amadey | 87ccb95b8f560ac61f574a7fc0f2506ec6cf522a4dddd285eb9877acb30b166c

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01-04-2024 12:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87ccb95b8f560ac61f574a7fc0f2506ec6cf522a4dddd285eb9877acb30b166c.exe
Size

1.8MB
MD5

5d09d77fa64cc1422dc52ea1e6255242
SHA1

3590074f02b0c2ba8f2cc9c67a16ff7eecac0552
SHA256

87ccb95b8f560ac61f574a7fc0f2506ec6cf522a4dddd285eb9877acb30b166c
SHA512

831938948059b1b9275a553f5a5cf7c93540ec92fc205de1ee46162b191c6ed69bf050da756f334379437f09544e9c1db5268f93c5e8bab2ef88679b4844bb35
SSDEEP

49152:u/Le/T16hUald7ha88QtyZ0SsA/UD4FmXEUGNSBxW2e9XSXU:u/cTIl488Qtu0SsAsD4UL1OXSXU

Score

10^/10

amadey glupteba redline risepro zgrat @oleh_psp jok123 livetraffic dropper evasion infostealer loader rat stealer themida trojan

Malware Config

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

install_dir
00c07260dc
install_file
explorgu.exe
strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Extracted

Family

redline

Botnet

Jok123

185.215.113.67:26260

Extracted

Family

redline

Botnet

@OLEH_PSP

185.172.128.33:8970

Extracted

Family

redline

Botnet

LiveTraffic

4.185.137.132:1632

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe	family_zgrat_v1
behavioral1/memory/4436-89-0x0000000000570000-0x00000000005F2000-memory.dmp	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe	family_zgrat_v1
behavioral1/memory/4712-154-0x0000000000370000-0x00000000003EA000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5428-641-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/5524-655-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/5320-675-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/5320-763-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/5428-774-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/5524-804-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 9 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe	family_redline
behavioral1/memory/4232-65-0x0000000000410000-0x0000000000460000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe	family_redline
behavioral1/memory/4436-89-0x0000000000570000-0x00000000005F2000-memory.dmp	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe	family_redline
behavioral1/memory/3336-156-0x00000000009C0000-0x0000000000A12000-memory.dmp	family_redline
behavioral1/memory/4508-171-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline
behavioral1/memory/4464-203-0x0000000000280000-0x000000000030C000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

explorgu.exe87ccb95b8f560ac61f574a7fc0f2506ec6cf522a4dddd285eb9877acb30b166c.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorgu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	87ccb95b8f560ac61f574a7fc0f2506ec6cf522a4dddd285eb9877acb30b166c.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

87ccb95b8f560ac61f574a7fc0f2506ec6cf522a4dddd285eb9877acb30b166c.exeexplorgu.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	87ccb95b8f560ac61f574a7fc0f2506ec6cf522a4dddd285eb9877acb30b166c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	87ccb95b8f560ac61f574a7fc0f2506ec6cf522a4dddd285eb9877acb30b166c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorgu.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorgu.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	explorgu.exe

Executes dropped EXE 4 IoCs

Processes:

explorgu.exealex1234.exeredlinepanel.exe32456.exe

pid process

720 explorgu.exe
2264 alex1234.exe
4232 redlinepanel.exe
4436 32456.exe

pid	process
720	explorgu.exe
2264	alex1234.exe
4232	redlinepanel.exe
4436	32456.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

87ccb95b8f560ac61f574a7fc0f2506ec6cf522a4dddd285eb9877acb30b166c.exeexplorgu.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Wine	87ccb95b8f560ac61f574a7fc0f2506ec6cf522a4dddd285eb9877acb30b166c.exe
Key opened	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Wine	explorgu.exe

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\2Ozc53aT1p4LCg5tM2A5FirN.exe	themida
behavioral1/memory/5912-657-0x00007FF63A050000-0x00007FF63AE2B000-memory.dmp	themida
behavioral1/memory/5912-695-0x00007FF63A050000-0x00007FF63AE2B000-memory.dmp	themida
behavioral1/memory/5912-733-0x00007FF63A050000-0x00007FF63AE2B000-memory.dmp	themida
behavioral1/memory/5912-743-0x00007FF63A050000-0x00007FF63AE2B000-memory.dmp	themida
behavioral1/memory/5912-758-0x00007FF63A050000-0x00007FF63AE2B000-memory.dmp	themida
behavioral1/memory/5912-772-0x00007FF63A050000-0x00007FF63AE2B000-memory.dmp	themida

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

59 pastebin.com
60 pastebin.com
174 pastebin.com
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

167 api.myip.com
169 api.myip.com
176 ipinfo.io
177 ipinfo.io

flow	ioc
59	pastebin.com
60	pastebin.com
174	pastebin.com

flow	ioc
167	api.myip.com
169	api.myip.com
176	ipinfo.io
177	ipinfo.io

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1001082001\go.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

87ccb95b8f560ac61f574a7fc0f2506ec6cf522a4dddd285eb9877acb30b166c.exeexplorgu.exe

pid process

2864 87ccb95b8f560ac61f574a7fc0f2506ec6cf522a4dddd285eb9877acb30b166c.exe
720 explorgu.exe
Drops file in Windows directory 1 IoCs

Processes:

87ccb95b8f560ac61f574a7fc0f2506ec6cf522a4dddd285eb9877acb30b166c.exe

description ioc process

File created C:\Windows\Tasks\explorgu.job 87ccb95b8f560ac61f574a7fc0f2506ec6cf522a4dddd285eb9877acb30b166c.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Tasks\explorgu.job	87ccb95b8f560ac61f574a7fc0f2506ec6cf522a4dddd285eb9877acb30b166c.exe

Program crash 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3956	1656	WerFault.exe	swiiiii.exe
2272	2184	WerFault.exe	koooooo.exe
6712	5872	WerFault.exe	lwq7kncrC3D95UBJYyqKLP19.exe
6864	5144	WerFault.exe	T2zwe9E00J1Ukjv7VpEwlltI.exe
5676	6420	WerFault.exe	RegAsm.exe
6508	6420	WerFault.exe	RegAsm.exe
3732	6788	WerFault.exe	lO5loEzGId6kD5lbP2nRQl8w.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

3752 schtasks.exe
5924 schtasks.exe
3392 schtasks.exe

pid	process
3752	schtasks.exe
5924	schtasks.exe
3392	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

87ccb95b8f560ac61f574a7fc0f2506ec6cf522a4dddd285eb9877acb30b166c.exeexplorgu.exe

pid	process
2864	87ccb95b8f560ac61f574a7fc0f2506ec6cf522a4dddd285eb9877acb30b166c.exe
2864	87ccb95b8f560ac61f574a7fc0f2506ec6cf522a4dddd285eb9877acb30b166c.exe
720	explorgu.exe
720	explorgu.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

32456.exe

description pid process

Token: SeDebugPrivilege 4436 32456.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

87ccb95b8f560ac61f574a7fc0f2506ec6cf522a4dddd285eb9877acb30b166c.exe

pid process

2864 87ccb95b8f560ac61f574a7fc0f2506ec6cf522a4dddd285eb9877acb30b166c.exe

description	pid	process
Token: SeDebugPrivilege	4436	32456.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

explorgu.exe

description	pid	process	target process
PID 720 wrote to memory of 2264	720	explorgu.exe	alex1234.exe
PID 720 wrote to memory of 2264	720	explorgu.exe	alex1234.exe
PID 720 wrote to memory of 2264	720	explorgu.exe	alex1234.exe
PID 720 wrote to memory of 4232	720	explorgu.exe	redlinepanel.exe
PID 720 wrote to memory of 4232	720	explorgu.exe	redlinepanel.exe
PID 720 wrote to memory of 4232	720	explorgu.exe	redlinepanel.exe
PID 720 wrote to memory of 4436	720	explorgu.exe	32456.exe
PID 720 wrote to memory of 4436	720	explorgu.exe	32456.exe

C:\Users\Admin\AppData\Local\Temp\87ccb95b8f560ac61f574a7fc0f2506ec6cf522a4dddd285eb9877acb30b166c.exe
"C:\Users\Admin\AppData\Local\Temp\87ccb95b8f560ac61f574a7fc0f2506ec6cf522a4dddd285eb9877acb30b166c.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2864

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:720
- C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe
  "C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe"
  2⤵
  - Executes dropped EXE
  PID:2264
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:3604
  - - C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe
      "C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"
      4⤵
      PID:4464
  - - C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe
      "C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"
      4⤵
      PID:3336
- C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe
  "C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe"
  2⤵
  - Executes dropped EXE
  PID:4232
- C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe
  "C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4436
- C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe
  "C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe"
  2⤵
  PID:4712
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4508
- C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
  "C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe"
  2⤵
  PID:3688
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:3392
- - C:\Users\Admin\AppData\Local\Temp\1000183001\Uni400uni.exe
    "C:\Users\Admin\AppData\Local\Temp\1000183001\Uni400uni.exe"
    3⤵
    PID:2356
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
      4⤵
      PID:3944
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
      4⤵
      PID:4532
    - - C:\Users\Admin\Pictures\T2zwe9E00J1Ukjv7VpEwlltI.exe
        
        "C:\Users\Admin\Pictures\T2zwe9E00J1Ukjv7VpEwlltI.exe"
        5⤵
        
        PID:5144
      - C:\Users\Admin\AppData\Local\Temp\u3yw.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u3yw.0.exe"
        6⤵
        
        PID:5092
      - C:\Users\Admin\AppData\Local\Temp\u3yw.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u3yw.1.exe"
        6⤵
        
        PID:6612
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 1444
        6⤵
        Program crash
        
        PID:6864
    - - C:\Users\Admin\Pictures\PMfuf8WfqJ2q8IY4CZ6PhbWy.exe
        
        "C:\Users\Admin\Pictures\PMfuf8WfqJ2q8IY4CZ6PhbWy.exe"
        5⤵
        
        PID:5320
    - - C:\Users\Admin\Pictures\Mx5YIBPHaqla91UMyWIqudUc.exe
        
        "C:\Users\Admin\Pictures\Mx5YIBPHaqla91UMyWIqudUc.exe"
        5⤵
        
        PID:5428
    - - C:\Users\Admin\Pictures\rUOwKLKprsQQA5LOPHcWfB35.exe
        
        "C:\Users\Admin\Pictures\rUOwKLKprsQQA5LOPHcWfB35.exe"
        5⤵
        
        PID:5524
    - - C:\Users\Admin\Pictures\lwq7kncrC3D95UBJYyqKLP19.exe
        
        "C:\Users\Admin\Pictures\lwq7kncrC3D95UBJYyqKLP19.exe"
        5⤵
        
        PID:5872
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6420 -s 616
        7⤵
        Program crash
        
        PID:5676
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6420 -s 588
        7⤵
        Program crash
        
        PID:6508
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5872 -s 852
        6⤵
        Program crash
        
        PID:6712
    - - C:\Users\Admin\Pictures\2Ozc53aT1p4LCg5tM2A5FirN.exe
        
        "C:\Users\Admin\Pictures\2Ozc53aT1p4LCg5tM2A5FirN.exe"
        5⤵
        
        PID:5912
    - - C:\Users\Admin\Pictures\a9oYDmB2oTo4g4O2IF6jec99.exe
        
        "C:\Users\Admin\Pictures\a9oYDmB2oTo4g4O2IF6jec99.exe" --silent --allusers=0
        5⤵
        
        PID:3512
      - C:\Users\Admin\Pictures\a9oYDmB2oTo4g4O2IF6jec99.exe
        
        C:\Users\Admin\Pictures\a9oYDmB2oTo4g4O2IF6jec99.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x29c,0x2a0,0x2a4,0x298,0x2a8,0x6ac8e1d0,0x6ac8e1dc,0x6ac8e1e8
        6⤵
        
        PID:6400
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\a9oYDmB2oTo4g4O2IF6jec99.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\a9oYDmB2oTo4g4O2IF6jec99.exe" --version
        6⤵
        
        PID:6624
      - C:\Users\Admin\Pictures\a9oYDmB2oTo4g4O2IF6jec99.exe
        
        "C:\Users\Admin\Pictures\a9oYDmB2oTo4g4O2IF6jec99.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=3512 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240401122952" --session-guid=efac9116-2995-4f2e-89aa-238cafcc532a --server-tracking-blob=ODg5MzI1NTJlNjM2NGMyODljMGM2MWY1NjUwOGRhMmIzZjcxMjIxYmUxNWQxYjM5NmJiZWI0NGUxYWM5OTY4MTp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N18xMjMiLCJzeXN0ZW0iOnsicGxhdGZvcm0iOnsiYXJjaCI6Ing4Nl82NCIsIm9wc3lzIjoiV2luZG93cyIsIm9wc3lzLXZlcnNpb24iOiIxMCIsInBhY2thZ2UiOiJFWEUifX0sInRpbWVzdGFtcCI6IjE3MTE5NzQ1NjkuMDIwNSIsInV0bSI6eyJjYW1wYWlnbiI6Ijc2N18xMjMiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJta3QifSwidXVpZCI6IjU4NWZhNzEyLTliNjktNDg4Mi1iMzNhLTNjNTlhYjkzZmRjNiJ9 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=1404000000000000
        6⤵
        
        PID:6512
        
        C:\Users\Admin\Pictures\a9oYDmB2oTo4g4O2IF6jec99.exe
        
        C:\Users\Admin\Pictures\a9oYDmB2oTo4g4O2IF6jec99.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x298,0x2a8,0x2ac,0x274,0x2b0,0x6a30e1d0,0x6a30e1dc,0x6a30e1e8
        7⤵
        
        PID:6456
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404011229521\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404011229521\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
        6⤵
        
        PID:6508
    - - C:\Users\Admin\Pictures\yC9HIRXw85QxCbiA4yHRLr0L.exe
        
        "C:\Users\Admin\Pictures\yC9HIRXw85QxCbiA4yHRLr0L.exe"
        5⤵
        
        PID:6356
      - C:\Users\Admin\AppData\Local\Temp\7zSD414.tmp\Install.exe
        
        .\Install.exe
        6⤵
        
        PID:5308
        
        C:\Users\Admin\AppData\Local\Temp\7zSEEFF.tmp\Install.exe
        
        .\Install.exe /PlndidlazL "385118" /S
        7⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        8⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        8⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gOczFQYNW" /SC once /ST 11:21:24 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        8⤵
        Creates scheduled task(s)
        
        PID:3752
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gOczFQYNW"
        8⤵
        
        PID:6676
    - - C:\Users\Admin\Pictures\9ZAVFrDoQb7FDNPNFFQJx7Q4.exe
        
        "C:\Users\Admin\Pictures\9ZAVFrDoQb7FDNPNFFQJx7Q4.exe"
        5⤵
        
        PID:6440
      - C:\Users\Admin\AppData\Local\Temp\7zSDB09.tmp\Install.exe
        
        .\Install.exe
        6⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\7zSEC3F.tmp\Install.exe
        
        .\Install.exe /PlndidlazL "385118" /S
        7⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        8⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        9⤵
        
        PID:6912
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        10⤵
        
        PID:3160
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        10⤵
        
        PID:184
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        8⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gnqfOsvDa" /SC once /ST 02:23:46 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        8⤵
        Creates scheduled task(s)
        
        PID:5924
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gnqfOsvDa"
        8⤵
        
        PID:3976
- C:\Users\Admin\AppData\Local\Temp\1001073001\swiiiii.exe
  "C:\Users\Admin\AppData\Local\Temp\1001073001\swiiiii.exe"
  2⤵
  PID:1656
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:1548
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 868
    3⤵
    - Program crash
    PID:3956
- C:\Users\Admin\AppData\Local\Temp\1001078001\koooooo.exe
  "C:\Users\Admin\AppData\Local\Temp\1001078001\koooooo.exe"
  2⤵
  PID:2184
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:3428
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 852
    3⤵
    - Program crash
    PID:2272
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
  2⤵
  PID:2840
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
    3⤵
    PID:3844
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:4700
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\570491262506_Desktop.zip' -CompressionLevel Optimal
      4⤵
      PID:1928
- C:\Users\Admin\AppData\Local\Temp\1001082001\go.exe
  "C:\Users\Admin\AppData\Local\Temp\1001082001\go.exe"
  2⤵
  PID:5032
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
    3⤵
    PID:1592
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff83ad846f8,0x7ff83ad84708,0x7ff83ad84718
      4⤵
      PID:4500
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
    3⤵
    PID:3592
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff83ad846f8,0x7ff83ad84708,0x7ff83ad84718
      4⤵
      PID:4624
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,10571331969062855686,7099234769191869243,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
      4⤵
      PID:5252
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,10571331969062855686,7099234769191869243,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
      4⤵
      PID:5284
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,10571331969062855686,7099234769191869243,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
      4⤵
      PID:5352
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10571331969062855686,7099234769191869243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
      4⤵
      PID:5808
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10571331969062855686,7099234769191869243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
      4⤵
      PID:5424
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10571331969062855686,7099234769191869243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3836 /prefetch:1
      4⤵
      PID:6148
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10571331969062855686,7099234769191869243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1
      4⤵
      PID:6968
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10571331969062855686,7099234769191869243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
      4⤵
      PID:6832
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10571331969062855686,7099234769191869243,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
      4⤵
      PID:6552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10571331969062855686,7099234769191869243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
      4⤵
      PID:5456
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10571331969062855686,7099234769191869243,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
      4⤵
      PID:5644
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10571331969062855686,7099234769191869243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
      4⤵
      PID:5172
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,10571331969062855686,7099234769191869243,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5992 /prefetch:8
      4⤵
      PID:3640
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,10571331969062855686,7099234769191869243,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5992 /prefetch:8
      4⤵
      PID:1476
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10571331969062855686,7099234769191869243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:1
      4⤵
      PID:5104
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
    3⤵
    PID:3328
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff83ad846f8,0x7ff83ad84708,0x7ff83ad84718
      4⤵
      PID:2704
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1452,1341132950221824029,4805561714206308598,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
      4⤵
      PID:5172
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1452,1341132950221824029,4805561714206308598,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
      4⤵
      PID:5744
- C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
  "C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe"
  2⤵
  PID:2904
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
  2⤵
  PID:5388
- C:\Users\Admin\AppData\Local\Temp\1001084001\random.exe
  "C:\Users\Admin\AppData\Local\Temp\1001084001\random.exe"
  2⤵
  PID:5880
- C:\Users\Admin\AppData\Local\Temp\1001085001\file300un.exe
  "C:\Users\Admin\AppData\Local\Temp\1001085001\file300un.exe"
  2⤵
  PID:6604
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
    3⤵
    PID:5272
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
    3⤵
    PID:6860
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
    3⤵
    PID:6892
  - - C:\Users\Admin\Pictures\rAGdv7SihthUwn90cgJjQstW.exe
      "C:\Users\Admin\Pictures\rAGdv7SihthUwn90cgJjQstW.exe"
      4⤵
      PID:6572
    - - C:\Users\Admin\AppData\Local\Temp\u52k.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u52k.0.exe"
        5⤵
        
        PID:3692
  - - C:\Users\Admin\Pictures\jFqKTeg1VAhNBTj1lQBI1IjF.exe
      "C:\Users\Admin\Pictures\jFqKTeg1VAhNBTj1lQBI1IjF.exe"
      4⤵
      PID:7080
  - - C:\Users\Admin\Pictures\lO5loEzGId6kD5lbP2nRQl8w.exe
      "C:\Users\Admin\Pictures\lO5loEzGId6kD5lbP2nRQl8w.exe"
      4⤵
      PID:6788
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:6424
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6788 -s 868
        5⤵
        Program crash
        
        PID:3732
  - - C:\Users\Admin\Pictures\FLgMroTV4hVaEG6V5hLvbS65.exe
      "C:\Users\Admin\Pictures\FLgMroTV4hVaEG6V5hLvbS65.exe"
      4⤵
      PID:7140
  - - C:\Users\Admin\Pictures\Pj6Ms8aJo793qvfM3PWjWVBv.exe
      "C:\Users\Admin\Pictures\Pj6Ms8aJo793qvfM3PWjWVBv.exe"
      4⤵
      PID:2124
    - - C:\Users\Admin\AppData\Local\Temp\7zSBB09.tmp\Install.exe
        
        .\Install.exe
        5⤵
        
        PID:3944
  - - C:\Users\Admin\Pictures\KGZMCasnc4SAKN6cNr1pWCVX.exe
      "C:\Users\Admin\Pictures\KGZMCasnc4SAKN6cNr1pWCVX.exe"
      4⤵
      PID:6756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2184 -ip 2184
1⤵
PID:3984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1656 -ip 1656
1⤵
PID:4056

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5872 -ip 5872
1⤵
PID:6428

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5144 -ip 5144
1⤵
PID:6768

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
1⤵
PID:5040

C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
1⤵
PID:6000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 6420 -ip 6420
1⤵
PID:5792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6420 -ip 6420
1⤵
PID:6032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:6044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 6788 -ip 6788
1⤵
PID:6896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:5924

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:6856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a774512b00820b61a51258335097b2c9

SHA1
38c28d1ea3907a1af6c0443255ab610dd9285095

SHA256
01946a2d65e59b66ebc256470ff4861f32edee90a44e31bf67529add95cafef4

SHA512
ce109be65060a5e7a872707c6c2ccce3aacd577e59c59d6e23e78d03e3d502f2707713fda40a546ed332e41a56ef90297af99590a5ab02f686a58bcbf3a82da1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fd7944a4ff1be37517983ffaf5700b11

SHA1
c4287796d78e00969af85b7e16a2d04230961240

SHA256
b54b41e7ce5600bc653aa7c88abb666976872b2d5e2d657bfc1147a0b49e9d74

SHA512
28c58a2ccf39963a8d9f67ea5b93dbccf70b0109b2c8a396a58389cdec9db1205523a95730485bcbc9d533867cbf0e7167ad370fd45740e23656d01d96ee543b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c807fea48fbc046e3ad7f32abaf74d6b

SHA1
77ae15eada0d2e96e4e91906a1057784b791dc38

SHA256
55c6e7c693bb2644803be6fec53ed633386924471be1cfc6b02cc0d9c411e409

SHA512
988d8a93871cdfa2c6d02af72441a8428c543e9635159f9a2c4e2d0f7ea8de15a7d495edc6828a3386ef5eb49cc22f21c8d7629a11abd5eb548413fadff2e606

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
08da2ab5bb7b1a9bae5281134655c2d3

SHA1
920c037e20a2f8c905dc599e037087b0465d1dc7

SHA256
1b767284cc82fb5bc1c6d5680c6aa444222083adc758f04df41247f5b3faf4ae

SHA512
f017978797fabee7e5cf142b9545c4d97790a833c1510a2f7b0503a6b65593d07616a7517819cc7435397d92c57788667858752b7e0d127b54d3756d8ac5becb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
55dcbb0d7282c3f719b4f46b2a98f429

SHA1
27c9fa0a9698755f36f36de31da49c1ae290f98e

SHA256
128323ac75dc1abb925650038ac9e2578eef370da4f7e09e0dd0a0bf96e12a79

SHA512
79f355417847eb513b72ad367bda86c80aac3bced89b1d1d7666e372d61b565a2e97f8efc90289d996a3c5c06ba77edab7f8a0eb0d5118a3fa210a05ac65b47c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
204B

MD5
21e03af9cc43875b793911e321957b57

SHA1
4bb7f8482e5a10ffebf45a26527dddda80f38d28

SHA256
89b0078e8be1d5413e15c4ca9551df22425ef13093535af90500f9da8f3be0f2

SHA512
397bcdbb02e93932697c23a5f44e3923f5c4c3de3edec9d1403b9c2e49d5cfa77161c55ffcbaf4bcb65805d98c54c61635d2e81d4522e16098bd957dd009f508

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5938ba.TMP

Filesize
204B

MD5
2a7600618d54e28bd83137da359b3733

SHA1
2e02e263eb72ab2d29e87906716fae09fae207f3

SHA256
ea28b11d318b3cc58576ce12fcbb41d5d84966b00de067da2eef4aef8261307b

SHA512
6c66b0ec08dd1c27c2f07aaefa2e50d5fa5a106776d79ac9e1039bb89662f709c50cfc18184e4e21b76f438730049b7060d7668627498daadb4646770ccea1b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
be2427dce10e47985f4e687ce080bdc7

SHA1
eea52e88a6f56999ec47c61ee6d5374f49e4690f

SHA256
77458cb4c9b401d4a5f57aa28677d7ddd200ee19612e48905797423c4b5162af

SHA512
08c4f813ecd1917e5d32b71008a14f67b8726fdc48cdbb4fcb43d10bbb3208233f1cfcb0f7c7edee726c9f35cd481b678ce63283a20abcc8b8444ec5fdc91406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
29fd5096d140538825318bb894c00d78

SHA1
f6d761d543da1bd60fe569216b4c97b144aba82b

SHA256
aca3098e25ef6e416381521e53a7ccc4702621e9d4371c7a34ec3041dfc28f75

SHA512
abdd2e20a9b9c2faec6e79d0c6e859e9c9d92abf98133bcde6eb74fdc01024d5fe4344b7c479616bba083dd16bd134118481cc97e0a0c77fb8c1e6df9cb00856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bef0eafc695da5e7764cb47de9de56d5

SHA1
3cc52ca557c2a7db92dde3155ccf3710800440a1

SHA256
5cd654dd24b99679c7fe14a0f6ed347e369d7556b15bffb58c27133f0d5a6201

SHA512
06c3054f555fa39a5be6a8980c572e3e71b2d32171cd15e761f04bd0db20f9df912b4c5b1d802772f478e2d1cda165fddba8ec95d420b89e6f7fee49789309b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404011229521\additional_file0.tmp

Filesize
704KB

MD5
9fdabb58fdba5585003df8c055a8b41b

SHA1
90f48dbd6feb333ba993e8b47d804c604210b382

SHA256
e97b41fe9ff7534fd1d43a807111aef70eb5d988ecc5acb4ce23b6ef8ce533ef

SHA512
bf4a5616fa2f243a91b380fe92fc439f7bb43f34be12566becddf6d613da06080b4622e4c09c4037de9ded3f3f332755d02ba8e710d8048479897c37a749ce66

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404011229521\opera_package

Filesize
9.3MB

MD5
993880612e78e3a56a42c8bf70fe8aba

SHA1
bf0953882996b0e3c2457e5d3db0b912157c8ba9

SHA256
ffa774679f5e62f1f4a3d19803337ad030ae9d777af891f80aea1aebca61478d

SHA512
06737a050f0112832460e6a05bc41f4129496216525ecc8e0b7240bd32f88786b68df4e5a675e430235adfe9723b44938c8eaea5f0744b9b95d68bc8bcb5d907

Download Submit
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

Filesize
1.8MB

MD5
5d09d77fa64cc1422dc52ea1e6255242

SHA1
3590074f02b0c2ba8f2cc9c67a16ff7eecac0552

SHA256
87ccb95b8f560ac61f574a7fc0f2506ec6cf522a4dddd285eb9877acb30b166c

SHA512
831938948059b1b9275a553f5a5cf7c93540ec92fc205de1ee46162b191c6ed69bf050da756f334379437f09544e9c1db5268f93c5e8bab2ef88679b4844bb35

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000183001\Uni400uni.exe

Filesize
3.3MB

MD5
3dd254d7767f8ec787bec80eee20719c

SHA1
22c5768cea8262c56dc84978298f98c384a6dd4b

SHA256
c468bab0437d8a624e0ce7feaf49efb95a124eec79fe9bd45ad7840334528743

SHA512
1bfdb64ca224231f85623b01138081e9c0bb92fbf037625cfbde307a3cdbe3d213476a5e603f572728f4a05767bb106683bb621110497db69b8cca4bf7aa01d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe

Filesize
1.7MB

MD5
85a15f080b09acace350ab30460c8996

SHA1
3fc515e60e4cfa5b3321f04a96c7fb463e4b9d02

SHA256
3a2006bc835a8ffe91b9ee9206f630b3172f42e090f4e8d90be620e540f5ef6b

SHA512
ade5e3531dfa1a01e6c2a69deb2962cbf619e766da3d6e8e3453f70ff55ccbcbe21381c7b97a53d67e1ca88975f4409b1a42a759e18f806171d29e4c3f250e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe

Filesize
301KB

MD5
832eb4dc3ed8ceb9a1735bd0c7acaf1b

SHA1
b622a406927fbb8f6cd5081bd4455fb831948fca

SHA256
2a82243697e2eec45bedc754adcdc1f6f41724a40c6d7d96fd41ad144899b6f7

SHA512
3ab8b25732a7152608be101a3daf0d55833c554ab968be8b3b79a49e1831f3ee0eeeb9586a3334fa387b1f160fd15e98a80dcfece559c9c257b44ef962874894

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe

Filesize
499KB

MD5
83d0b41c7a3a0d29a268b49a313c5de5

SHA1
46f3251c771b67b40b1f3268caef8046174909a5

SHA256
09cc3364d5e1c15228822926bc65ce290c487dc3b7c0345bf265538110fa9cc9

SHA512
705ecc7c421338e37ed0d58c2d9fad03fb3565db422a0c9d895e75a399bf5f2a70cfe3ffdc860ffe010d4d1a213e0a844aeadb89ea8e0c830a2fc8c03b7669b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe

Filesize
464KB

MD5
c084d6f6ba40534fbfc5a64b21ef99ab

SHA1
0b4a17da83c0a8abbc8fab321931d5447b32b720

SHA256
afd83290a2adb219c3f1b8fbf23c27b0994fe76dfbb7dc0b416530dc0e21f624

SHA512
a5384a2f7029cf946fde44e1ff30775754ce525ca5a6fdac14184872b6e684cb6e585053cb86d32f82cbd3db48eb195ba3a642d8ee3774be579fccd993938ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe

Filesize
418KB

MD5
0099a99f5ffb3c3ae78af0084136fab3

SHA1
0205a065728a9ec1133e8a372b1e3864df776e8c

SHA256
919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

SHA512
5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001073001\swiiiii.exe

Filesize
321KB

MD5
1c7d0f34bb1d85b5d2c01367cc8f62ef

SHA1
33aedadb5361f1646cffd68791d72ba5f1424114

SHA256
e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c

SHA512
53bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001078001\koooooo.exe

Filesize
379KB

MD5
90f41880d631e243cec086557cb74d63

SHA1
cb385e4172cc227ba72baf29ca1c4411fa99a26d

SHA256
23b62a27e3f5c424b16f31e5009af4f24c8bd13b1f035f87879e2a29236be7a0

SHA512
eeb85b34aa66a7e9a1b1807012999ee439433df23126a52ffa8d4b3cb2026be3bcf63ca25f143de58ba929c0d4feeaf2a603fd6ec6b5379fc48147c22f3783e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001082001\go.exe

Filesize
894KB

MD5
2f8912af892c160c1c24c9f38a60c1ab

SHA1
d2deae508e262444a8f15c29ebcc7ebbe08a3fdb

SHA256
59ff8e0aa665fbbf749c7548906a655cb1869bb58a3b7546efa5b416d19e6308

SHA512
0395383bde98d358b0a7f2224f903dff026ce0c6d90feb49ac0e6993ef692143b0eb25da84d9cdc9e7b373a7b75a6dbaef14746eda1bff165d59f07ca51a16bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001084001\random.exe

Filesize
3.0MB

MD5
b3988b126acf5f6b0e019e2363130d54

SHA1
344b1642fc3c7ad1a00a722009090f8ef4d4c476

SHA256
84b2b67a779ffc313f3f704f813b0cb74637bcb0052234a2d9af0cb02e47675e

SHA512
1f7690061575f7f437f6405963f2389bd9a030e9167f5b30a371242db565326163859e206f69522e18dea732c847b37d3e64e3ad8916b95115bd9febf63269d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001085001\file300un.exe

Filesize
3.3MB

MD5
584b95fa5d21e178c978ed9171473514

SHA1
f3f67fd04f7539b73e6fcf3b941d279212fff907

SHA256
2a14c443a77b0333cc9646bc676e8c9bcd8789904f3e6b3b73ad8c604649bdb6

SHA512
47fe759e2908050bcb9314a9d4cb6a807ff201847bd898a8ff73c8e96f18dd8e7f39e5446e3fa4e73444ba15e4698a2764f3a98bc8ab8897279e25b388aab1d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSBB09.tmp\__data__\config.txt

Filesize
969KB

MD5
d7c310d8ddc43bfebcf30e1028104c64

SHA1
bf67b4136a6c06f4fef6412f7316b2adaec7032f

SHA256
5339d07c6dba4417ddcb60aa4fdfa1f50cfa5cba2d927686ea80cfd62363d203

SHA512
631fc51a7139011b75c2639e78f3095db06ba86f791b480d9785085cc32106827375ba71e22cc82f7fcbd2b0fc38a9c055687fd40f9ec3f74edcdd9b88c3bdb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEEFF.tmp\Install.exe

Filesize
6.7MB

MD5
b119ea556def66eaa9f751a650b45af0

SHA1
daf3fa0325b110183d0a233b4b0d1875f0b49ca8

SHA256
53c38771ea9986f418a48d89e4df5e82c84f1e71a4c242fc6e6ae3ba934cf6d4

SHA512
08dd919ce39af698051b4f156faa8d155c41cc0de3412ef152dc6e90cbdd5cb50109f57c47555925fd6d18816411b1c510ac642b9576f5f28540be8695ed46c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2404011229338383512.dll

Filesize
4.6MB

MD5
117176ddeaf70e57d1747704942549e4

SHA1
75e3ab6b3469d93cce9ea2f7e22b71b987ccdf2b

SHA256
3c5b34de987116a4d3240e319c0da89a951c96b81e6705476a0fea27b22b20af

SHA512
ca2a356929c92d314aab63d7f3b246d72783212dfa3a4507f28d41a51ca0eedc78e85b1cd453aa8e02c12509f847a0216bb702154f903291c804c8a98ec378b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp55FB.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jjbp1vxw.iiq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6E13.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7068.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7098.tmp

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\u3yw.0.exe

Filesize
269KB

MD5
fea6a69aaa533e491657d8a3ec57de80

SHA1
baf63f5853ab2a747a712a1e80bac9b56932b46c

SHA256
464070a4dee94d43448b3cbcead3ce9bc17cf507a3cf200626e408cc1f97db29

SHA512
979a66bbfe3da2429f61b8883cc7b14851e43cf1a160ce338727fcf6c6e2c9c1558fb6b1b65ce881cd2d383e1158234a3407f2de3347d0df45a772d4f9ba568e

Download Submit
C:\Users\Admin\AppData\Local\Temp\u3yw.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
109KB

MD5
2afdbe3b99a4736083066a13e4b5d11a

SHA1
4d4856cf02b3123ac16e63d4a448cdbcb1633546

SHA256
8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee

SHA512
d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
1.2MB

MD5
92fbdfccf6a63acef2743631d16652a7

SHA1
971968b1378dd89d59d7f84bf92f16fc68664506

SHA256
b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72

SHA512
b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-557049126-2506969350-2798870634-1000\76b53b3ec448f7ccdda2063b15d2bfc3_571594ad-b717-4cea-93ae-747ab327a92a

Filesize
2KB

MD5
2f26053e435aa59a377add22c73dcc27

SHA1
e68f944fd9b95bfd7325640ee094a3433a2b2639

SHA256
ed6d08979dda1c05d2e6193a21906c6ec31c7a0ebc4ac76e80b0252c415c483a

SHA512
0d99a2911662c507a915d3d992bffc5e3f2476f65cbeca31076af822734ba4c6a83668846f0f5498f0e1d62d223df73bfed9fa0d7a0b09d33e0131df8e422a74

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe

Filesize
541KB

MD5
1fc4b9014855e9238a361046cfbf6d66

SHA1
c17f18c8246026c9979ab595392a14fe65cc5e9f

SHA256
f38c27ecbeed9721f0885d3b2f2f767d60a5d1c0a5c98433357f570987da3e50

SHA512
2af234cac24ec4a508693d9affa7f759d4b29bb3c9ddffd9e6350959fd4da26501553399d2b02a8eeae8dace6bfe9b2ce50462ce3c6547497f5b0ea6ed226b12

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe

Filesize
304KB

MD5
cc90e3326d7b20a33f8037b9aab238e4

SHA1
236d173a6ac462d85de4e866439634db3b9eeba3

SHA256
bd73ee49a23901f9fb235f8a5b29adc72cc637ad4b62a9760c306900cb1678b7

SHA512
b5d197a05a267bf66509b6d976924cd6f5963532a9f9f22d1763701d4fba3dfa971e0058388249409884bc29216fb33a51846562a5650f81d99ce14554861521

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
38329c8178fefe041f8dd62f2b052347

SHA1
f0ace78718b7b1bde6b3b50285430a13b9399587

SHA256
88887af962aa6b40d1d646f484944388520457b6ac151e8b333a70eae49495e1

SHA512
ca34436a4af2387b32d0bbaa315eba2184af238428b57ec214ac0760eb297b5cb4b91ef5bb2d3e834d479b10a8541228ffb4cc51e8b3be21b034e5aedd8eabb6

Download Submit
C:\Users\Admin\Pictures\0tNvcV2ahA0IQg9NOgHHuJYr.exe

Filesize
1.2MB

MD5
8c91573a0bde2c5041e3cd832ca2a4f1

SHA1
90a7254adeae723864c64eefd57fa544f53009c6

SHA256
7098f231e0fd5957ccee41fbefde939e260fc396e9f23f4c5c94c37af5bd370a

SHA512
22073c4344ccf43bc1430f8a75c18e2f0a0c33da2e24af2641024207f24eaf20635ddbeccfb4fc09a8975212861ee23d15b2786100b24b32cbd871377f014369

Download Submit
C:\Users\Admin\Pictures\2Ozc53aT1p4LCg5tM2A5FirN.exe

Filesize
4.9MB

MD5
251bdf47313d0ea3d84100cf61f58401

SHA1
2c8438162ffeb03e62f50dec55fb4ec624d9543d

SHA256
4d1c496eb98e2a807584bd0958e0244784f9217de63dc36060cba7bfa04f280b

SHA512
a52f9965dbaa0c6ef53f0488efc6252b83a3d0d714a0533ae4e98f711a78b91263799a3d06203f53383c13f87e50135daa95f187d5f46e11c11e07e84312369a

Download Submit
C:\Users\Admin\Pictures\PMfuf8WfqJ2q8IY4CZ6PhbWy.exe

Filesize
4.2MB

MD5
ca664a7abe4c85deadfefe4d5d135291

SHA1
a588ddeb683f436d675cfc62294f9a42c244db7a

SHA256
7bfcfa657bc5fede839b943b4599ae06c42182cd067834af035bf339d5f73e85

SHA512
1f5ef020192b0bc7adb72965d7124a0d43471a876867d949afd136feeea5c3c100af4c70cfc3545efc22d86e3e3c76c0ea11ccb1427ea5a2305dd0b97ea673b1

Download Submit
C:\Users\Admin\Pictures\T2zwe9E00J1Ukjv7VpEwlltI.exe

Filesize
410KB

MD5
b339d95d71ecebaf0e60ee634693ee64

SHA1
9fb925f5c99d1f84484cd2866601cccbb8ecd69f

SHA256
a0a3752e45c0081cced334e5c5e65e2dd1754f93bd7f53c5c1aad33959515c17

SHA512
d4dda94c90e5c96c935a07baa0ed50aa9c2763437218fe3a4f1804926afc31118d23727343da5260c6443eb3ad3eee1c43443ede8195c3b021abd88af1e05b11

Download Submit
C:\Users\Admin\Pictures\a9oYDmB2oTo4g4O2IF6jec99.exe

Filesize
5.1MB

MD5
eb42c3d7e6d677ebb9ef4c1987d86db0

SHA1
31febff61e1d14930ed31108f8da2d3ebca6db4d

SHA256
821b8f488d2737908b9d06d8affa772a6701ab1f4e2a10c4727ebeac3402a96e

SHA512
de66c2322e61a2d5bd3a84e71789a0172052e4158979ec6adb30c2604011c80104e8b317447e0c911e8756c08c863f8a6d3b628ebf7d51645426533515d4a0c9

Download Submit
C:\Users\Admin\Pictures\jKDeFrqjBuMmdbJJCMgTgDFR.exe

Filesize
7KB

MD5
5b423612b36cde7f2745455c5dd82577

SHA1
0187c7c80743b44e9e0c193e993294e3b969cc3d

SHA256
e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09

SHA512
c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

Download Submit
C:\Users\Admin\Pictures\lwq7kncrC3D95UBJYyqKLP19.exe

Filesize
437KB

MD5
7960d8afbbac06f216cceeb1531093bb

SHA1
008221bf66a0749447cffcb86f2d1ec80e23fc76

SHA256
f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84

SHA512
35d12e81eb892aeb2237049beca61a81469dea5b1c9b7a0b9f49fbf95a95c756509d9e76c732fb10b504f9f9692e1fbe83ea2fd09d791f793a928c01974b8147

Download Submit
C:\Users\Admin\Pictures\rUOwKLKprsQQA5LOPHcWfB35.exe

Filesize
4.2MB

MD5
13fba4d99277201677c51afdf5a520b3

SHA1
640f935d9f5d2762da7e9fb8ea025f0a216826d6

SHA256
bf68fcc84c98a4062195042f1bd24911b3115c9cfce7cbb45ab134f048051ddf

SHA512
3ce95f9903484dd9d2099dd478c72eb6b30fd6c44eab95a7d9de4d1c5a2fccb0a0c22336c73e25576d832e85fdb6d51e2322a9bddbab8c6866f437ba97fe1c77

Download Submit
C:\Users\Admin\Pictures\yC9HIRXw85QxCbiA4yHRLr0L.exe

Filesize
7.5MB

MD5
66bafbe7feb126120ab6e62a26c458e1

SHA1
f0e5bdedce5142fddf8e4fd7b52792c07037a256

SHA256
cc6fc887360be8b778f94f5e2b4b4542671802c292b5a8dc3c4bca987347e238

SHA512
618245984ad269e032c1f9bbc261c8a3a07e343ca6869bac7a4f50fe3644786b1e2abaf87f3b853642b1bffc3681033e68935ac2b3be23a994497cf7a2410973

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
973180b9737966bdc454abc29a7de5a0

SHA1
caa31c15705ba4323f52e52bf39af593fe3c2cac

SHA256
af9850f6cdd3ca7c45370774edffaaa5ed1ebc55ffb8b8847c0d2940b5e544be

SHA512
794426b7a8544de4a9531e0983542900fe399a9889989481e1857f9f24a929a4b9bd4b2a24b918048304edbb0132b242944477ae98eff4d054a8239677546101

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
\??\pipe\LOCAL\crashpad_3328_EBYCUXESFUGUBDRT

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/720-159-0x0000000000060000-0x0000000000516000-memory.dmp

Filesize
4.7MB

Download
memory/720-21-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/720-511-0x0000000000060000-0x0000000000516000-memory.dmp

Filesize
4.7MB

Download
memory/720-751-0x0000000000060000-0x0000000000516000-memory.dmp

Filesize
4.7MB

Download
memory/720-170-0x0000000000060000-0x0000000000516000-memory.dmp

Filesize
4.7MB

Download
memory/720-19-0x0000000000060000-0x0000000000516000-memory.dmp

Filesize
4.7MB

Download
memory/720-20-0x0000000000060000-0x0000000000516000-memory.dmp

Filesize
4.7MB

Download
memory/720-169-0x0000000000060000-0x0000000000516000-memory.dmp

Filesize
4.7MB

Download
memory/720-661-0x0000000000060000-0x0000000000516000-memory.dmp

Filesize
4.7MB

Download
memory/720-22-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/720-325-0x0000000000060000-0x0000000000516000-memory.dmp

Filesize
4.7MB

Download
memory/720-23-0x00000000049E0000-0x00000000049E1000-memory.dmp

Filesize
4KB

Download
memory/720-25-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download
memory/720-24-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/720-26-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download
memory/720-27-0x0000000004A40000-0x0000000004A41000-memory.dmp

Filesize
4KB

Download
memory/1548-284-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1548-261-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1656-253-0x0000000072D90000-0x0000000073540000-memory.dmp

Filesize
7.7MB

Download
memory/1656-250-0x00000000008A0000-0x00000000008F2000-memory.dmp

Filesize
328KB

Download
memory/1656-301-0x0000000002B60000-0x0000000004B60000-memory.dmp

Filesize
32.0MB

Download
memory/2184-271-0x0000000072D90000-0x0000000073540000-memory.dmp

Filesize
7.7MB

Download
memory/2184-283-0x0000000000C90000-0x0000000000CF6000-memory.dmp

Filesize
408KB

Download
memory/2864-16-0x00000000002A0000-0x0000000000756000-memory.dmp

Filesize
4.7MB

Download
memory/2864-10-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/2864-1-0x0000000077184000-0x0000000077186000-memory.dmp

Filesize
8KB

Download
memory/2864-2-0x00000000002A0000-0x0000000000756000-memory.dmp

Filesize
4.7MB

Download
memory/2864-5-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/2864-4-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/2864-6-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/2864-7-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download
memory/2864-0-0x00000000002A0000-0x0000000000756000-memory.dmp

Filesize
4.7MB

Download
memory/2864-8-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download
memory/2864-3-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2864-9-0x0000000004D70000-0x0000000004D71000-memory.dmp

Filesize
4KB

Download
memory/2864-11-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/3336-217-0x0000000006720000-0x000000000673E000-memory.dmp

Filesize
120KB

Download
memory/3336-202-0x0000000005F10000-0x0000000005F86000-memory.dmp

Filesize
472KB

Download
memory/3336-155-0x0000000072D90000-0x0000000073540000-memory.dmp

Filesize
7.7MB

Download
memory/3336-156-0x00000000009C0000-0x0000000000A12000-memory.dmp

Filesize
328KB

Download
memory/3336-172-0x00000000054A0000-0x00000000054B0000-memory.dmp

Filesize
64KB

Download
memory/3428-302-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3428-310-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3604-120-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/3604-260-0x0000000072D90000-0x0000000073540000-memory.dmp

Filesize
7.7MB

Download
memory/3604-107-0x0000000072D90000-0x0000000073540000-memory.dmp

Filesize
7.7MB

Download
memory/3604-95-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/4232-112-0x00000000050F0000-0x00000000051FA000-memory.dmp

Filesize
1.0MB

Download
memory/4232-90-0x0000000004D30000-0x0000000004D3A000-memory.dmp

Filesize
40KB

Download
memory/4232-258-0x00000000058D0000-0x0000000005936000-memory.dmp

Filesize
408KB

Download
memory/4232-124-0x0000000005060000-0x00000000050AC000-memory.dmp

Filesize
304KB

Download
memory/4232-256-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

Filesize
64KB

Download
memory/4232-65-0x0000000000410000-0x0000000000460000-memory.dmp

Filesize
320KB

Download
memory/4232-252-0x0000000072D90000-0x0000000073540000-memory.dmp

Filesize
7.7MB

Download
memory/4232-123-0x0000000005020000-0x000000000505C000-memory.dmp

Filesize
240KB

Download
memory/4232-122-0x0000000004FA0000-0x0000000004FB2000-memory.dmp

Filesize
72KB

Download
memory/4232-66-0x0000000072D90000-0x0000000073540000-memory.dmp

Filesize
7.7MB

Download
memory/4232-67-0x0000000005320000-0x00000000058C4000-memory.dmp

Filesize
5.6MB

Download
memory/4232-77-0x0000000004D70000-0x0000000004E02000-memory.dmp

Filesize
584KB

Download
memory/4232-87-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

Filesize
64KB

Download
memory/4232-106-0x0000000005EF0000-0x0000000006508000-memory.dmp

Filesize
6.1MB

Download
memory/4436-118-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/4436-89-0x0000000000570000-0x00000000005F2000-memory.dmp

Filesize
520KB

Download
memory/4436-259-0x00007FF840460000-0x00007FF840F21000-memory.dmp

Filesize
10.8MB

Download
memory/4436-92-0x00007FF840460000-0x00007FF840F21000-memory.dmp

Filesize
10.8MB

Download
memory/4464-203-0x0000000000280000-0x000000000030C000-memory.dmp

Filesize
560KB

Download
memory/4464-216-0x00007FF840460000-0x00007FF840F21000-memory.dmp

Filesize
10.8MB

Download
memory/4508-212-0x0000000072D90000-0x0000000073540000-memory.dmp

Filesize
7.7MB

Download
memory/4508-171-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4508-214-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/4532-324-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4712-167-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/4712-198-0x0000000072D90000-0x0000000073540000-memory.dmp

Filesize
7.7MB

Download
memory/4712-204-0x00000000025A0000-0x00000000045A0000-memory.dmp

Filesize
32.0MB

Download
memory/4712-165-0x0000000072D90000-0x0000000073540000-memory.dmp

Filesize
7.7MB

Download
memory/4712-154-0x0000000000370000-0x00000000003EA000-memory.dmp

Filesize
488KB

Download
memory/5040-814-0x0000000000150000-0x0000000000159000-memory.dmp

Filesize
36KB

Download
memory/5092-737-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/5144-759-0x0000000000400000-0x0000000000884000-memory.dmp

Filesize
4.5MB

Download
memory/5144-626-0x0000000000400000-0x0000000000884000-memory.dmp

Filesize
4.5MB

Download
memory/5320-675-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5320-763-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5428-641-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5428-774-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5524-804-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5524-655-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5880-680-0x0000000000C90000-0x000000000104E000-memory.dmp

Filesize
3.7MB

Download
memory/5880-658-0x0000000000C90000-0x000000000104E000-memory.dmp

Filesize
3.7MB

Download
memory/5912-772-0x00007FF63A050000-0x00007FF63AE2B000-memory.dmp

Filesize
13.9MB

Download
memory/5912-643-0x00007FF85DDF0000-0x00007FF85DDF2000-memory.dmp

Filesize
8KB

Download
memory/5912-758-0x00007FF63A050000-0x00007FF63AE2B000-memory.dmp

Filesize
13.9MB

Download
memory/5912-733-0x00007FF63A050000-0x00007FF63AE2B000-memory.dmp

Filesize
13.9MB

Download
memory/5912-654-0x00007FF85CE80000-0x00007FF85CE82000-memory.dmp

Filesize
8KB

Download
memory/5912-695-0x00007FF63A050000-0x00007FF63AE2B000-memory.dmp

Filesize
13.9MB

Download
memory/5912-630-0x00007FF85F690000-0x00007FF85F692000-memory.dmp

Filesize
8KB

Download
memory/5912-644-0x00007FF85DE00000-0x00007FF85DE02000-memory.dmp

Filesize
8KB

Download
memory/5912-657-0x00007FF63A050000-0x00007FF63AE2B000-memory.dmp

Filesize
13.9MB

Download
memory/5912-743-0x00007FF63A050000-0x00007FF63AE2B000-memory.dmp

Filesize
13.9MB

Download
memory/5912-640-0x00007FF85F6A0000-0x00007FF85F6A2000-memory.dmp

Filesize
8KB

Download
memory/5912-656-0x00007FF85CE90000-0x00007FF85CE92000-memory.dmp

Filesize
8KB

Download
memory/6420-742-0x0000000003D80000-0x0000000004180000-memory.dmp

Filesize
4.0MB

Download
memory/6420-663-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/6420-807-0x00000000759A0000-0x0000000075BB5000-memory.dmp

Filesize
2.1MB

Download
memory/6420-779-0x00007FF85F490000-0x00007FF85F685000-memory.dmp

Filesize
2.0MB

Download
memory/6420-750-0x0000000003D80000-0x0000000004180000-memory.dmp

Filesize
4.0MB

Download
memory/6420-622-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download