Overview

overview

10

Static

static

3

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    106s
  • max time network
    148s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240214-en
  • resource tags

    arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    29-03-2024 12:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5c02baf7cc1a89b9248b0e80103e1ceafa4f2307adcb233e8b18151c6804ca71.exe

  • Size

    1.8MB

  • MD5

    8cef71906c123049c0e3a0ebd9f420e3

  • SHA1

    60f4c13bc04c536f56b6fcb82fca6ebd556084d6

  • SHA256

    5c02baf7cc1a89b9248b0e80103e1ceafa4f2307adcb233e8b18151c6804ca71

  • SHA512

    6561c864d6c684e394160bcec82c36a12a8dc87070f224eae28d08ec92ceff29dedf84cc9307d7f1ccc035ffe4339fb67285e0756b72426658d70710031eacff

  • SSDEEP

    49152:VN3o9vO1DXwG/lKa1y2In8b51LGFgxzcy9mVc3jG2A:VBo9vk7saHb51LGFgxwWmAC2

Score
10/10
amadeyredlinerhadamanthysriseprozgratdiscoveryevasioninfostealerpersistenceratspywarestealerthemidatrojan

Malware Config

Extracted

Family

amadey

Version

4.18

C2

http://193.233.132.56

Attributes
  • install_dir

    09fd851a4f

  • install_file

    explorha.exe

  • strings_key

    443351145ece4966ded809641c77cfa8

  • url_paths

    /Pneh2sXQk0/index.php

rc4.plain

Extracted

Family

amadey

Version

4.17

C2

http://185.215.113.32

Attributes
  • install_dir

    00c07260dc

  • install_file

    explorgu.exe

  • strings_key

    461809bd97c251ba0c0c8450c7055f1d

  • url_paths

    /yandex/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detect ZGRat V1 27 IoCs
  • Modifies firewall policy service 2 TTPs 1 IoCs
    evasion
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 4 IoCs
  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
    evasion
  • Blocklisted process makes network request 4 IoCs
  • Downloads MZ/PE file
  • Modifies Windows Firewall 2 TTPs 3 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 18 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 30 IoCs
  • Identifies Wine through registry keys 2 TTPs 8 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 11 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 1 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 4 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 4 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 22 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2932
      • C:\Windows\SysWOW64\dialer.exe
        "C:\Windows\system32\dialer.exe"
        2⤵
          PID:2368
      • C:\Users\Admin\AppData\Local\Temp\5c02baf7cc1a89b9248b0e80103e1ceafa4f2307adcb233e8b18151c6804ca71.exe
        "C:\Users\Admin\AppData\Local\Temp\5c02baf7cc1a89b9248b0e80103e1ceafa4f2307adcb233e8b18151c6804ca71.exe"
        1⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1736
        • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
          "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
          2⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Adds Run key to start application
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:652
          • C:\Users\Admin\AppData\Local\Temp\1000042001\fa136186c5.exe
            "C:\Users\Admin\AppData\Local\Temp\1000042001\fa136186c5.exe"
            3⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            PID:232
          • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
            "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
            3⤵
              PID:4332
            • C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe
              "C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe"
              3⤵
              • Executes dropped EXE
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:1616
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
                4⤵
                • Enumerates system info in registry
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                • Suspicious use of WriteProcessMemory
                PID:1484
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ffe7f4d3cb8,0x7ffe7f4d3cc8,0x7ffe7f4d3cd8
                  5⤵
                    PID:1812
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,432994451060306919,15555851715209833864,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1848 /prefetch:2
                    5⤵
                      PID:1464
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,432994451060306919,15555851715209833864,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
                      5⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:864
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,432994451060306919,15555851715209833864,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
                      5⤵
                        PID:4072
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,432994451060306919,15555851715209833864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
                        5⤵
                          PID:4728
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,432994451060306919,15555851715209833864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
                          5⤵
                            PID:2268
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,432994451060306919,15555851715209833864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:1
                            5⤵
                              PID:4968
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,432994451060306919,15555851715209833864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3844 /prefetch:1
                              5⤵
                                PID:2452
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,432994451060306919,15555851715209833864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
                                5⤵
                                  PID:4232
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,432994451060306919,15555851715209833864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
                                  5⤵
                                    PID:996
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,432994451060306919,15555851715209833864,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3276 /prefetch:8
                                    5⤵
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:5880
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,432994451060306919,15555851715209833864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
                                    5⤵
                                      PID:3868
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,432994451060306919,15555851715209833864,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
                                      5⤵
                                        PID:348
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,432994451060306919,15555851715209833864,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5996 /prefetch:8
                                        5⤵
                                        • Suspicious behavior: EnumeratesProcesses
                                        PID:5400
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,432994451060306919,15555851715209833864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
                                        5⤵
                                          PID:5688
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,432994451060306919,15555851715209833864,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
                                          5⤵
                                            PID:5680
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
                                          4⤵
                                          • Suspicious use of WriteProcessMemory
                                          PID:5088
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xfc,0xd8,0x7ffe7f4d3cb8,0x7ffe7f4d3cc8,0x7ffe7f4d3cd8
                                            5⤵
                                              PID:3632
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2008,12120944477741708760,4476226757659418759,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2020 /prefetch:3
                                              5⤵
                                              • Suspicious behavior: EnumeratesProcesses
                                              PID:2900
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
                                            4⤵
                                            • Suspicious use of WriteProcessMemory
                                            PID:1528
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe7f4d3cb8,0x7ffe7f4d3cc8,0x7ffe7f4d3cd8
                                              5⤵
                                                PID:1800
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,1769692498864712888,10771721504036366289,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 /prefetch:3
                                                5⤵
                                                • Suspicious behavior: EnumeratesProcesses
                                                PID:2992
                                          • C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe
                                            "C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe"
                                            3⤵
                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                            • Checks BIOS information in registry
                                            • Executes dropped EXE
                                            • Identifies Wine through registry keys
                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                            • Drops file in Windows directory
                                            • Suspicious behavior: EnumeratesProcesses
                                            PID:5496
                                          • C:\Windows\SysWOW64\rundll32.exe
                                            "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
                                            3⤵
                                            • Loads dropped DLL
                                            PID:5316
                                            • C:\Windows\system32\rundll32.exe
                                              "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
                                              4⤵
                                              • Blocklisted process makes network request
                                              • Loads dropped DLL
                                              • Suspicious behavior: EnumeratesProcesses
                                              PID:5344
                                              • C:\Windows\system32\netsh.exe
                                                netsh wlan show profiles
                                                5⤵
                                                  PID:5348
                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\567984660271_Desktop.zip' -CompressionLevel Optimal
                                                  5⤵
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:2580
                                            • C:\Windows\SysWOW64\rundll32.exe
                                              "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
                                              3⤵
                                              • Blocklisted process makes network request
                                              • Loads dropped DLL
                                              PID:5956
                                        • C:\Windows\System32\CompPkgSrv.exe
                                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                                          1⤵
                                            PID:4872
                                          • C:\Windows\System32\CompPkgSrv.exe
                                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                                            1⤵
                                              PID:124
                                            • C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
                                              C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
                                              1⤵
                                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                              • Checks BIOS information in registry
                                              • Executes dropped EXE
                                              • Identifies Wine through registry keys
                                              • Adds Run key to start application
                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                              • Suspicious behavior: EnumeratesProcesses
                                              PID:5300
                                              • C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe
                                                "C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe"
                                                2⤵
                                                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                • Checks BIOS information in registry
                                                • Executes dropped EXE
                                                • Identifies Wine through registry keys
                                                PID:4988
                                              • C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe
                                                "C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe"
                                                2⤵
                                                • Executes dropped EXE
                                                • Suspicious use of SetThreadContext
                                                PID:5828
                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                  3⤵
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:5940
                                                  • C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe
                                                    "C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"
                                                    4⤵
                                                    • Executes dropped EXE
                                                    • Modifies system certificate store
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:5632
                                                  • C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe
                                                    "C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"
                                                    4⤵
                                                    • Executes dropped EXE
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:6108
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
                                                    4⤵
                                                      PID:5928
                                                      • C:\Windows\SysWOW64\choice.exe
                                                        choice /C Y /N /D Y /T 3
                                                        5⤵
                                                          PID:4864
                                                  • C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe"
                                                    2⤵
                                                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                    • Checks BIOS information in registry
                                                    • Executes dropped EXE
                                                    • Identifies Wine through registry keys
                                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    PID:5140
                                                  • C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe"
                                                    2⤵
                                                    • Executes dropped EXE
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:2184
                                                  • C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe"
                                                    2⤵
                                                    • Executes dropped EXE
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:6000
                                                  • C:\Windows\SysWOW64\rundll32.exe
                                                    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
                                                    2⤵
                                                    • Loads dropped DLL
                                                    PID:5876
                                                    • C:\Windows\system32\rundll32.exe
                                                      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
                                                      3⤵
                                                      • Blocklisted process makes network request
                                                      • Loads dropped DLL
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      PID:5928
                                                      • C:\Windows\system32\netsh.exe
                                                        netsh wlan show profiles
                                                        4⤵
                                                          PID:5572
                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\567984660271_Desktop.zip' -CompressionLevel Optimal
                                                          4⤵
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:5808
                                                    • C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe"
                                                      2⤵
                                                      • Executes dropped EXE
                                                      PID:2776
                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe" /F
                                                        3⤵
                                                        • Creates scheduled task(s)
                                                        PID:5156
                                                    • C:\Users\Admin\AppData\Local\Temp\1001052001\Eljlre.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\1001052001\Eljlre.exe"
                                                      2⤵
                                                      • Executes dropped EXE
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:5628
                                                    • C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe"
                                                      2⤵
                                                      • Executes dropped EXE
                                                      • Suspicious use of SetThreadContext
                                                      PID:2064
                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                        3⤵
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:2096
                                                    • C:\Users\Admin\AppData\Local\Temp\1001055001\file300un.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\1001055001\file300un.exe"
                                                      2⤵
                                                      • Executes dropped EXE
                                                      • Suspicious use of SetThreadContext
                                                      PID:5980
                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
                                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                                                        3⤵
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:3012
                                                        • C:\Users\Admin\Pictures\7XOdWfBvqYD2zr7D32WZ5nBW.exe
                                                          "C:\Users\Admin\Pictures\7XOdWfBvqYD2zr7D32WZ5nBW.exe"
                                                          4⤵
                                                          • Executes dropped EXE
                                                          PID:5660
                                                          • C:\Users\Admin\AppData\Local\Temp\u4d8.0.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\u4d8.0.exe"
                                                            5⤵
                                                            • Executes dropped EXE
                                                            • Checks processor information in registry
                                                            PID:1456
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\ECGDHDHJEB.exe"
                                                              6⤵
                                                                PID:5892
                                                                • C:\Users\Admin\AppData\Local\Temp\ECGDHDHJEB.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\ECGDHDHJEB.exe"
                                                                  7⤵
                                                                    PID:5824
                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\ECGDHDHJEB.exe
                                                                      8⤵
                                                                        PID:6020
                                                                        • C:\Windows\SysWOW64\PING.EXE
                                                                          ping 2.2.2.2 -n 1 -w 3000
                                                                          9⤵
                                                                          • Runs ping.exe
                                                                          PID:3456
                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 3520
                                                                    6⤵
                                                                    • Program crash
                                                                    PID:4872
                                                                • C:\Users\Admin\AppData\Local\Temp\u4d8.1.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\u4d8.1.exe"
                                                                  5⤵
                                                                  • Executes dropped EXE
                                                                  • Checks SCSI registry key(s)
                                                                  • Suspicious use of FindShellTrayWindow
                                                                  • Suspicious use of SendNotifyMessage
                                                                  PID:1236
                                                                  • C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
                                                                    6⤵
                                                                      PID:3192
                                                                • C:\Users\Admin\Pictures\QczTYBqaeUMB72OyxPvWtk3N.exe
                                                                  "C:\Users\Admin\Pictures\QczTYBqaeUMB72OyxPvWtk3N.exe"
                                                                  4⤵
                                                                  • Executes dropped EXE
                                                                  PID:1636
                                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    powershell -nologo -noprofile
                                                                    5⤵
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:3612
                                                                  • C:\Users\Admin\Pictures\QczTYBqaeUMB72OyxPvWtk3N.exe
                                                                    "C:\Users\Admin\Pictures\QczTYBqaeUMB72OyxPvWtk3N.exe"
                                                                    5⤵
                                                                      PID:2468
                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                        powershell -nologo -noprofile
                                                                        6⤵
                                                                          PID:4252
                                                                        • C:\Windows\system32\cmd.exe
                                                                          C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
                                                                          6⤵
                                                                            PID:5252
                                                                            • C:\Windows\system32\netsh.exe
                                                                              netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                                                                              7⤵
                                                                              • Modifies Windows Firewall
                                                                              PID:5128
                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            powershell -nologo -noprofile
                                                                            6⤵
                                                                              PID:2264
                                                                        • C:\Users\Admin\Pictures\E5NymT1DuZ5SVrBCmwRAhkW7.exe
                                                                          "C:\Users\Admin\Pictures\E5NymT1DuZ5SVrBCmwRAhkW7.exe"
                                                                          4⤵
                                                                          • Executes dropped EXE
                                                                          PID:4700
                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            powershell -nologo -noprofile
                                                                            5⤵
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:3200
                                                                          • C:\Users\Admin\Pictures\E5NymT1DuZ5SVrBCmwRAhkW7.exe
                                                                            "C:\Users\Admin\Pictures\E5NymT1DuZ5SVrBCmwRAhkW7.exe"
                                                                            5⤵
                                                                              PID:3432
                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                powershell -nologo -noprofile
                                                                                6⤵
                                                                                  PID:572
                                                                                • C:\Windows\system32\cmd.exe
                                                                                  C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
                                                                                  6⤵
                                                                                    PID:432
                                                                                    • C:\Windows\system32\netsh.exe
                                                                                      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                                                                                      7⤵
                                                                                      • Modifies Windows Firewall
                                                                                      PID:1832
                                                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                    powershell -nologo -noprofile
                                                                                    6⤵
                                                                                      PID:948
                                                                                • C:\Users\Admin\Pictures\sBQBvSsSDy0nlGEPLWZcnRx8.exe
                                                                                  "C:\Users\Admin\Pictures\sBQBvSsSDy0nlGEPLWZcnRx8.exe"
                                                                                  4⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious use of SetThreadContext
                                                                                  PID:2884
                                                                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                    5⤵
                                                                                      PID:5664
                                                                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                      5⤵
                                                                                      • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                      PID:4732
                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 544
                                                                                        6⤵
                                                                                        • Program crash
                                                                                        PID:5876
                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 556
                                                                                        6⤵
                                                                                        • Program crash
                                                                                        PID:1824
                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 872
                                                                                      5⤵
                                                                                      • Program crash
                                                                                      PID:1680
                                                                                  • C:\Users\Admin\Pictures\oJ5kiJCUAy0r5oi0Sd1oMiVU.exe
                                                                                    "C:\Users\Admin\Pictures\oJ5kiJCUAy0r5oi0Sd1oMiVU.exe"
                                                                                    4⤵
                                                                                    • Executes dropped EXE
                                                                                    PID:5932
                                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      powershell -nologo -noprofile
                                                                                      5⤵
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:4484
                                                                                    • C:\Users\Admin\Pictures\oJ5kiJCUAy0r5oi0Sd1oMiVU.exe
                                                                                      "C:\Users\Admin\Pictures\oJ5kiJCUAy0r5oi0Sd1oMiVU.exe"
                                                                                      5⤵
                                                                                        PID:5564
                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          powershell -nologo -noprofile
                                                                                          6⤵
                                                                                            PID:5036
                                                                                          • C:\Windows\system32\cmd.exe
                                                                                            C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
                                                                                            6⤵
                                                                                              PID:3208
                                                                                              • C:\Windows\system32\netsh.exe
                                                                                                netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                                                                                                7⤵
                                                                                                • Modifies Windows Firewall
                                                                                                PID:2460
                                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                              powershell -nologo -noprofile
                                                                                              6⤵
                                                                                                PID:5916
                                                                                          • C:\Users\Admin\Pictures\kwYlaP9uD9LrQoim5vqU1u4e.exe
                                                                                            "C:\Users\Admin\Pictures\kwYlaP9uD9LrQoim5vqU1u4e.exe"
                                                                                            4⤵
                                                                                            • Modifies firewall policy service
                                                                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                            • Checks BIOS information in registry
                                                                                            • Executes dropped EXE
                                                                                            • Checks whether UAC is enabled
                                                                                            • Drops file in System32 directory
                                                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                            PID:6108
                                                                                          • C:\Users\Admin\Pictures\GJtEpu5Q82iE8KmlETcVsp6w.exe
                                                                                            "C:\Users\Admin\Pictures\GJtEpu5Q82iE8KmlETcVsp6w.exe" --silent --allusers=0
                                                                                            4⤵
                                                                                            • Executes dropped EXE
                                                                                            • Loads dropped DLL
                                                                                            • Enumerates connected drives
                                                                                            PID:6000
                                                                                            • C:\Users\Admin\Pictures\GJtEpu5Q82iE8KmlETcVsp6w.exe
                                                                                              C:\Users\Admin\Pictures\GJtEpu5Q82iE8KmlETcVsp6w.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x2b0,0x2b4,0x2b8,0x28c,0x2bc,0x6b8ce1d0,0x6b8ce1dc,0x6b8ce1e8
                                                                                              5⤵
                                                                                              • Executes dropped EXE
                                                                                              • Loads dropped DLL
                                                                                              PID:4236
                                                                                            • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\GJtEpu5Q82iE8KmlETcVsp6w.exe
                                                                                              "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\GJtEpu5Q82iE8KmlETcVsp6w.exe" --version
                                                                                              5⤵
                                                                                              • Executes dropped EXE
                                                                                              • Loads dropped DLL
                                                                                              PID:3176
                                                                                            • C:\Users\Admin\Pictures\GJtEpu5Q82iE8KmlETcVsp6w.exe
                                                                                              "C:\Users\Admin\Pictures\GJtEpu5Q82iE8KmlETcVsp6w.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=6000 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240329120436" --session-guid=3a216780-4c1f-45f8-b410-6c7859a29b85 --server-tracking-blob=MWIxZDI5ZDE5MWFmNzZiZDlhODZjZTNmNmU4NmM3NzM1OGYwNjgzNDJiYTNhYWNlZTlkMjcxOWMyNzczNWI0Mjp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N180NTYiLCJzeXN0ZW0iOnsicGxhdGZvcm0iOnsiYXJjaCI6Ing4Nl82NCIsIm9wc3lzIjoiV2luZG93cyIsIm9wc3lzLXZlcnNpb24iOiIxMSIsInBhY2thZ2UiOiJFWEUifX0sInRpbWVzdGFtcCI6IjE3MTE3MTM4NjguMjc2NSIsInV0bSI6eyJjYW1wYWlnbiI6Ijc2N180NTYiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJta3QifSwidXVpZCI6ImEyNDQzNzlmLWIyYWUtNDQ2My1hNTg0LWM2MTA5OWI4MmRmNyJ9 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=2804000000000000
                                                                                              5⤵
                                                                                              • Executes dropped EXE
                                                                                              • Loads dropped DLL
                                                                                              • Enumerates connected drives
                                                                                              PID:5860
                                                                                              • C:\Users\Admin\Pictures\GJtEpu5Q82iE8KmlETcVsp6w.exe
                                                                                                C:\Users\Admin\Pictures\GJtEpu5Q82iE8KmlETcVsp6w.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x2bc,0x2c0,0x2c4,0x28c,0x2c8,0x6af4e1d0,0x6af4e1dc,0x6af4e1e8
                                                                                                6⤵
                                                                                                • Executes dropped EXE
                                                                                                • Loads dropped DLL
                                                                                                PID:5056
                                                                                            • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291204361\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
                                                                                              "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291204361\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
                                                                                              5⤵
                                                                                                PID:3440
                                                                                              • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291204361\assistant\assistant_installer.exe
                                                                                                "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291204361\assistant\assistant_installer.exe" --version
                                                                                                5⤵
                                                                                                  PID:1360
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291204361\assistant\assistant_installer.exe
                                                                                                    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291204361\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x1140040,0x114004c,0x1140058
                                                                                                    6⤵
                                                                                                      PID:1896
                                                                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
                                                                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                                                                                                3⤵
                                                                                                  PID:2432
                                                                                              • C:\Windows\SysWOW64\rundll32.exe
                                                                                                "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
                                                                                                2⤵
                                                                                                • Blocklisted process makes network request
                                                                                                • Loads dropped DLL
                                                                                                PID:5704
                                                                                            • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
                                                                                              C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
                                                                                              1⤵
                                                                                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                              • Checks BIOS information in registry
                                                                                              • Executes dropped EXE
                                                                                              • Identifies Wine through registry keys
                                                                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                              PID:5396
                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2884 -ip 2884
                                                                                              1⤵
                                                                                                PID:2368
                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4732 -ip 4732
                                                                                                1⤵
                                                                                                  PID:5784
                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4732 -ip 4732
                                                                                                  1⤵
                                                                                                    PID:1072
                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
                                                                                                    1⤵
                                                                                                      PID:4556
                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                      C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
                                                                                                      1⤵
                                                                                                        PID:4992
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe
                                                                                                        C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe
                                                                                                        1⤵
                                                                                                          PID:4916
                                                                                                        • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
                                                                                                          C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
                                                                                                          1⤵
                                                                                                            PID:1236
                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 1456 -ip 1456
                                                                                                            1⤵
                                                                                                              PID:5544

                                                                                                            Network

                                                                                                            MITRE ATT&CK Matrix ATT&CK v13

                                                                                                            Initial Access

                                                                                                            Execution

                                                                                                            Scheduled Task/Job

                                                                                                            1
                                                                                                            T1053

                                                                                                            Persistence

                                                                                                            Create or Modify System Process

                                                                                                            2
                                                                                                            T1543

                                                                                                            Windows Service

                                                                                                            2
                                                                                                            T1543.003

                                                                                                            Boot or Logon Autostart Execution

                                                                                                            1
                                                                                                            T1547

                                                                                                            Registry Run Keys / Startup Folder

                                                                                                            1
                                                                                                            T1547.001

                                                                                                            Scheduled Task/Job

                                                                                                            1
                                                                                                            T1053

                                                                                                            Privilege Escalation

                                                                                                            Create or Modify System Process

                                                                                                            2
                                                                                                            T1543

                                                                                                            Windows Service

                                                                                                            2
                                                                                                            T1543.003

                                                                                                            Boot or Logon Autostart Execution

                                                                                                            1
                                                                                                            T1547

                                                                                                            Registry Run Keys / Startup Folder

                                                                                                            1
                                                                                                            T1547.001

                                                                                                            Scheduled Task/Job

                                                                                                            1
                                                                                                            T1053

                                                                                                            Defense Evasion

                                                                                                            Modify Registry

                                                                                                            3
                                                                                                            T1112

                                                                                                            Virtualization/Sandbox Evasion

                                                                                                            2
                                                                                                            T1497

                                                                                                            Impair Defenses

                                                                                                            1
                                                                                                            T1562

                                                                                                            Disable or Modify System Firewall

                                                                                                            1
                                                                                                            T1562.004

                                                                                                            Subvert Trust Controls

                                                                                                            1
                                                                                                            T1553

                                                                                                            Install Root Certificate

                                                                                                            1
                                                                                                            T1553.004

                                                                                                            Credential Access

                                                                                                            Unsecured Credentials

                                                                                                            4
                                                                                                            T1552

                                                                                                            Credentials In Files

                                                                                                            3
                                                                                                            T1552.001

                                                                                                            Credentials in Registry

                                                                                                            1
                                                                                                            T1552.002

                                                                                                            Discovery

                                                                                                            Query Registry

                                                                                                            8
                                                                                                            T1012

                                                                                                            Virtualization/Sandbox Evasion

                                                                                                            2
                                                                                                            T1497

                                                                                                            System Information Discovery

                                                                                                            7
                                                                                                            T1082

                                                                                                            Peripheral Device Discovery

                                                                                                            2
                                                                                                            T1120

                                                                                                            Remote System Discovery

                                                                                                            1
                                                                                                            T1018

                                                                                                            Lateral Movement

                                                                                                            Collection

                                                                                                            Data from Local System

                                                                                                            4
                                                                                                            T1005

                                                                                                            Exfiltration

                                                                                                            Command and Control

                                                                                                            Web Service

                                                                                                            1
                                                                                                            T1102

                                                                                                            Impact

                                                                                                            Resource Development

                                                                                                            Reconnaissance

                                                                                                            Replay Monitor

                                                                                                            Loading Replay Monitor...

                                                                                                            Downloads

                                                                                                            • C:\ProgramData\Are.docx
                                                                                                              Filesize

                                                                                                              11KB

                                                                                                              MD5

                                                                                                              a33e5b189842c5867f46566bdbf7a095

                                                                                                              SHA1

                                                                                                              e1c06359f6a76da90d19e8fd95e79c832edb3196

                                                                                                              SHA256

                                                                                                              5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

                                                                                                              SHA512

                                                                                                              f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

                                                                                                              Download Submit
                                                                                                            • C:\ProgramData\EHJDGCBGDBKJKFHIECBAEHIDHJ
                                                                                                              Filesize

                                                                                                              20KB

                                                                                                              MD5

                                                                                                              1bd071fa20b30ee9fcf5969ec0be08d5

                                                                                                              SHA1

                                                                                                              aac9930201b9d93cba56f07457a8d4c0e1a18bbb

                                                                                                              SHA256

                                                                                                              7ae90e60e93153baa01ba343dfc0316a39737ba7e45e90006d7b77065a171793

                                                                                                              SHA512

                                                                                                              1e20c45822ed054db8a8f0151d755aa2dae9d7b25c733d5dbb96bb515166a4e4b3ec47a2866515c0f727f7f5857366c9d9c32d224cab25715ba0bd4c65297b56

                                                                                                              Download Submit
                                                                                                            • C:\ProgramData\mozglue.dll
                                                                                                              Filesize

                                                                                                              593KB

                                                                                                              MD5

                                                                                                              c8fd9be83bc728cc04beffafc2907fe9

                                                                                                              SHA1

                                                                                                              95ab9f701e0024cedfbd312bcfe4e726744c4f2e

                                                                                                              SHA256

                                                                                                              ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

                                                                                                              SHA512

                                                                                                              fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\2c35519b-81ac-482f-a424-3d1109b2e16c.tmp
                                                                                                              Filesize

                                                                                                              10KB

                                                                                                              MD5

                                                                                                              e94ad5abcd5726b029556585b8b720e7

                                                                                                              SHA1

                                                                                                              577c3547b01d4cf77a3df167a7af0d65978b91b5

                                                                                                              SHA256

                                                                                                              ba23441eed96f97fe93864194084b405afaec62c57b561f5dbfb87bdf9f47c81

                                                                                                              SHA512

                                                                                                              054dfb6424d33034e7585caea3fb6eef6f740af008d6d0c81d3a6d8f0e5113b876b0d4f940b7cc4c6da5c4010410ff4b90cc59a327bdc281275e02cef64b1fd9

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                                                              Filesize

                                                                                                              152B

                                                                                                              MD5

                                                                                                              7656e81014b9872f6a1697828a9cc60f

                                                                                                              SHA1

                                                                                                              60e1b4b1574d100e821bdfe8c46dd82c91196dcd

                                                                                                              SHA256

                                                                                                              885097327a3e85d7476d570a4c4261e78261fa6560c4f99e7e815b51d5c9fb67

                                                                                                              SHA512

                                                                                                              72931405c2b50a0776885b6e3d445d71c0f2dc81774bb4794c34cf983f334b869d20870edbd6a3804c4c0a0ae7cde74632a35f0b2f8385fd29d4f63c691a4353

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                                                              Filesize

                                                                                                              152B

                                                                                                              MD5

                                                                                                              ec7568123e3bee98a389e115698dffeb

                                                                                                              SHA1

                                                                                                              1542627dbcbaf7d93fcadb771191f18c2248238c

                                                                                                              SHA256

                                                                                                              5b5e61fe004e83477411dd2b6194e90591d36f2f145cc3b4faa20cf7ae266a75

                                                                                                              SHA512

                                                                                                              4a53fbbd7281a1a391f0040f6ff5515cedf6e1f97f2dae4ab495b4f76eb4f929dcda6b347f9bf7f66a899330f8897e1ed117314945d1de27b035cc170fa447d3

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\974b3db7-771a-4026-93d6-bd8870ce2246.tmp
                                                                                                              Filesize

                                                                                                              6KB

                                                                                                              MD5

                                                                                                              ca6335cdf4101904dd3489e1896d665c

                                                                                                              SHA1

                                                                                                              077748a07347108d14d28b53c07906c575b5295a

                                                                                                              SHA256

                                                                                                              a05ad8fad245f2040497f5afce845902be939c3d73f6e979268cf08889337cc9

                                                                                                              SHA512

                                                                                                              8601d37dba10fae7f83171195a02a8ce11ae6241fb1f2aafdf44f7b6bff4c6ce31da963ab79a5b73defcbfd6c4295b975151ade3d43a6f8dfec7f853146bd48a

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                                                                                              Filesize

                                                                                                              960B

                                                                                                              MD5

                                                                                                              b62078a421c7a02e22a29df55dddd948

                                                                                                              SHA1

                                                                                                              cdc8040f788f8e08f913a5a6865366942f7b18ad

                                                                                                              SHA256

                                                                                                              4eeb8c769e946230b84f940cfbe29b91abf4398a93833e4750a1f5e2a9aabdde

                                                                                                              SHA512

                                                                                                              5fdb2ea0dc5587bcb4a1a694b4236d9dcbc2844b0f93bbb99d35e187e28ccd37a90c9592737465510412ef05c3ace92f974733b992e300d4551ad1712611c7fa

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                                                                              Filesize

                                                                                                              2KB

                                                                                                              MD5

                                                                                                              8c26a95fca7aef0b5bc1cdf6a935afe1

                                                                                                              SHA1

                                                                                                              17233ceb6c08c616aebe42a0b8e3a336b5024c91

                                                                                                              SHA256

                                                                                                              2ba4aa18c4d904decb833f5851e12bf41f14e87520eefae419e82e61630f6eef

                                                                                                              SHA512

                                                                                                              acfba72702e05b1b93ffac9a0e43773192599dc9130420c80afa224b55561af651ee325a48461ab935fccffd4778e63d12c16c60d50069f2a95a1dcfbce80e06

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                                                                              Filesize

                                                                                                              111B

                                                                                                              MD5

                                                                                                              285252a2f6327d41eab203dc2f402c67

                                                                                                              SHA1

                                                                                                              acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

                                                                                                              SHA256

                                                                                                              5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

                                                                                                              SHA512

                                                                                                              11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                                              Filesize

                                                                                                              4KB

                                                                                                              MD5

                                                                                                              fc0425fd99b9675a7a613368796e6e32

                                                                                                              SHA1

                                                                                                              3d1d9876812266f5e09b8cfaad6e109871d25475

                                                                                                              SHA256

                                                                                                              8d07c0ee64b501fb1c60ce99ed40baefdb604e50190579ae193fa954c01a8470

                                                                                                              SHA512

                                                                                                              cca79cacb58265d2192164f1d81487994a5a0a76c4eb69688fbc11c667cae07b93eecfc11c956f3459bf9e761051fe17c0f1cb3271db4e3a58f771e221ed35d5

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
                                                                                                              Filesize

                                                                                                              25KB

                                                                                                              MD5

                                                                                                              0ba15f72ffb0a37243558588d3e78221

                                                                                                              SHA1

                                                                                                              814bdfffd723f7de9f8d6d6a0bc8d85a9f275cc0

                                                                                                              SHA256

                                                                                                              3d0223e1f8bb35870db41872cfbbe467f65bf9a1208dcb4d4ad874e250ccc10a

                                                                                                              SHA512

                                                                                                              02b168ef9cc226a08955092173c3745a55b28faa438b8152acb90d3bc1d9f433de7d8341def8b452db1986392a59cabc7c69689ad00825c58371ca78021183be

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                                              Filesize

                                                                                                              707B

                                                                                                              MD5

                                                                                                              ae611f6640d482f791295fb0d2ba585c

                                                                                                              SHA1

                                                                                                              665f0ea7c9893c52e42ffe94c86b409658a5536e

                                                                                                              SHA256

                                                                                                              392e766cede4ead76b1c5ab060345e49a21f6cf8a40771d314c477870514ad3a

                                                                                                              SHA512

                                                                                                              b679d9ea6acccc298708970659f97f915f852d80c93c763e971225aab085a339317ff1fc4e070904e79bb8fea03d41a920b03f320a0147018d9408906c24decb

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                                              Filesize

                                                                                                              707B

                                                                                                              MD5

                                                                                                              de230f8fadb2a61f91c13b31935186b4

                                                                                                              SHA1

                                                                                                              5ad23991be84a0ad8d39ffe1bd49891e3557f334

                                                                                                              SHA256

                                                                                                              89b48db8c0ffaa0c6f006686532dc225e10a33b0351657e07db595f0fd986754

                                                                                                              SHA512

                                                                                                              74d09181f9961261f381f9d4f8f18663c52843e677ca2c414480ce9dc3a556697df2eeb0f0da1b63b5c23c225d466d36603bea44f8bc8e75ba85e5fc82cba797

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                                              Filesize

                                                                                                              705B

                                                                                                              MD5

                                                                                                              8a57c865ac8303bebcd98e17bbb97b05

                                                                                                              SHA1

                                                                                                              3008643b1a1af5124ebcaea0121b9c368d20664c

                                                                                                              SHA256

                                                                                                              1d2213848f133e6257cd58a491fa3cd0d945032f649eea3218a9e39dc6742d61

                                                                                                              SHA512

                                                                                                              9806ba0ed6eef6e8f111f0a1e428044066aefd56b7b0f10ebe93dd91cb1dd93897732affa317df5e4a5a2cbd874dde7ec749fbe24cd73f3d7fe588488fd2102b

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ec54.TMP
                                                                                                              Filesize

                                                                                                              707B

                                                                                                              MD5

                                                                                                              bbe0a2aecf77a1dfe16d1589c39a5350

                                                                                                              SHA1

                                                                                                              7b12eb4a79751d08c52c4c395214f30f927ac38a

                                                                                                              SHA256

                                                                                                              419c35df5a638d50e5c488fe9a1bfe59c1d590e69bb7d3c8eee7efe491098c1c

                                                                                                              SHA512

                                                                                                              f87c23ea629d3019d4f9292dab7d35276dee80bbdcc719a87c4b59a966eded1da2dd19715e3b72bcf5ea884062106191e6b955d8aebfefbc49036d6417ed071c

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                                                                              Filesize

                                                                                                              16B

                                                                                                              MD5

                                                                                                              6752a1d65b201c13b62ea44016eb221f

                                                                                                              SHA1

                                                                                                              58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                                                                              SHA256

                                                                                                              0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                                                                              SHA512

                                                                                                              9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                                                              Filesize

                                                                                                              10KB

                                                                                                              MD5

                                                                                                              20cff694a779f38820e5eb1d826673f0

                                                                                                              SHA1

                                                                                                              2f8b897aa176e9cf38c405f343947aebf07623fc

                                                                                                              SHA256

                                                                                                              acf6f00819e527d62d0b047fc555958b90abd1a2c2c80df923a9c37384bf8f70

                                                                                                              SHA512

                                                                                                              36c765fd3f9758da90ce2be7a94f74e07b19ba7d9fc664ea00c14abd1b97b95873c9f90ca4908cdc3d6f116757d2d4109d84c0306300da909356d38c451039ec

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                                                              Filesize

                                                                                                              2KB

                                                                                                              MD5

                                                                                                              0b5e151c3ed57f27b9e8d43e4fdafb9f

                                                                                                              SHA1

                                                                                                              f3a115e022abfc0a3f3be704b3bd7dc7c64c1178

                                                                                                              SHA256

                                                                                                              8eeb0ab7bde4e50ee4e56d46bd4c8efdb7fdfe7500f6bd548d996f0f498025d5

                                                                                                              SHA512

                                                                                                              1bcb4ca3adff6234eed72d60ae1a11f5702499a35e337d1ba69a516c800db2a77844380a26b2426bd82e69dd7fbb4f23884e063f10ed61c39ce74ffd57a247be

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                                                              Filesize

                                                                                                              2KB

                                                                                                              MD5

                                                                                                              b303bf6bfdc2b4e87660ac0468a40b8c

                                                                                                              SHA1

                                                                                                              1368ee96c498677df7e07b61e8d5b25fb6c2769d

                                                                                                              SHA256

                                                                                                              0ada73cb8615c8bb7d4d267a10140482ea4fa512c1fab8394d0abe63174af171

                                                                                                              SHA512

                                                                                                              c304407b824c78e4b4e71044065d7a4bfc8fa2424be351acb026ed776df7cd464848c984004e952447c9bfe7e89081adc873c3129ce935e6db6bad8009cdc928

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                                                              Filesize

                                                                                                              11KB

                                                                                                              MD5

                                                                                                              58f9daf761254e0e3203a7bc3e83c11c

                                                                                                              SHA1

                                                                                                              b9a76e65d8e5befc3a02c1f72f9cd3a8c6b913d6

                                                                                                              SHA256

                                                                                                              04fca90098f849dec9a1827b644a12f02414aa592241cdf37ee98d73cc722bf9

                                                                                                              SHA512

                                                                                                              8a3a1584f029d79507798923c96621be1dd475b802432d378b0d9af8ca47e5151e738a21129ad700430c79310d02b2805e11a08ae3ff1476d0729d5bd189428f

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291204361\additional_file0.tmp
                                                                                                              Filesize

                                                                                                              2.5MB

                                                                                                              MD5

                                                                                                              20d293b9bf23403179ca48086ba88867

                                                                                                              SHA1

                                                                                                              dedf311108f607a387d486d812514a2defbd1b9e

                                                                                                              SHA256

                                                                                                              fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348

                                                                                                              SHA512

                                                                                                              5d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291204361\opera_package
                                                                                                              Filesize

                                                                                                              103.9MB

                                                                                                              MD5

                                                                                                              401c352990789be2f40fe8f9c5c7a5ac

                                                                                                              SHA1

                                                                                                              d7c1e902487511d3f4e1a57abdee8a94d5483ed4

                                                                                                              SHA256

                                                                                                              f62f4ebc7eca46d9cddfb02cc0305da5efdd6f3601fb0f53da555e19558869a3

                                                                                                              SHA512

                                                                                                              efc6d4224e3721e91efb2ea8f4b74685cba607260c69d08eac26866c52b8127080a42799d9f76ab1661b8ca63c946fcf35dddf0a63ab3cd258ea44a27dd769c8

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
                                                                                                              Filesize

                                                                                                              1.8MB

                                                                                                              MD5

                                                                                                              8cef71906c123049c0e3a0ebd9f420e3

                                                                                                              SHA1

                                                                                                              60f4c13bc04c536f56b6fcb82fca6ebd556084d6

                                                                                                              SHA256

                                                                                                              5c02baf7cc1a89b9248b0e80103e1ceafa4f2307adcb233e8b18151c6804ca71

                                                                                                              SHA512

                                                                                                              6561c864d6c684e394160bcec82c36a12a8dc87070f224eae28d08ec92ceff29dedf84cc9307d7f1ccc035ffe4339fb67285e0756b72426658d70710031eacff

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1000042001\fa136186c5.exe
                                                                                                              Filesize

                                                                                                              3.1MB

                                                                                                              MD5

                                                                                                              346ddba47f6fabef752b2d9633cf5ca3

                                                                                                              SHA1

                                                                                                              b338ea2be5012a72e0681c097feae15c785dafd0

                                                                                                              SHA256

                                                                                                              bfdb396a094d7457e243379fd31c3de59a4f00c315f7e8fb6263f7babd12f906

                                                                                                              SHA512

                                                                                                              fb51a1223aa77ddb989cfd4195bde63f5ac1d8a3959f68301fa2ab66cd6552f63735a8d165d0944f5a7cc5b024e96ad5af7b162481ea81ea0105f6e84cf3f7a8

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe
                                                                                                              Filesize

                                                                                                              894KB

                                                                                                              MD5

                                                                                                              2f8912af892c160c1c24c9f38a60c1ab

                                                                                                              SHA1

                                                                                                              d2deae508e262444a8f15c29ebcc7ebbe08a3fdb

                                                                                                              SHA256

                                                                                                              59ff8e0aa665fbbf749c7548906a655cb1869bb58a3b7546efa5b416d19e6308

                                                                                                              SHA512

                                                                                                              0395383bde98d358b0a7f2224f903dff026ce0c6d90feb49ac0e6993ef692143b0eb25da84d9cdc9e7b373a7b75a6dbaef14746eda1bff165d59f07ca51a16bb

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe
                                                                                                              Filesize

                                                                                                              1.8MB

                                                                                                              MD5

                                                                                                              70cc66ea2a3de44e1e0b7e6d6954569a

                                                                                                              SHA1

                                                                                                              4468a51f760ff319172c111cce7b54d1ff93efa9

                                                                                                              SHA256

                                                                                                              d85047b22c62c35cfac371778dd92db8ac907be315160f34cfb03f00830e703f

                                                                                                              SHA512

                                                                                                              1a0f646d3387fb3b35792b9c1d72c33333968b3c3142543c90093f3400739e6bc73d62914807abf26ddd3b4410fe1c7cfd58cb925bd5e74aac8384959f342937

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe
                                                                                                              Filesize

                                                                                                              1.7MB

                                                                                                              MD5

                                                                                                              85a15f080b09acace350ab30460c8996

                                                                                                              SHA1

                                                                                                              3fc515e60e4cfa5b3321f04a96c7fb463e4b9d02

                                                                                                              SHA256

                                                                                                              3a2006bc835a8ffe91b9ee9206f630b3172f42e090f4e8d90be620e540f5ef6b

                                                                                                              SHA512

                                                                                                              ade5e3531dfa1a01e6c2a69deb2962cbf619e766da3d6e8e3453f70ff55ccbcbe21381c7b97a53d67e1ca88975f4409b1a42a759e18f806171d29e4c3f250e9f

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe
                                                                                                              Filesize

                                                                                                              301KB

                                                                                                              MD5

                                                                                                              832eb4dc3ed8ceb9a1735bd0c7acaf1b

                                                                                                              SHA1

                                                                                                              b622a406927fbb8f6cd5081bd4455fb831948fca

                                                                                                              SHA256

                                                                                                              2a82243697e2eec45bedc754adcdc1f6f41724a40c6d7d96fd41ad144899b6f7

                                                                                                              SHA512

                                                                                                              3ab8b25732a7152608be101a3daf0d55833c554ab968be8b3b79a49e1831f3ee0eeeb9586a3334fa387b1f160fd15e98a80dcfece559c9c257b44ef962874894

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe
                                                                                                              Filesize

                                                                                                              499KB

                                                                                                              MD5

                                                                                                              83d0b41c7a3a0d29a268b49a313c5de5

                                                                                                              SHA1

                                                                                                              46f3251c771b67b40b1f3268caef8046174909a5

                                                                                                              SHA256

                                                                                                              09cc3364d5e1c15228822926bc65ce290c487dc3b7c0345bf265538110fa9cc9

                                                                                                              SHA512

                                                                                                              705ecc7c421338e37ed0d58c2d9fad03fb3565db422a0c9d895e75a399bf5f2a70cfe3ffdc860ffe010d4d1a213e0a844aeadb89ea8e0c830a2fc8c03b7669b5

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe
                                                                                                              Filesize

                                                                                                              418KB

                                                                                                              MD5

                                                                                                              0099a99f5ffb3c3ae78af0084136fab3

                                                                                                              SHA1

                                                                                                              0205a065728a9ec1133e8a372b1e3864df776e8c

                                                                                                              SHA256

                                                                                                              919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

                                                                                                              SHA512

                                                                                                              5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1001052001\Eljlre.exe
                                                                                                              Filesize

                                                                                                              2.8MB

                                                                                                              MD5

                                                                                                              1e1152424d7721a51a154a725fe2465e

                                                                                                              SHA1

                                                                                                              62bc3d11e915e1dbd3cc3ef5a11afec755c995d9

                                                                                                              SHA256

                                                                                                              674cf1a8997ec6ac5b29b8d7eb6a5fb63ce5aaf4b19ff1ec7749b0225c49906c

                                                                                                              SHA512

                                                                                                              752e7912d30a2f006ef79600b7412db61644630471ec44bab1e5b2565ef62ccb490ea69159420bb7626248cc8113fe07c09fa51f5c630646b179d880e18b7c02

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe
                                                                                                              Filesize

                                                                                                              464KB

                                                                                                              MD5

                                                                                                              c084d6f6ba40534fbfc5a64b21ef99ab

                                                                                                              SHA1

                                                                                                              0b4a17da83c0a8abbc8fab321931d5447b32b720

                                                                                                              SHA256

                                                                                                              afd83290a2adb219c3f1b8fbf23c27b0994fe76dfbb7dc0b416530dc0e21f624

                                                                                                              SHA512

                                                                                                              a5384a2f7029cf946fde44e1ff30775754ce525ca5a6fdac14184872b6e684cb6e585053cb86d32f82cbd3db48eb195ba3a642d8ee3774be579fccd993938ca1

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1001055001\file300un.exe
                                                                                                              Filesize

                                                                                                              386KB

                                                                                                              MD5

                                                                                                              16f67f1a6e10f044bc15abe8c71b3bd6

                                                                                                              SHA1

                                                                                                              ce0101205b919899a2a2f577100377c2a6546171

                                                                                                              SHA256

                                                                                                              41cca3fa0f500dc6c17d1f02fc906d2b0c769210af9c4286760b84ecf46cab89

                                                                                                              SHA512

                                                                                                              a11db01bf55e3497644918c7dcc6180e0911261f39f062e653f000e1365dc9668fe5bd1d0fee0ae5c740a6477bcea510ba8c5ff6831c3bdb0d7c0590d2487e3c

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\567984660271_Desktop.zip
                                                                                                              Filesize

                                                                                                              192KB

                                                                                                              MD5

                                                                                                              5f81e608051da6a40f979c02d22c4f82

                                                                                                              SHA1

                                                                                                              d8e54e70718eb2971d0f3e7ec7523579b343ac67

                                                                                                              SHA256

                                                                                                              fbede004ee49f50369646e772a336abbe646fb663c25102c594af7ac7c372485

                                                                                                              SHA512

                                                                                                              ffae5b3c6be707d7f4beadb805fa5cece90cf53cac0f9df0275381d4e7b1fdda963a432feb378037a396ad61bbfd56b177d62fff64307dc3cffd2a2b235e6a58

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403291204366723176.dll
                                                                                                              Filesize

                                                                                                              4.6MB

                                                                                                              MD5

                                                                                                              117176ddeaf70e57d1747704942549e4

                                                                                                              SHA1

                                                                                                              75e3ab6b3469d93cce9ea2f7e22b71b987ccdf2b

                                                                                                              SHA256

                                                                                                              3c5b34de987116a4d3240e319c0da89a951c96b81e6705476a0fea27b22b20af

                                                                                                              SHA512

                                                                                                              ca2a356929c92d314aab63d7f3b246d72783212dfa3a4507f28d41a51ca0eedc78e85b1cd453aa8e02c12509f847a0216bb702154f903291c804c8a98ec378b9

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Tmp5F03.tmp
                                                                                                              Filesize

                                                                                                              2KB

                                                                                                              MD5

                                                                                                              1420d30f964eac2c85b2ccfe968eebce

                                                                                                              SHA1

                                                                                                              bdf9a6876578a3e38079c4f8cf5d6c79687ad750

                                                                                                              SHA256

                                                                                                              f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

                                                                                                              SHA512

                                                                                                              6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\_Files_\WriteUninstall.txt
                                                                                                              Filesize

                                                                                                              192KB

                                                                                                              MD5

                                                                                                              10eb90dbd53a7a1dd436e3b9383b1735

                                                                                                              SHA1

                                                                                                              24d358c136b161fbb69d88814edc5db64932c18c

                                                                                                              SHA256

                                                                                                              db6c1f4cde04ea6b438e9ffa3882ce95ea6d723f7bdd723e836061f20e83b074

                                                                                                              SHA512

                                                                                                              0bd7c7bb45c5339afe238732758b28e169b42dcdda5006ffc25c5015fc81aee5386715704a73b671ed3ed4fa3707f404c47a05936f55b9757f263a35af5ddc54

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2z5d3uee.gzd.ps1
                                                                                                              Filesize

                                                                                                              60B

                                                                                                              MD5

                                                                                                              d17fe0a3f47be24a6453e9ef58c94641

                                                                                                              SHA1

                                                                                                              6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                              SHA256

                                                                                                              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                              SHA512

                                                                                                              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
                                                                                                              Filesize

                                                                                                              2KB

                                                                                                              MD5

                                                                                                              3c1175890ac76f1cefcf369ce5e6897f

                                                                                                              SHA1

                                                                                                              a1ea4db1592478f2366212c3e4be47f4daa316fe

                                                                                                              SHA256

                                                                                                              6fd05799fb1818ffaab897655db73a38256b4f1255d3e2d343fe150ee19d39a8

                                                                                                              SHA512

                                                                                                              3e0d4974b969c21b525cbc679d495ffb2b07fc177dd8c21a08554a13aa7dad5a87b491c29aff40e9b85200b6fa597100410fee4e5efe82a8331a470dbfb17632

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
                                                                                                              Filesize

                                                                                                              3KB

                                                                                                              MD5

                                                                                                              f2ead1d88de02796782a32da68ef5005

                                                                                                              SHA1

                                                                                                              3536a03ce0e44271f2546c1a3594270a2b9a9218

                                                                                                              SHA256

                                                                                                              7446a71b75d7d672c080fd1f6e684111f7bb9922c88541a8f6811da6d9e20ce0

                                                                                                              SHA512

                                                                                                              aa93307b130af349d6713f79502427b25b70b26d490fc797dff7182a8cc49ed9526c4728fc7533cfc64a1b282a07f8945c0dee5df0778ee4125b19134bc2d079

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\tmp8412.tmp
                                                                                                              Filesize

                                                                                                              46KB

                                                                                                              MD5

                                                                                                              02d2c46697e3714e49f46b680b9a6b83

                                                                                                              SHA1

                                                                                                              84f98b56d49f01e9b6b76a4e21accf64fd319140

                                                                                                              SHA256

                                                                                                              522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

                                                                                                              SHA512

                                                                                                              60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\tmp851F.tmp
                                                                                                              Filesize

                                                                                                              46KB

                                                                                                              MD5

                                                                                                              14ccc9293153deacbb9a20ee8f6ff1b7

                                                                                                              SHA1

                                                                                                              46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

                                                                                                              SHA256

                                                                                                              3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

                                                                                                              SHA512

                                                                                                              916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\tmp8551.tmp
                                                                                                              Filesize

                                                                                                              112KB

                                                                                                              MD5

                                                                                                              87210e9e528a4ddb09c6b671937c79c6

                                                                                                              SHA1

                                                                                                              3c75314714619f5b55e25769e0985d497f0062f2

                                                                                                              SHA256

                                                                                                              eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

                                                                                                              SHA512

                                                                                                              f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\u4d8.0.exe
                                                                                                              Filesize

                                                                                                              233KB

                                                                                                              MD5

                                                                                                              87188a05666ced303bb17f04ec29042f

                                                                                                              SHA1

                                                                                                              651ae4e7b98655fd4dd2de62b0111dacac47cd9e

                                                                                                              SHA256

                                                                                                              97332596f72bc538f176fddac06e1c2ba40922ee87329d8be32d7ac80127de97

                                                                                                              SHA512

                                                                                                              14301c8b8641e5e19203abfcc17755ccefe2b551c3e6ff235b21ccb17e4ee977a060ed7ee7268c446d86191f271bddcb8a59d22e61e1cf9ff7a46d0ee09dbb99

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\u4d8.1.exe
                                                                                                              Filesize

                                                                                                              4.6MB

                                                                                                              MD5

                                                                                                              397926927bca55be4a77839b1c44de6e

                                                                                                              SHA1

                                                                                                              e10f3434ef3021c399dbba047832f02b3c898dbd

                                                                                                              SHA256

                                                                                                              4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

                                                                                                              SHA512

                                                                                                              cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
                                                                                                              Filesize

                                                                                                              109KB

                                                                                                              MD5

                                                                                                              2afdbe3b99a4736083066a13e4b5d11a

                                                                                                              SHA1

                                                                                                              4d4856cf02b3123ac16e63d4a448cdbcb1633546

                                                                                                              SHA256

                                                                                                              8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee

                                                                                                              SHA512

                                                                                                              d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
                                                                                                              Filesize

                                                                                                              1.2MB

                                                                                                              MD5

                                                                                                              92fbdfccf6a63acef2743631d16652a7

                                                                                                              SHA1

                                                                                                              971968b1378dd89d59d7f84bf92f16fc68664506

                                                                                                              SHA256

                                                                                                              b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72

                                                                                                              SHA512

                                                                                                              b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
                                                                                                              Filesize

                                                                                                              109KB

                                                                                                              MD5

                                                                                                              726cd06231883a159ec1ce28dd538699

                                                                                                              SHA1

                                                                                                              404897e6a133d255ad5a9c26ac6414d7134285a2

                                                                                                              SHA256

                                                                                                              12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46

                                                                                                              SHA512

                                                                                                              9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
                                                                                                              Filesize

                                                                                                              1.2MB

                                                                                                              MD5

                                                                                                              15a42d3e4579da615a384c717ab2109b

                                                                                                              SHA1

                                                                                                              22aeedeb2307b1370cdab70d6a6b6d2c13ad2301

                                                                                                              SHA256

                                                                                                              3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103

                                                                                                              SHA512

                                                                                                              1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe
                                                                                                              Filesize

                                                                                                              541KB

                                                                                                              MD5

                                                                                                              1fc4b9014855e9238a361046cfbf6d66

                                                                                                              SHA1

                                                                                                              c17f18c8246026c9979ab595392a14fe65cc5e9f

                                                                                                              SHA256

                                                                                                              f38c27ecbeed9721f0885d3b2f2f767d60a5d1c0a5c98433357f570987da3e50

                                                                                                              SHA512

                                                                                                              2af234cac24ec4a508693d9affa7f759d4b29bb3c9ddffd9e6350959fd4da26501553399d2b02a8eeae8dace6bfe9b2ce50462ce3c6547497f5b0ea6ed226b12

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe
                                                                                                              Filesize

                                                                                                              304KB

                                                                                                              MD5

                                                                                                              cc90e3326d7b20a33f8037b9aab238e4

                                                                                                              SHA1

                                                                                                              236d173a6ac462d85de4e866439634db3b9eeba3

                                                                                                              SHA256

                                                                                                              bd73ee49a23901f9fb235f8a5b29adc72cc637ad4b62a9760c306900cb1678b7

                                                                                                              SHA512

                                                                                                              b5d197a05a267bf66509b6d976924cd6f5963532a9f9f22d1763701d4fba3dfa971e0058388249409884bc29216fb33a51846562a5650f81d99ce14554861521

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\Pictures\7XOdWfBvqYD2zr7D32WZ5nBW.exe
                                                                                                              Filesize

                                                                                                              378KB

                                                                                                              MD5

                                                                                                              a05eb8eeeb2ec539e4f54ac435ba86bc

                                                                                                              SHA1

                                                                                                              72ed93362d4c17434981cf5fd0e3888c44587dfb

                                                                                                              SHA256

                                                                                                              e57e37490a710106cb78deba4b189fc867b994d4ade9f040dc5486665f549708

                                                                                                              SHA512

                                                                                                              69456e5c0f237820642c8790746866979db14c40099287b6b3409b305a314cafccbe2a443812824096cd5a9dac9a1e6710a8154479cb050a6aa17d3054143201

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\Pictures\GJtEpu5Q82iE8KmlETcVsp6w.exe
                                                                                                              Filesize

                                                                                                              5.1MB

                                                                                                              MD5

                                                                                                              cc0a37140d9f3fbbe28272c2cfb336af

                                                                                                              SHA1

                                                                                                              5a9e7251e38a5bd5f1c2cbf6a2c75b24f76254fa

                                                                                                              SHA256

                                                                                                              3aab7652a97a91a0a606567afc9e093c48fd636dfd4e1e36442c6d82ef1e704b

                                                                                                              SHA512

                                                                                                              9e0cdcc05a47bc37417a9b62219b962b61be818848c5cf71b4549905d0a5996532cd14db147c998bc0e56e727e03ac65e0d4535659b927ca2aeb0efa6b7d7d1c

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\Pictures\GRXoECQKxJbxNqKOr4vjCjCK.exe
                                                                                                              Filesize

                                                                                                              3KB

                                                                                                              MD5

                                                                                                              b508ece0341fdcfe871f46c320f0e568

                                                                                                              SHA1

                                                                                                              bd9b34e65c6c1c8ccf53c43c3612940b85ae324b

                                                                                                              SHA256

                                                                                                              4dc81a270c853848f4de827007cf5f0d4d2858bb78400b0c25d2a20db4c42651

                                                                                                              SHA512

                                                                                                              ae491faa60f3a51500e278da3f812a4ba71245b73974205e71473d7c7e6fff8f9890fe4bcefdd79a1cf1bf48c22735ace824864af518daa81ccb0b74c8e837dc

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\Pictures\HG3hwFlFgpo4DcpBtpS2sIws.exe
                                                                                                              Filesize

                                                                                                              7KB

                                                                                                              MD5

                                                                                                              5b423612b36cde7f2745455c5dd82577

                                                                                                              SHA1

                                                                                                              0187c7c80743b44e9e0c193e993294e3b969cc3d

                                                                                                              SHA256

                                                                                                              e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09

                                                                                                              SHA512

                                                                                                              c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\Pictures\QczTYBqaeUMB72OyxPvWtk3N.exe
                                                                                                              Filesize

                                                                                                              4.1MB

                                                                                                              MD5

                                                                                                              98273a3121a2516cda6f31e67ec2d52f

                                                                                                              SHA1

                                                                                                              01c6990adecce2b1e4794429f478fc3f63baaf83

                                                                                                              SHA256

                                                                                                              1c65e140170310153ba3929cdedecf221ae57e55c79b97fa1a4601f4d97ee988

                                                                                                              SHA512

                                                                                                              c633c87af70740d7d147a62ea91cd7fe8764b816fe7b2a076955d6a35474dd745a2c5d05f39efd32b204e59845914d2e4d571d2440f78bbc6d2ab71491343118

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\Pictures\kwYlaP9uD9LrQoim5vqU1u4e.exe
                                                                                                              Filesize

                                                                                                              4.3MB

                                                                                                              MD5

                                                                                                              858bb0a3b4fa6a54586402e3ee117076

                                                                                                              SHA1

                                                                                                              997c31f043347883ea5ed2323a558b6cc5ea9c8e

                                                                                                              SHA256

                                                                                                              d97a7fc44bf341b9b2b2e65b46dab4f7d329afe15b4308b5aa56d5bfd7b99d35

                                                                                                              SHA512

                                                                                                              e8374b115f056b5d345c9b5f9c42b3d49e0640d7fad869448f686add6e52b783ecc7fd35ee15a67b944843491a91becf5b7c0bd5603eda01042dd2904c1ad8fd

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\Pictures\sBQBvSsSDy0nlGEPLWZcnRx8.exe
                                                                                                              Filesize

                                                                                                              437KB

                                                                                                              MD5

                                                                                                              7960d8afbbac06f216cceeb1531093bb

                                                                                                              SHA1

                                                                                                              008221bf66a0749447cffcb86f2d1ec80e23fc76

                                                                                                              SHA256

                                                                                                              f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84

                                                                                                              SHA512

                                                                                                              35d12e81eb892aeb2237049beca61a81469dea5b1c9b7a0b9f49fbf95a95c756509d9e76c732fb10b504f9f9692e1fbe83ea2fd09d791f793a928c01974b8147

                                                                                                              Download Submit
                                                                                                            • C:\Users\Admin\Pictures\zb1MI8XA7oVtC7SdlSRkuPkB.exe
                                                                                                              Filesize

                                                                                                              3KB

                                                                                                              MD5

                                                                                                              4ec1e99d3e9e4e5fcc0a346be8589f80

                                                                                                              SHA1

                                                                                                              aaca4178e744116de5e5c3b989f54851d1acd8ba

                                                                                                              SHA256

                                                                                                              5ee377ba52e67430f0d0f486869d76e0b12a68831c598b502b720c1bfb09965c

                                                                                                              SHA512

                                                                                                              8041896b4a2531e7db0714a3477f61bc9383b5595b01183c0cf478d3f75a85f818c9ec6f2dc0e303cec034ce5096af4cba9c64247f439c16c7a4f3b4cabeb749

                                                                                                              Download Submit
                                                                                                            • C:\Windows\System32\GroupPolicy\gpt.ini
                                                                                                              Filesize

                                                                                                              127B

                                                                                                              MD5

                                                                                                              8ef9853d1881c5fe4d681bfb31282a01

                                                                                                              SHA1

                                                                                                              a05609065520e4b4e553784c566430ad9736f19f

                                                                                                              SHA256

                                                                                                              9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

                                                                                                              SHA512

                                                                                                              5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

                                                                                                              Download Submit
                                                                                                            • \??\pipe\LOCAL\crashpad_1484_EGBEDJGEJCPFJUGD
                                                                                                              MD5

                                                                                                              d41d8cd98f00b204e9800998ecf8427e

                                                                                                              SHA1

                                                                                                              da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                                                                              SHA256

                                                                                                              e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                                                                              SHA512

                                                                                                              cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                                                                              Download Submit
                                                                                                            • memory/232-365-0x00000000005E0000-0x00000000009AC000-memory.dmp
                                                                                                              Filesize

                                                                                                              3.8MB

                                                                                                              Download
                                                                                                            • memory/232-364-0x00000000005E0000-0x00000000009AC000-memory.dmp
                                                                                                              Filesize

                                                                                                              3.8MB

                                                                                                              Download
                                                                                                            • memory/232-53-0x00000000005E0000-0x00000000009AC000-memory.dmp
                                                                                                              Filesize

                                                                                                              3.8MB

                                                                                                              Download
                                                                                                            • memory/232-52-0x00000000005E0000-0x00000000009AC000-memory.dmp
                                                                                                              Filesize

                                                                                                              3.8MB

                                                                                                              Download
                                                                                                            • memory/232-428-0x00000000005E0000-0x00000000009AC000-memory.dmp
                                                                                                              Filesize

                                                                                                              3.8MB

                                                                                                              Download
                                                                                                            • memory/232-691-0x00000000005E0000-0x00000000009AC000-memory.dmp
                                                                                                              Filesize

                                                                                                              3.8MB

                                                                                                              Download
                                                                                                            • memory/232-403-0x00000000005E0000-0x00000000009AC000-memory.dmp
                                                                                                              Filesize

                                                                                                              3.8MB

                                                                                                              Download
                                                                                                            • memory/232-503-0x00000000005E0000-0x00000000009AC000-memory.dmp
                                                                                                              Filesize

                                                                                                              3.8MB

                                                                                                              Download
                                                                                                            • memory/232-430-0x00000000005E0000-0x00000000009AC000-memory.dmp
                                                                                                              Filesize

                                                                                                              3.8MB

                                                                                                              Download
                                                                                                            • memory/652-23-0x0000000000980000-0x0000000000E40000-memory.dmp
                                                                                                              Filesize

                                                                                                              4.8MB

                                                                                                              Download
                                                                                                            • memory/652-27-0x0000000004EB0000-0x0000000004EB1000-memory.dmp
                                                                                                              Filesize

                                                                                                              4KB

                                                                                                              Download
                                                                                                            • memory/652-25-0x0000000004EC0000-0x0000000004EC1000-memory.dmp
                                                                                                              Filesize

                                                                                                              4KB

                                                                                                              Download
                                                                                                            • memory/652-429-0x0000000000980000-0x0000000000E40000-memory.dmp
                                                                                                              Filesize

                                                                                                              4.8MB

                                                                                                              Download
                                                                                                            • memory/652-24-0x0000000000980000-0x0000000000E40000-memory.dmp
                                                                                                              Filesize

                                                                                                              4.8MB

                                                                                                              Download
                                                                                                            • memory/652-431-0x0000000000980000-0x0000000000E40000-memory.dmp
                                                                                                              Filesize

                                                                                                              4.8MB

                                                                                                              Download
                                                                                                            • memory/652-26-0x0000000004ED0000-0x0000000004ED1000-memory.dmp
                                                                                                              Filesize

                                                                                                              4KB

                                                                                                              Download
                                                                                                            • memory/652-811-0x0000000000980000-0x0000000000E40000-memory.dmp
                                                                                                              Filesize

                                                                                                              4.8MB

                                                                                                              Download
                                                                                                            • memory/652-418-0x0000000000980000-0x0000000000E40000-memory.dmp
                                                                                                              Filesize

                                                                                                              4.8MB

                                                                                                              Download
                                                                                                            • memory/652-339-0x0000000000980000-0x0000000000E40000-memory.dmp
                                                                                                              Filesize

                                                                                                              4.8MB

                                                                                                              Download
                                                                                                            • memory/652-28-0x0000000004F00000-0x0000000004F01000-memory.dmp
                                                                                                              Filesize

                                                                                                              4KB

                                                                                                              Download
                                                                                                            • memory/652-30-0x0000000004EA0000-0x0000000004EA1000-memory.dmp
                                                                                                              Filesize

                                                                                                              4KB

                                                                                                              Download
                                                                                                            • memory/652-31-0x0000000004EF0000-0x0000000004EF1000-memory.dmp
                                                                                                              Filesize

                                                                                                              4KB

                                                                                                              Download
                                                                                                            • memory/652-596-0x0000000000980000-0x0000000000E40000-memory.dmp
                                                                                                              Filesize

                                                                                                              4.8MB

                                                                                                              Download
                                                                                                            • memory/652-29-0x0000000004E90000-0x0000000004E91000-memory.dmp
                                                                                                              Filesize

                                                                                                              4KB

                                                                                                              Download
                                                                                                            • memory/652-253-0x0000000000980000-0x0000000000E40000-memory.dmp
                                                                                                              Filesize

                                                                                                              4.8MB

                                                                                                              Download
                                                                                                            • memory/652-392-0x0000000000980000-0x0000000000E40000-memory.dmp
                                                                                                              Filesize

                                                                                                              4.8MB

                                                                                                              Download
                                                                                                            • memory/652-32-0x0000000004F20000-0x0000000004F21000-memory.dmp
                                                                                                              Filesize

                                                                                                              4KB

                                                                                                              Download
                                                                                                            • memory/652-33-0x0000000004F10000-0x0000000004F11000-memory.dmp
                                                                                                              Filesize

                                                                                                              4KB

                                                                                                              Download
                                                                                                            • memory/1736-9-0x0000000004CE0000-0x0000000004CE1000-memory.dmp
                                                                                                              Filesize

                                                                                                              4KB

                                                                                                              Download
                                                                                                            • memory/1736-6-0x0000000004CC0000-0x0000000004CC1000-memory.dmp
                                                                                                              Filesize

                                                                                                              4KB

                                                                                                              Download
                                                                                                            • memory/1736-1-0x0000000077B46000-0x0000000077B48000-memory.dmp
                                                                                                              Filesize

                                                                                                              8KB

                                                                                                              Download
                                                                                                            • memory/1736-2-0x0000000000E00000-0x00000000012C0000-memory.dmp
                                                                                                              Filesize

                                                                                                              4.8MB

                                                                                                              Download
                                                                                                            • memory/1736-7-0x0000000004C60000-0x0000000004C61000-memory.dmp
                                                                                                              Filesize

                                                                                                              4KB

                                                                                                              Download
                                                                                                            • memory/1736-21-0x0000000000E00000-0x00000000012C0000-memory.dmp
                                                                                                              Filesize

                                                                                                              4.8MB

                                                                                                              Download
                                                                                                            • memory/1736-10-0x0000000004CD0000-0x0000000004CD1000-memory.dmp
                                                                                                              Filesize

                                                                                                              4KB

                                                                                                              Download
                                                                                                            • memory/1736-3-0x0000000004C90000-0x0000000004C91000-memory.dmp
                                                                                                              Filesize

                                                                                                              4KB

                                                                                                              Download
                                                                                                            • memory/1736-4-0x0000000004CA0000-0x0000000004CA1000-memory.dmp
                                                                                                              Filesize

                                                                                                              4KB

                                                                                                              Download
                                                                                                            • memory/1736-5-0x0000000004C80000-0x0000000004C81000-memory.dmp
                                                                                                              Filesize

                                                                                                              4KB

                                                                                                              Download
                                                                                                            • memory/1736-8-0x0000000004C70000-0x0000000004C71000-memory.dmp
                                                                                                              Filesize

                                                                                                              4KB

                                                                                                              Download
                                                                                                            • memory/1736-0-0x0000000000E00000-0x00000000012C0000-memory.dmp
                                                                                                              Filesize

                                                                                                              4.8MB

                                                                                                              Download
                                                                                                            • memory/2580-346-0x0000023EAA4F0000-0x0000023EAA512000-memory.dmp
                                                                                                              Filesize

                                                                                                              136KB

                                                                                                              Download
                                                                                                            • memory/2580-357-0x0000023EAA750000-0x0000023EAA75A000-memory.dmp
                                                                                                              Filesize

                                                                                                              40KB

                                                                                                              Download
                                                                                                            • memory/2580-356-0x0000023EAA860000-0x0000023EAA872000-memory.dmp
                                                                                                              Filesize

                                                                                                              72KB

                                                                                                              Download
                                                                                                            • memory/2580-351-0x0000023E92400000-0x0000023E92410000-memory.dmp
                                                                                                              Filesize

                                                                                                              64KB

                                                                                                              Download
                                                                                                            • memory/2580-347-0x0000023E92400000-0x0000023E92410000-memory.dmp
                                                                                                              Filesize

                                                                                                              64KB

                                                                                                              Download
                                                                                                            • memory/2580-362-0x00007FFE6B6F0000-0x00007FFE6C1B2000-memory.dmp
                                                                                                              Filesize

                                                                                                              10.8MB

                                                                                                              Download
                                                                                                            • memory/2580-340-0x00007FFE6B6F0000-0x00007FFE6C1B2000-memory.dmp
                                                                                                              Filesize

                                                                                                              10.8MB

                                                                                                              Download
                                                                                                            • memory/4988-483-0x0000000000780000-0x0000000000B4C000-memory.dmp
                                                                                                              Filesize

                                                                                                              3.8MB

                                                                                                              Download
                                                                                                            • memory/4988-482-0x0000000000780000-0x0000000000B4C000-memory.dmp
                                                                                                              Filesize

                                                                                                              3.8MB

                                                                                                              Download
                                                                                                            • memory/4988-692-0x0000000000780000-0x0000000000B4C000-memory.dmp
                                                                                                              Filesize

                                                                                                              3.8MB

                                                                                                              Download
                                                                                                            • memory/5140-628-0x0000000000B90000-0x0000000001050000-memory.dmp
                                                                                                              Filesize

                                                                                                              4.8MB

                                                                                                              Download
                                                                                                            • memory/5300-447-0x00000000054F0000-0x00000000054F1000-memory.dmp
                                                                                                              Filesize

                                                                                                              4KB

                                                                                                              Download
                                                                                                            • memory/5300-451-0x00000000054C0000-0x00000000054C1000-memory.dmp
                                                                                                              Filesize

                                                                                                              4KB

                                                                                                              Download
                                                                                                            • memory/5300-460-0x0000000005550000-0x0000000005551000-memory.dmp
                                                                                                              Filesize

                                                                                                              4KB

                                                                                                              Download
                                                                                                            • memory/5300-448-0x0000000005500000-0x0000000005501000-memory.dmp
                                                                                                              Filesize

                                                                                                              4KB

                                                                                                              Download
                                                                                                            • memory/5300-461-0x0000000005540000-0x0000000005541000-memory.dmp
                                                                                                              Filesize

                                                                                                              4KB

                                                                                                              Download
                                                                                                            • memory/5300-626-0x00000000005B0000-0x0000000000A5F000-memory.dmp
                                                                                                              Filesize

                                                                                                              4.7MB

                                                                                                              Download
                                                                                                            • memory/5300-449-0x00000000054E0000-0x00000000054E1000-memory.dmp
                                                                                                              Filesize

                                                                                                              4KB

                                                                                                              Download
                                                                                                            • memory/5300-443-0x00000000005B0000-0x0000000000A5F000-memory.dmp
                                                                                                              Filesize

                                                                                                              4.7MB

                                                                                                              Download
                                                                                                            • memory/5300-450-0x0000000005520000-0x0000000005521000-memory.dmp
                                                                                                              Filesize

                                                                                                              4KB

                                                                                                              Download
                                                                                                            • memory/5300-446-0x00000000005B0000-0x0000000000A5F000-memory.dmp
                                                                                                              Filesize

                                                                                                              4.7MB

                                                                                                              Download
                                                                                                            • memory/5300-452-0x00000000054D0000-0x00000000054D1000-memory.dmp
                                                                                                              Filesize

                                                                                                              4KB

                                                                                                              Download
                                                                                                            • memory/5396-454-0x0000000005370000-0x0000000005371000-memory.dmp
                                                                                                              Filesize

                                                                                                              4KB

                                                                                                              Download
                                                                                                            • memory/5396-453-0x0000000005360000-0x0000000005361000-memory.dmp
                                                                                                              Filesize

                                                                                                              4KB

                                                                                                              Download
                                                                                                            • memory/5396-456-0x0000000005390000-0x0000000005391000-memory.dmp
                                                                                                              Filesize

                                                                                                              4KB

                                                                                                              Download
                                                                                                            • memory/5396-455-0x0000000005350000-0x0000000005351000-memory.dmp
                                                                                                              Filesize

                                                                                                              4KB

                                                                                                              Download
                                                                                                            • memory/5396-462-0x0000000000980000-0x0000000000E40000-memory.dmp
                                                                                                              Filesize

                                                                                                              4.8MB

                                                                                                              Download
                                                                                                            • memory/5396-445-0x0000000000980000-0x0000000000E40000-memory.dmp
                                                                                                              Filesize

                                                                                                              4.8MB

                                                                                                              Download
                                                                                                            • memory/5396-458-0x0000000005340000-0x0000000005341000-memory.dmp
                                                                                                              Filesize

                                                                                                              4KB

                                                                                                              Download
                                                                                                            • memory/5396-459-0x0000000000980000-0x0000000000E40000-memory.dmp
                                                                                                              Filesize

                                                                                                              4.8MB

                                                                                                              Download
                                                                                                            • memory/5396-457-0x0000000005330000-0x0000000005331000-memory.dmp
                                                                                                              Filesize

                                                                                                              4KB

                                                                                                              Download
                                                                                                            • memory/5496-261-0x0000000004AD0000-0x0000000004AD1000-memory.dmp
                                                                                                              Filesize

                                                                                                              4KB

                                                                                                              Download
                                                                                                            • memory/5496-308-0x0000000004B70000-0x0000000004B71000-memory.dmp
                                                                                                              Filesize

                                                                                                              4KB

                                                                                                              Download
                                                                                                            • memory/5496-257-0x0000000000EF0000-0x000000000139F000-memory.dmp
                                                                                                              Filesize

                                                                                                              4.7MB

                                                                                                              Download
                                                                                                            • memory/5496-258-0x0000000004B00000-0x0000000004B01000-memory.dmp
                                                                                                              Filesize

                                                                                                              4KB

                                                                                                              Download
                                                                                                            • memory/5496-259-0x0000000004AF0000-0x0000000004AF1000-memory.dmp
                                                                                                              Filesize

                                                                                                              4KB

                                                                                                              Download
                                                                                                            • memory/5496-263-0x0000000004B30000-0x0000000004B31000-memory.dmp
                                                                                                              Filesize

                                                                                                              4KB

                                                                                                              Download
                                                                                                            • memory/5496-264-0x0000000000EF0000-0x000000000139F000-memory.dmp
                                                                                                              Filesize

                                                                                                              4.7MB

                                                                                                              Download
                                                                                                            • memory/5496-262-0x0000000004AE0000-0x0000000004AE1000-memory.dmp
                                                                                                              Filesize

                                                                                                              4KB

                                                                                                              Download
                                                                                                            • memory/5496-260-0x0000000004B50000-0x0000000004B51000-memory.dmp
                                                                                                              Filesize

                                                                                                              4KB

                                                                                                              Download
                                                                                                            • memory/5496-313-0x0000000000EF0000-0x000000000139F000-memory.dmp
                                                                                                              Filesize

                                                                                                              4.7MB

                                                                                                              Download
                                                                                                            • memory/5496-309-0x0000000004B60000-0x0000000004B61000-memory.dmp
                                                                                                              Filesize

                                                                                                              4KB

                                                                                                              Download
                                                                                                            • memory/5628-825-0x0000000005790000-0x00000000059A6000-memory.dmp
                                                                                                              Filesize

                                                                                                              2.1MB

                                                                                                              Download
                                                                                                            • memory/5628-874-0x0000000005790000-0x00000000059A6000-memory.dmp
                                                                                                              Filesize

                                                                                                              2.1MB

                                                                                                              Download
                                                                                                            • memory/5628-836-0x0000000005790000-0x00000000059A6000-memory.dmp
                                                                                                              Filesize

                                                                                                              2.1MB

                                                                                                              Download
                                                                                                            • memory/5628-834-0x0000000005790000-0x00000000059A6000-memory.dmp
                                                                                                              Filesize

                                                                                                              2.1MB

                                                                                                              Download
                                                                                                            • memory/5628-830-0x0000000005790000-0x00000000059A6000-memory.dmp
                                                                                                              Filesize

                                                                                                              2.1MB

                                                                                                              Download
                                                                                                            • memory/5628-828-0x0000000005790000-0x00000000059A6000-memory.dmp
                                                                                                              Filesize

                                                                                                              2.1MB

                                                                                                              Download
                                                                                                            • memory/5628-840-0x0000000005790000-0x00000000059A6000-memory.dmp
                                                                                                              Filesize

                                                                                                              2.1MB

                                                                                                              Download
                                                                                                            • memory/5628-822-0x0000000005790000-0x00000000059A6000-memory.dmp
                                                                                                              Filesize

                                                                                                              2.1MB

                                                                                                              Download
                                                                                                            • memory/5628-820-0x0000000005790000-0x00000000059A6000-memory.dmp
                                                                                                              Filesize

                                                                                                              2.1MB

                                                                                                              Download
                                                                                                            • memory/5628-818-0x0000000005790000-0x00000000059A6000-memory.dmp
                                                                                                              Filesize

                                                                                                              2.1MB

                                                                                                              Download
                                                                                                            • memory/5628-816-0x0000000005790000-0x00000000059A6000-memory.dmp
                                                                                                              Filesize

                                                                                                              2.1MB

                                                                                                              Download
                                                                                                            • memory/5628-814-0x0000000005790000-0x00000000059A6000-memory.dmp
                                                                                                              Filesize

                                                                                                              2.1MB

                                                                                                              Download
                                                                                                            • memory/5628-813-0x0000000005790000-0x00000000059A6000-memory.dmp
                                                                                                              Filesize

                                                                                                              2.1MB

                                                                                                              Download
                                                                                                            • memory/5628-851-0x0000000005790000-0x00000000059A6000-memory.dmp
                                                                                                              Filesize

                                                                                                              2.1MB

                                                                                                              Download
                                                                                                            • memory/5628-838-0x0000000005790000-0x00000000059A6000-memory.dmp
                                                                                                              Filesize

                                                                                                              2.1MB

                                                                                                              Download
                                                                                                            • memory/5628-882-0x0000000005790000-0x00000000059A6000-memory.dmp
                                                                                                              Filesize

                                                                                                              2.1MB

                                                                                                              Download
                                                                                                            • memory/5628-880-0x0000000005790000-0x00000000059A6000-memory.dmp
                                                                                                              Filesize

                                                                                                              2.1MB

                                                                                                              Download
                                                                                                            • memory/5628-878-0x0000000005790000-0x00000000059A6000-memory.dmp
                                                                                                              Filesize

                                                                                                              2.1MB

                                                                                                              Download
                                                                                                            • memory/5628-876-0x0000000005790000-0x00000000059A6000-memory.dmp
                                                                                                              Filesize

                                                                                                              2.1MB

                                                                                                              Download
                                                                                                            • memory/5628-884-0x0000000005790000-0x00000000059A6000-memory.dmp
                                                                                                              Filesize

                                                                                                              2.1MB

                                                                                                              Download
                                                                                                            • memory/5628-872-0x0000000005790000-0x00000000059A6000-memory.dmp
                                                                                                              Filesize

                                                                                                              2.1MB

                                                                                                              Download
                                                                                                            • memory/5628-869-0x0000000005790000-0x00000000059A6000-memory.dmp
                                                                                                              Filesize

                                                                                                              2.1MB

                                                                                                              Download
                                                                                                            • memory/5628-861-0x0000000005790000-0x00000000059A6000-memory.dmp
                                                                                                              Filesize

                                                                                                              2.1MB

                                                                                                              Download
                                                                                                            • memory/5828-504-0x0000000000E60000-0x000000000101C000-memory.dmp
                                                                                                              Filesize

                                                                                                              1.7MB

                                                                                                              Download
                                                                                                            • memory/5940-518-0x0000000000400000-0x0000000000592000-memory.dmp
                                                                                                              Filesize

                                                                                                              1.6MB

                                                                                                              Download