.1MB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            36728fe5fe22828863a07a4090be44c2

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            1546746a980badc44b9a5f9280517a0c337d6cce

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            fa0597eb4e57b322ec4ba3ba704ffabac8e97f55ec2e5923523705c9755ebe55

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            ffa17df5a4d03d8cb0b6870860679a82f9aa4925e905fa6e16b51de4e031652b5e22dba679489c5359790440e6da8ad2beb68db50cc7e481e02aea344b09e54b

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\Pictures\daGCTnNcyzzabb5aVgrGtIkp.exe
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            3KB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            9b45aacdc1b41ba5177b93df8eafffbf

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            ebbf0ec7382c9a6799c22194732a8e4bc5acd276

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            d58def030a89c344c6aebd0aa9370b8db5c117d388410f57b1108bb0847d8543

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            f7d7d53c4f987eba2e90a29b44c3e6b9f5dd2def65d734732fed10447bab1ccfdba579214b4e59ec9bd3df1286042c96994b3f69ab36168b22d642f84a1acacf

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\Pictures\eazOqh4NuQfCeody6sSmmD8y.exe
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            522KB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            b8616322186dcdf78032a74cf3497153

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            bf1c1568d65422757cc88300df76a6740db6eab5

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            43dda2be3813b81729b3d388f546838a36ee3471da5ed266fe958e2316f1f6ea

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            7b1e4ad944960fc2aa661426f77e64ff151cd8d5860e584874da1c4f03c6d195d4ee9031c36c24a234a851176b003254d14f9334712e07babc6934cf19a7b2fb

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\Pictures\fH6393mwgNgh1D0guCtDCA52.exe
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            1.4MB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            b1c6259153b4e7443dd50bb948258f87

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            36ffb522a913422fe4c0f7031309df6377a96e50

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            067dc9fe7d4be3ca5224ea23f283e7439dfcc79db2c94c28032683063eaccddd

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            01bf64b06b0730a1a8619deaed89e523d00cfaddfdb99f1e4d2c789f511016a0ee57df4268cde0c13f37f133e3337128f44be557206451635008ba768491ce2c

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\Pictures\fH6393mwgNgh1D0guCtDCA52.exe
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            1.3MB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            5ddcb5e277c385e387ec6769429e623e

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            5508270799874a688eba46f4fd07680770fc4cb3

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            86383382c108e133d5e7e14bc2c176bde2634f7cdfbbbd98459e0f96d80b143b

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            80402958d4f54cc78534e145515fca73a1267c118aeb7b6f2b38f0af9a5d0f20e9636d3182496436d4b3003dee593ff3e48e17a74290c4c3c1fd1bc18b856b3f

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Users\Admin\Pictures\fH6393mwgNgh1D0guCtDCA52.exe
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            1.1MB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            a702b57fd4e6ee1de55e96ac3cf1ad91

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            2a57c13434dadc0e99bf41dd9de096e5c31d70e4

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            d568bed9408a776a36b3851559df3933e06a3cf5919008d337b13f4d891e5b5c

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            461b0af132f1e74a4222659523cfb7c0a60ff63baf0b20105bf1ed145d4872c0189e5ee89f4eb59616ad5da2bbc23c77d777c08c973e87ed0a06e669d0f1e70c

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Windows\System32\GroupPolicy\gpt.ini
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            127B

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            8ef9853d1881c5fe4d681bfb31282a01

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            a05609065520e4b4e553784c566430ad9736f19f

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\ZQqYSYc.exe
                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            3.7MB

                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                            54ff77343c0523f76047d103f55cafea

                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                            95b2522116a27121cb12f6186e0d2a62ec04ec82

                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                            f6b345e0bcb0c4cb9545a36ba8086f8a63263e6a25049bba0a64b1046172c16c

                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                            444453d418a69838397f5775554f92dfecf7b7ec70b026b4f5126ee99867bc540ee4ea16649e18a39aea431d65b5ed5224ce9305dfb38ceaf7cf8468d571dc8e

                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                          • memory/568-651-0x0000000000400000-0x0000000000573000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            1.4MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/1020-240-0x0000000000400000-0x0000000000408000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            32KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/1020-254-0x0000000005460000-0x0000000005470000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/1020-242-0x0000000072F20000-0x00000000736D0000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            7.7MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/1492-62-0x0000000000020000-0x00000000004D5000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4.7MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/1492-27-0x0000000005260000-0x0000000005261000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/1492-29-0x0000000005240000-0x0000000005241000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/1492-536-0x0000000000020000-0x00000000004D5000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4.7MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/1492-31-0x0000000005280000-0x0000000005281000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/1492-92-0x0000000000020000-0x00000000004D5000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4.7MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/1492-32-0x00000000052C0000-0x00000000052C1000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/1492-28-0x00000000052A0000-0x00000000052A1000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/1492-30-0x0000000005250000-0x0000000005251000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/1492-199-0x0000000000020000-0x00000000004D5000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4.7MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/1492-34-0x0000000000020000-0x00000000004D5000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4.7MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/1492-24-0x0000000000020000-0x00000000004D5000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4.7MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/1492-26-0x0000000005270000-0x0000000005271000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/1492-33-0x00000000052B0000-0x00000000052B1000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/1492-80-0x0000000000020000-0x00000000004D5000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4.7MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/1492-25-0x0000000000020000-0x00000000004D5000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4.7MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/2280-326-0x0000000000750000-0x0000000000850000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            1024KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/2280-328-0x0000000000400000-0x0000000000573000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            1.4MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/2604-224-0x0000026B719B0000-0x0000026B719C0000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/2604-222-0x0000026B719B0000-0x0000026B719C0000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/2604-267-0x00007FFE77500000-0x00007FFE77FC1000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            10.8MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/2604-221-0x00007FFE77500000-0x00007FFE77FC1000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            10.8MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/2604-258-0x0000026B719B0000-0x0000026B719C0000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3484-412-0x0000000002A70000-0x0000000002A86000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            88KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3640-266-0x00000000027E0000-0x00000000027E1000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3640-253-0x0000000000400000-0x0000000000930000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            5.2MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3744-128-0x00000000049A0000-0x00000000049A1000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3744-130-0x0000000004990000-0x0000000004991000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3744-131-0x00000000049E0000-0x00000000049E1000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3744-132-0x0000000004970000-0x0000000004971000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3744-129-0x00000000049B0000-0x00000000049B1000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3744-127-0x0000000000020000-0x00000000004D5000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4.7MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3744-133-0x0000000004980000-0x0000000004981000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3744-124-0x0000000000020000-0x00000000004D5000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4.7MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3744-674-0x0000000000400000-0x0000000000D1C000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            9.1MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3744-134-0x00000000049D0000-0x00000000049D1000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3744-135-0x0000000000020000-0x00000000004D5000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4.7MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3948-8-0x0000000004B50000-0x0000000004B51000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3948-11-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3948-5-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3948-4-0x0000000004B70000-0x0000000004B71000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3948-6-0x0000000004B40000-0x0000000004B41000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3948-1-0x0000000077C04000-0x0000000077C06000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            8KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3948-7-0x0000000004B60000-0x0000000004B61000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3948-3-0x0000000004B80000-0x0000000004B81000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3948-9-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3948-2-0x00000000008F0000-0x0000000000DA5000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4.7MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3948-22-0x00000000008F0000-0x0000000000DA5000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4.7MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3948-10-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/3948-0-0x00000000008F0000-0x0000000000DA5000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4.7MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/4200-122-0x0000000000730000-0x0000000000AD2000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            3.6MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/4200-322-0x0000000000730000-0x0000000000AD2000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            3.6MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/4200-53-0x0000000000730000-0x0000000000AD2000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            3.6MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/4200-65-0x0000000000730000-0x0000000000AD2000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            3.6MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/4200-668-0x0000000000730000-0x0000000000AD2000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            3.6MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/4668-225-0x0000000002230000-0x0000000002257000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            156KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/4668-227-0x0000000000740000-0x0000000000840000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            1024KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/4668-445-0x0000000061E00000-0x0000000061EF3000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            972KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/4668-226-0x0000000000400000-0x000000000063B000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            2.2MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/4668-587-0x0000000000400000-0x000000000063B000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            2.2MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/4732-671-0x0000000000400000-0x0000000000D1C000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            9.1MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/4756-82-0x0000020CF57E0000-0x0000020CF57F2000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            72KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/4756-72-0x0000020CF5430000-0x0000020CF5452000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            136KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/4756-81-0x0000020CF33B0000-0x0000020CF33C0000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/4756-79-0x0000020CF33B0000-0x0000020CF33C0000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/4756-83-0x0000020CF57C0000-0x0000020CF57CA000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            40KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/4756-89-0x00007FFE77110000-0x00007FFE77BD1000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            10.8MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/4756-77-0x00007FFE77110000-0x00007FFE77BD1000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            10.8MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/4756-78-0x0000020CF33B0000-0x0000020CF33C0000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/4900-417-0x0000000000400000-0x0000000000AF2000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            6.9MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/4900-217-0x0000000000400000-0x0000000000AF2000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            6.9MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/4900-214-0x0000000000C00000-0x0000000000C0B000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            44KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/4900-207-0x0000000000D30000-0x0000000000E30000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            1024KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/4964-170-0x00000000020F0000-0x000000000215E000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            440KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/4964-327-0x0000000000400000-0x0000000000573000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            1.4MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/4964-171-0x0000000000400000-0x0000000000573000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            1.4MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/4964-169-0x00000000005A0000-0x00000000006A0000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            1024KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/5788-450-0x00007FF6BA1A0000-0x00007FF6BAB80000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            9.9MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/5788-479-0x00007FF6BA1A0000-0x00007FF6BAB80000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            9.9MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/5788-463-0x00007FF6BA1A0000-0x00007FF6BAB80000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            9.9MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/5788-457-0x00007FF6BA1A0000-0x00007FF6BAB80000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            9.9MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/5788-483-0x00007FF6BA1A0000-0x00007FF6BAB80000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            9.9MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/5788-446-0x00007FF6BA1A0000-0x00007FF6BAB80000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            9.9MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/5836-588-0x00007FFE96390000-0x00007FFE96585000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            2.0MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/5836-575-0x00000000039B0000-0x0000000003DB0000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4.0MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/5836-590-0x0000000075B00000-0x0000000075D15000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            2.1MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/5836-443-0x0000000000400000-0x000000000046D000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            436KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/5836-571-0x00000000039B0000-0x0000000003DB0000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4.0MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/5836-437-0x0000000000400000-0x000000000046D000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            436KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/6084-606-0x00007FFE96390000-0x00007FFE96585000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            2.0MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/6084-615-0x0000000075B00000-0x0000000075D15000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            2.1MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/6084-598-0x0000000000D70000-0x0000000000D79000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            36KB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/6084-603-0x0000000002AB0000-0x0000000002EB0000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            4.0MB

                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                          • memory/6120-698-0x0000000010000000-0x00000000105E5000-memory.dmp

                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                            5.9MB

                                                                                                                                                                                                                                                            Download