Analysis

  • max time kernel
    22s
  • max time network
    127s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64 arch:x86 image:win11-20240221-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    28-03-2024 12:58

General

  • Target

    ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe

  • Size

    395KB

  • MD5

    47ca0c7940583630b294c30a8e1960b2

  • SHA1

    50978f49401da7fbbc8b9b4706262e5bcb6afd51

  • SHA256

    ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae

  • SHA512

    dcade30e9f8564a6291a68669b683d3be6bc71a62389004efb7424ab2231c9b92f17d2939c7e56eb6634b76305ed5e7b10f2f6de9341953c47adbd6bccfea8e9

  • SSDEEP

    12288:Vmz6kx6tp09A/b07Un67M8RW9FjSUzkvO9Vj:VG6kxy6S/b0Ingg9954G9V

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.209

Attributes
  • url_path

    /3cd2b41cbde8fc9c.php

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba payload 14 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

  • UAC bypass 3 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 2 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Modifies Windows Firewall 2 TTPs 3 IoCs
  • Drops startup file 8 IoCs
  • Executes dropped EXE 7 IoCs
  • Themida packer 11 IoCs

    Detects Themida, an advanced Windows software protection system.

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Windows security modification 2 TTPs 3 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 4 IoCs
  • Creates scheduled task(s) 1 TTPs 5 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe
    "C:\Users\Admin\AppData\Local\Temp\ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe"
    1⤵
    • UAC bypass
    • Windows security bypass
    • Windows security modification
    • Checks whether UAC is enabled
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1792
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:348
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
      2⤵
      • Drops startup file
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2016
      • C:\Users\Admin\Pictures\JKmxMN5yf0G2zr5mnTHQQ9Fl.exe
        "C:\Users\Admin\Pictures\JKmxMN5yf0G2zr5mnTHQQ9Fl.exe"
        3⤵
        • Blocklisted process makes network request
        • Executes dropped EXE
        PID:2812
        • C:\Users\Admin\AppData\Local\Temp\u264.0.exe
          "C:\Users\Admin\AppData\Local\Temp\u264.0.exe"
          4⤵
            PID:4640
          • C:\Users\Admin\AppData\Local\Temp\u264.1.exe
            "C:\Users\Admin\AppData\Local\Temp\u264.1.exe"
            4⤵
              PID:2808
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
                5⤵
                  PID:4140
                  • C:\Windows\SysWOW64\chcp.com
                    chcp 1251
                    6⤵
                      PID:4704
                    • C:\Windows\SysWOW64\schtasks.exe
                      schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
                      6⤵
                      • Creates scheduled task(s)
                      PID:1176
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 1164
                  4⤵
                  • Program crash
                  PID:2356
              • C:\Users\Admin\Pictures\o0fUweQaCmP5EETHVw9DPj7B.exe
                "C:\Users\Admin\Pictures\o0fUweQaCmP5EETHVw9DPj7B.exe"
                3⤵
                • Executes dropped EXE
                PID:4060
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -nologo -noprofile
                  4⤵
                    PID:4984
                  • C:\Users\Admin\Pictures\o0fUweQaCmP5EETHVw9DPj7B.exe
                    "C:\Users\Admin\Pictures\o0fUweQaCmP5EETHVw9DPj7B.exe"
                    4⤵
                      PID:3668
                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        powershell -nologo -noprofile
                        5⤵
                          PID:3456
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
                          5⤵
                            PID:5196
                            • C:\Windows\system32\netsh.exe
                              netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                              6⤵
                              • Modifies Windows Firewall
                              PID:5248
                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            powershell -nologo -noprofile
                            5⤵
                              PID:5508
                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              powershell -nologo -noprofile
                              5⤵
                                PID:5188
                          • C:\Users\Admin\Pictures\4bUKiDXk0lDQoPl3ZL2UDwUm.exe
                            "C:\Users\Admin\Pictures\4bUKiDXk0lDQoPl3ZL2UDwUm.exe"
                            3⤵
                            • Executes dropped EXE
                            PID:1860
                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              powershell -nologo -noprofile
                              4⤵
                                PID:4444
                              • C:\Users\Admin\Pictures\4bUKiDXk0lDQoPl3ZL2UDwUm.exe
                                "C:\Users\Admin\Pictures\4bUKiDXk0lDQoPl3ZL2UDwUm.exe"
                                4⤵
                                  PID:3516
                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    powershell -nologo -noprofile
                                    5⤵
                                      PID:2708
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
                                      5⤵
                                        PID:5376
                                        • C:\Windows\system32\netsh.exe
                                          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                                          6⤵
                                          • Modifies Windows Firewall
                                          PID:5428
                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        powershell -nologo -noprofile
                                        5⤵
                                          PID:5776
                                    • C:\Users\Admin\Pictures\XSX7m3JwRIZEHyt8F6miZR9p.exe
                                      "C:\Users\Admin\Pictures\XSX7m3JwRIZEHyt8F6miZR9p.exe"
                                      3⤵
                                      • Executes dropped EXE
                                      PID:872
                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        powershell -nologo -noprofile
                                        4⤵
                                          PID:2208
                                        • C:\Users\Admin\Pictures\XSX7m3JwRIZEHyt8F6miZR9p.exe
                                          "C:\Users\Admin\Pictures\XSX7m3JwRIZEHyt8F6miZR9p.exe"
                                          4⤵
                                            PID:3340
                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              powershell -nologo -noprofile
                                              5⤵
                                                PID:4848
                                              • C:\Windows\system32\cmd.exe
                                                C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
                                                5⤵
                                                  PID:5284
                                                  • C:\Windows\system32\netsh.exe
                                                    netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                                                    6⤵
                                                    • Modifies Windows Firewall
                                                    PID:5352
                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  powershell -nologo -noprofile
                                                  5⤵
                                                    PID:5452
                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    powershell -nologo -noprofile
                                                    5⤵
                                                      PID:1792
                                                • C:\Users\Admin\Pictures\7pGISczfho5bZU7Ugq67fpTp.exe
                                                  "C:\Users\Admin\Pictures\7pGISczfho5bZU7Ugq67fpTp.exe"
                                                  3⤵
                                                  • Executes dropped EXE
                                                  • Suspicious use of SetThreadContext
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:2028
                                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                    4⤵
                                                      PID:3308
                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 532
                                                        5⤵
                                                        • Program crash
                                                        PID:2100
                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 528
                                                        5⤵
                                                        • Program crash
                                                        PID:2824
                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 880
                                                      4⤵
                                                      • Program crash
                                                      PID:1176
                                                  • C:\Users\Admin\Pictures\2FDG3Uz2HcN4eMaRazINv0Mm.exe
                                                    "C:\Users\Admin\Pictures\2FDG3Uz2HcN4eMaRazINv0Mm.exe" --silent --allusers=0
                                                    3⤵
                                                    • Executes dropped EXE
                                                    PID:3100
                                                    • C:\Users\Admin\Pictures\2FDG3Uz2HcN4eMaRazINv0Mm.exe
                                                      C:\Users\Admin\Pictures\2FDG3Uz2HcN4eMaRazINv0Mm.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.33 --initial-client-data=0x2b0,0x2b4,0x2b8,0x28c,0x2bc,0x6f06e1a8,0x6f06e1b4,0x6f06e1c0
                                                      4⤵
                                                        PID:1996
                                                      • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\2FDG3Uz2HcN4eMaRazINv0Mm.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\2FDG3Uz2HcN4eMaRazINv0Mm.exe" --version
                                                        4⤵
                                                          PID:4752
                                                        • C:\Users\Admin\Pictures\2FDG3Uz2HcN4eMaRazINv0Mm.exe
                                                          "C:\Users\Admin\Pictures\2FDG3Uz2HcN4eMaRazINv0Mm.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=3100 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240328125913" --session-guid=aa38fcb3-440d-493d-9258-305a99486b8a --server-tracking-blob=MjBjYzA0NGVlNTM4MmU4YzkwNzY0NjZhYjU4MmU5NWRlYjNiYjFlNmQyNDhkYTlhNjkyZjI2NTg5ZmU4ZGEwYTp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N180NTYiLCJzeXN0ZW0iOnsicGxhdGZvcm0iOnsiYXJjaCI6Ing4Nl82NCIsIm9wc3lzIjoiV2luZG93cyIsIm9wc3lzLXZlcnNpb24iOiIxMSIsInBhY2thZ2UiOiJFWEUifX0sInRpbWVzdGFtcCI6IjE3MTE2MzA3NDEuNzYyNiIsInV0bSI6eyJjYW1wYWlnbiI6Ijc2N180NTYiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJta3QifSwidXVpZCI6ImVmMGJhZDJlLWU3YjMtNDVjMC1hMzA2LTlmNWQ4YWQ0NWZiZCJ9 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=2804000000000000
                                                          4⤵
                                                            PID:760
                                                            • C:\Users\Admin\Pictures\2FDG3Uz2HcN4eMaRazINv0Mm.exe
                                                              C:\Users\Admin\Pictures\2FDG3Uz2HcN4eMaRazINv0Mm.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.33 --initial-client-data=0x2bc,0x2c0,0x2c4,0x28c,0x2c8,0x6de7e1a8,0x6de7e1b4,0x6de7e1c0
                                                              5⤵
                                                                PID:4516
                                                            • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281259131\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281259131\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
                                                              4⤵
                                                                PID:668
                                                              • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281259131\assistant\assistant_installer.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281259131\assistant\assistant_installer.exe" --version
                                                                4⤵
                                                                  PID:2356
                                                                  • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281259131\assistant\assistant_installer.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281259131\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0xd20040,0xd2004c,0xd20058
                                                                    5⤵
                                                                      PID:2340
                                                                • C:\Users\Admin\Pictures\aGmWABia79Ul6yjhtbj0YJko.exe
                                                                  "C:\Users\Admin\Pictures\aGmWABia79Ul6yjhtbj0YJko.exe"
                                                                  3⤵
                                                                  • Executes dropped EXE
                                                                  PID:2780
                                                                • C:\Users\Admin\Pictures\Zs7JzICiQb8rN1LWDoq1oFuC.exe
                                                                  "C:\Users\Admin\Pictures\Zs7JzICiQb8rN1LWDoq1oFuC.exe"
                                                                  3⤵
                                                                    PID:4228
                                                                    • C:\Users\Admin\AppData\Local\Temp\7zSD590.tmp\Install.exe
                                                                      .\Install.exe
                                                                      4⤵
                                                                        PID:2080
                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSEF80.tmp\Install.exe
                                                                          .\Install.exe /WZFcdidyRl "385118" /S
                                                                          5⤵
                                                                            PID:596
                                                                            • C:\Windows\SysWOW64\forfiles.exe
                                                                              "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
                                                                              6⤵
                                                                                PID:4856
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
                                                                                  7⤵
                                                                                    PID:3740
                                                                                    • \??\c:\windows\SysWOW64\reg.exe
                                                                                      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
                                                                                      8⤵
                                                                                        PID:4636
                                                                                      • \??\c:\windows\SysWOW64\reg.exe
                                                                                        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
                                                                                        8⤵
                                                                                          PID:4628
                                                                                    • C:\Windows\SysWOW64\forfiles.exe
                                                                                      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
                                                                                      6⤵
                                                                                        PID:2108
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
                                                                                          7⤵
                                                                                            PID:420
                                                                                            • \??\c:\windows\SysWOW64\reg.exe
                                                                                              REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
                                                                                              8⤵
                                                                                                PID:1940
                                                                                              • \??\c:\windows\SysWOW64\reg.exe
                                                                                                REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
                                                                                                8⤵
                                                                                                  PID:3280
                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                              schtasks /CREATE /TN "gVRejLxWp" /SC once /ST 10:32:37 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                                              6⤵
                                                                                              • Creates scheduled task(s)
                                                                                              PID:3340
                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                              schtasks /run /I /tn "gVRejLxWp"
                                                                                              6⤵
                                                                                                PID:2812
                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                schtasks /DELETE /F /TN "gVRejLxWp"
                                                                                                6⤵
                                                                                                  PID:1964
                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                  schtasks /CREATE /TN "bdnnguwcOLBYKAjbbA" /SC once /ST 13:01:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\VeJLpCR.exe\" id /OOsite_idEEn 385118 /S" /V1 /F
                                                                                                  6⤵
                                                                                                  • Creates scheduled task(s)
                                                                                                  PID:4560
                                                                                          • C:\Users\Admin\Pictures\NR6gaELRwoSWDVryNisRji2u.exe
                                                                                            "C:\Users\Admin\Pictures\NR6gaELRwoSWDVryNisRji2u.exe"
                                                                                            3⤵
                                                                                              PID:4692
                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zSF1B3.tmp\Install.exe
                                                                                                .\Install.exe
                                                                                                4⤵
                                                                                                  PID:1992
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zSFA3E.tmp\Install.exe
                                                                                                    .\Install.exe /WZFcdidyRl "385118" /S
                                                                                                    5⤵
                                                                                                      PID:4264
                                                                                                      • C:\Windows\SysWOW64\forfiles.exe
                                                                                                        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
                                                                                                        6⤵
                                                                                                          PID:4764
                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                            /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
                                                                                                            7⤵
                                                                                                              PID:2208
                                                                                                              • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
                                                                                                                8⤵
                                                                                                                  PID:3916
                                                                                                                • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
                                                                                                                  8⤵
                                                                                                                    PID:2736
                                                                                                              • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
                                                                                                                6⤵
                                                                                                                  PID:4080
                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                    /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
                                                                                                                    7⤵
                                                                                                                      PID:3576
                                                                                                                      • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
                                                                                                                        8⤵
                                                                                                                          PID:4512
                                                                                                                        • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                          REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
                                                                                                                          8⤵
                                                                                                                            PID:1208
                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                        schtasks /CREATE /TN "gVRejLxWp" /SC once /ST 10:32:37 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                                                                        6⤵
                                                                                                                        • Creates scheduled task(s)
                                                                                                                        PID:3028
                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                        schtasks /run /I /tn "gVRejLxWp"
                                                                                                                        6⤵
                                                                                                                          PID:2164
                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                          schtasks /DELETE /F /TN "gVRejLxWp"
                                                                                                                          6⤵
                                                                                                                            PID:3788
                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                            schtasks /CREATE /TN "bdnnguwcOLBYKAjbbA" /SC once /ST 13:01:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\VeJLpCR.exe\" id /OOsite_idEEn 385118 /S" /V1 /F
                                                                                                                            6⤵
                                                                                                                            • Creates scheduled task(s)
                                                                                                                            PID:2468
                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
                                                                                                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                                                                                                                    2⤵
                                                                                                                      PID:2972
                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2028 -ip 2028
                                                                                                                    1⤵
                                                                                                                      PID:1928
                                                                                                                    • C:\Windows\SysWOW64\dialer.exe
                                                                                                                      "C:\Windows\system32\dialer.exe"
                                                                                                                      1⤵
                                                                                                                        PID:908
                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3308 -ip 3308
                                                                                                                        1⤵
                                                                                                                          PID:2868
                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3308 -ip 3308
                                                                                                                          1⤵
                                                                                                                            PID:5040
                                                                                                                          • C:\Windows\system32\svchost.exe
                                                                                                                            C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
                                                                                                                            1⤵
                                                                                                                              PID:4576
                                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                                              C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
                                                                                                                              1⤵
                                                                                                                                PID:1596
                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2812 -ip 2812
                                                                                                                                1⤵
                                                                                                                                  PID:2468
                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                                  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                                  1⤵
                                                                                                                                    PID:32
                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                                    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                                    1⤵
                                                                                                                                      PID:4776

                                                                                                                                    Network

                                                                                                                                    MITRE ATT&CK Enterprise v15

                                                                                                                                    Downloads

                                                                                                                                    • C:\ProgramData\mozglue.dll

                                                                                                                                      Filesize

                                                                                                                                      593KB

                                                                                                                                    • C:\ProgramData\nss3.dll

                                                                                                                                      Filesize

                                                                                                                                      2.0MB

                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log

                                                                                                                                      Filesize

                                                                                                                                      2KB

                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

                                                                                                                                      Filesize

                                                                                                                                      2KB

                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                                                                                                                                      Filesize

                                                                                                                                      20KB

                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281259131\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe

                                                                                                                                      Filesize

                                                                                                                                      2.5MB

                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281259131\assistant\assistant_installer.exe

                                                                                                                                      Filesize

                                                                                                                                      1.9MB

                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281259131\assistant\dbgcore.dll

                                                                                                                                      Filesize

                                                                                                                                      166KB

                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281259131\assistant\dbghelp.dll

                                                                                                                                      Filesize

                                                                                                                                      1.7MB

                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281259131\opera_package

                                                                                                                                      Filesize

                                                                                                                                      99.0MB

                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zSD590.tmp\Install.exe

                                                                                                                                      Filesize

                                                                                                                                      6.4MB

                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zSEF80.tmp\Install.exe

                                                                                                                                      Filesize

                                                                                                                                      6.7MB

                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403281259100213100.dll

                                                                                                                                      Filesize

                                                                                                                                      4.6MB

                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nc3inxor.vz2.ps1

                                                                                                                                      Filesize

                                                                                                                                      60B

                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\u264.0.exe

                                                                                                                                      Filesize

                                                                                                                                      259KB

                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\u264.1.exe

                                                                                                                                      Filesize

                                                                                                                                      1.7MB

                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

                                                                                                                                      Filesize

                                                                                                                                      40B

                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Temp\Task.bat

                                                                                                                                      Filesize

                                                                                                                                      128B

                                                                                                                                    • C:\Users\Admin\Pictures\2FDG3Uz2HcN4eMaRazINv0Mm.exe

                                                                                                                                      Filesize

                                                                                                                                      5.1MB

                                                                                                                                    • C:\Users\Admin\Pictures\7pGISczfho5bZU7Ugq67fpTp.exe

                                                                                                                                      Filesize

                                                                                                                                      437KB

                                                                                                                                    • C:\Users\Admin\Pictures\FkpJz6UarxCcXJYc80rpoMH9.exe

                                                                                                                                      Filesize

                                                                                                                                      7KB

                                                                                                                                    • C:\Users\Admin\Pictures\JKmxMN5yf0G2zr5mnTHQQ9Fl.exe

                                                                                                                                      Filesize

                                                                                                                                      404KB

                                                                                                                                    • C:\Users\Admin\Pictures\XSX7m3JwRIZEHyt8F6miZR9p.exe

                                                                                                                                      Filesize

                                                                                                                                      4.2MB

                                                                                                                                    • C:\Users\Admin\Pictures\Zs7JzICiQb8rN1LWDoq1oFuC.exe

                                                                                                                                      Filesize

                                                                                                                                      7.5MB

                                                                                                                                    • C:\Users\Admin\Pictures\aGmWABia79Ul6yjhtbj0YJko.exe

                                                                                                                                      Filesize

                                                                                                                                      3.2MB

                                                                                                                                    • C:\Users\Admin\Pictures\o0fUweQaCmP5EETHVw9DPj7B.exe

                                                                                                                                      Filesize

                                                                                                                                      4.2MB

                                                                                                                                    • C:\Windows\System32\GroupPolicy\gpt.ini

                                                                                                                                      Filesize

                                                                                                                                      127B

                                                                                                                                    • C:\Windows\Tasks\bdnnguwcOLBYKAjbbA.job

                                                                                                                                      Filesize

                                                                                                                                      522B

                                                                                                                                    • C:\Windows\system32\GroupPolicy\gpt.ini

                                                                                                                                      Filesize

                                                                                                                                      268B

                                                                                                                                    • memory/2808-318-0x00000000028F0000-0x00000000028F1000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      4KB

                                                                                                                                    • memory/2812-63-0x0000000000C30000-0x0000000000D30000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      1024KB

                                                                                                                                    • memory/2812-260-0x0000000000400000-0x0000000000B0E000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      7.1MB

                                                                                                                                    • memory/2812-343-0x0000000000400000-0x0000000000B0E000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      7.1MB

                                                                                                                                    • memory/2812-65-0x0000000002820000-0x000000000288E000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      440KB

                                                                                                                                    • memory/2812-165-0x0000000000C30000-0x0000000000D30000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      1024KB

                                                                                                                                    • memory/2812-161-0x0000000000400000-0x0000000000B0E000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      7.1MB

                                                                                                                                    • memory/2812-71-0x0000000000400000-0x0000000000B0E000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      7.1MB

                                                                                                                                    • memory/3308-126-0x0000000000400000-0x000000000046D000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      436KB

                                                                                                                                    • memory/3308-170-0x0000000004190000-0x0000000004590000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      4.0MB

                                                                                                                                    • memory/3308-169-0x0000000076290000-0x00000000764E2000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      2.3MB

                                                                                                                                    • memory/3308-162-0x0000000004190000-0x0000000004590000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      4.0MB

                                                                                                                                    • memory/3308-166-0x00007FFECD4A0000-0x00007FFECD6A9000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      2.0MB

                                                                                                                                    • memory/3308-119-0x0000000000400000-0x000000000046D000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      436KB

                                                                                                                                    • memory/3308-159-0x0000000004190000-0x0000000004590000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      4.0MB

                                                                                                                                    • memory/3308-123-0x0000000000400000-0x000000000046D000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      436KB

                                                                                                                                    • memory/3308-227-0x0000000004190000-0x0000000004590000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      4.0MB

                                                                                                                                    • memory/4060-181-0x0000000000400000-0x0000000000ED4000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      10.8MB

                                                                                                                                    • memory/4060-409-0x0000000000400000-0x0000000000ED4000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      10.8MB

                                                                                                                                    • memory/4060-444-0x0000000000400000-0x0000000000ED4000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      10.8MB

                                                                                                                                    • memory/4060-271-0x0000000000400000-0x0000000000ED4000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      10.8MB

                                                                                                                                    • memory/4060-94-0x0000000002CD0000-0x00000000030CC000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      4.0MB

                                                                                                                                    • memory/4060-95-0x0000000000400000-0x0000000000ED4000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      10.8MB

                                                                                                                                    • memory/4060-461-0x0000000002CD0000-0x00000000030CC000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      4.0MB

                                                                                                                                    • memory/4060-97-0x00000000030D0000-0x00000000039BB000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      8.9MB

                                                                                                                                    • memory/4264-316-0x0000000010000000-0x00000000105E5000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      5.9MB

                                                                                                                                    • memory/4444-468-0x0000000074410000-0x0000000074BC1000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      7.7MB

                                                                                                                                    • memory/4444-406-0x0000000004EE0000-0x0000000004F02000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      136KB

                                                                                                                                    • memory/4444-408-0x0000000005970000-0x00000000059D6000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      408KB

                                                                                                                                    • memory/4444-469-0x0000000002A00000-0x0000000002A10000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      64KB

                                                                                                                                    • memory/4444-454-0x0000000005E00000-0x0000000005E1E000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      120KB

                                                                                                                                    • memory/4640-313-0x0000000061E00000-0x0000000061EF3000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      972KB

                                                                                                                                    • memory/4640-242-0x0000000000BB0000-0x0000000000CB0000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      1024KB

                                                                                                                                    • memory/4640-440-0x0000000000400000-0x0000000000AEA000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      6.9MB

                                                                                                                                    • memory/4640-270-0x00000000026F0000-0x0000000002717000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      156KB

                                                                                                                                    • memory/4640-267-0x0000000000400000-0x0000000000AEA000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      6.9MB

                                                                                                                                    • memory/4984-463-0x0000000005080000-0x0000000005090000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      64KB

                                                                                                                                    • memory/4984-464-0x0000000005080000-0x0000000005090000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      64KB

                                                                                                                                    • memory/4984-462-0x0000000074410000-0x0000000074BC1000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      7.7MB

                                                                                                                                    • memory/4984-405-0x00000000056C0000-0x0000000005CEA000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      6.2MB