Overview

overview

10

Static

static

3

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Resubmissions

22-04-2024 17:32

240422-v4rfwaea81 10

21-04-2024 02:58

240421-dgjdbahe61 10

Analysis

  • max time kernel
    49s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-04-2024 02:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    10b4e10a2ea87dd5cc06b2924cd8ff1cb7f90b89719017e95d9c746021f30fa1.exe

  • Size

    1.8MB

  • MD5

    7f84fef1e9da6502e7d41c0d4f326b75

  • SHA1

    0e718ac8f878f07526428fd44709f798f1808d7e

  • SHA256

    10b4e10a2ea87dd5cc06b2924cd8ff1cb7f90b89719017e95d9c746021f30fa1

  • SHA512

    7220f644065f4845a29c361557cd3ba5d97c8c1ceef8603308e85349920336885413e2238d7dd5e831dd0c6c1aec83bc45d4b966e32ad1f4e7168a0883520c1e

  • SSDEEP

    49152:mZZrpcoadNECxYPmHCPampPzRbqQlNO8uICfyhMH:mZPcoanK3bFlE8RCfymH

Score
10/10
amadeygluptebalummaredlinestealcxehookzgrat@oleh_psplivetrafficdiscoverydropperevasioninfostealerloaderpersistenceratspywarestealerthemidatrojan

Malware Config

Extracted

Family

amadey

Version

4.17

C2

http://193.233.132.167

Attributes
  • install_dir

    4d0ab15804

  • install_file

    chrosha.exe

  • strings_key

    1a9519d7b465e1f4880fa09a6162d768

  • url_paths

    /enigma/index.php

rc4.plain

Extracted

Family

redline

Botnet

@OLEH_PSP

C2

185.172.128.33:8970

Extracted

Family

redline

Botnet

LiveTraffic

C2

4.184.225.183:30592

Extracted

Family

stealc

C2

http://52.143.157.84

Attributes
  • url_path

    /c73eed764cc59dcb.php

Extracted

Family

xehook

C2

https://unotree.ru/

https://aiwhcpoaw.ru/

Extracted

Family

lumma

C2

https://affordcharmcropwo.shop/api

https://cleartotalfisherwo.shop/api

https://worryfillvolcawoi.shop/api

https://enthusiasimtitleow.shop/api

https://dismissalcylinderhostw.shop/api

https://diskretainvigorousiw.shop/api

https://communicationgenerwo.shop/api

https://pillowbrocccolipe.shop/api

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detect Xehook Payload 1 IoCs
  • Detect ZGRat V1 2 IoCs
  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 10 IoCs
  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

    stealerlumma
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 8 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Xehook stealer

    Xehook is an infostealer written in C#.

    stealerxehook
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Blocklisted process makes network request 4 IoCs
  • Creates new service(s) 1 TTPs
    persistence
  • Downloads MZ/PE file
  • Modifies Windows Firewall 2 TTPs 3 IoCs
    evasion
  • Stops running service(s) 3 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 17 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 2 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Looks up external IP address via web service 8 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Drops file in Windows directory 1 IoCs
  • Launches sc.exe 15 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 6 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\10b4e10a2ea87dd5cc06b2924cd8ff1cb7f90b89719017e95d9c746021f30fa1.exe
    "C:\Users\Admin\AppData\Local\Temp\10b4e10a2ea87dd5cc06b2924cd8ff1cb7f90b89719017e95d9c746021f30fa1.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    PID:3568
  • C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
    C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1636
    • C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
      "C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:5008
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        3⤵
          PID:4996
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 868
          3⤵
          • Program crash
          PID:4820
      • C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
        "C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2484
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          3⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:3280
          • C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe
            "C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3232
          • C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe
            "C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"
            4⤵
            • Executes dropped EXE
            • Modifies system certificate store
            • Suspicious behavior: EnumeratesProcesses
            PID:2784
      • C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe
        "C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3188
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          3⤵
            PID:1584
        • C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
          "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"
          2⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3580
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe" /F
            3⤵
            • Creates scheduled task(s)
            PID:3988
          • C:\Users\Admin\AppData\Local\Temp\1000211001\ISetup8.exe
            "C:\Users\Admin\AppData\Local\Temp\1000211001\ISetup8.exe"
            3⤵
            • Checks computer location settings
            • Executes dropped EXE
            PID:3924
            • C:\Users\Admin\AppData\Local\Temp\u310.0.exe
              "C:\Users\Admin\AppData\Local\Temp\u310.0.exe"
              4⤵
              • Executes dropped EXE
              PID:5136
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 5136 -s 1016
                5⤵
                • Program crash
                PID:4720
            • C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe
              "C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe"
              4⤵
                PID:5868
                • C:\Users\Admin\AppData\Local\Temp\ZXB_tls\UniversalInstaller.exe
                  C:\Users\Admin\AppData\Local\Temp\ZXB_tls\UniversalInstaller.exe
                  5⤵
                    PID:5408
                    • C:\Users\Admin\AppData\Roaming\ZXB_tls\UniversalInstaller.exe
                      C:\Users\Admin\AppData\Roaming\ZXB_tls\UniversalInstaller.exe
                      6⤵
                        PID:6412
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\SysWOW64\cmd.exe
                          7⤵
                            PID:6840
                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                              C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                              8⤵
                                PID:1536
                      • C:\Users\Admin\AppData\Local\Temp\u310.1.exe
                        "C:\Users\Admin\AppData\Local\Temp\u310.1.exe"
                        4⤵
                          PID:5944
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 1072
                          4⤵
                          • Program crash
                          PID:3960
                      • C:\Users\Admin\AppData\Local\Temp\1000212001\toolspub1.exe
                        "C:\Users\Admin\AppData\Local\Temp\1000212001\toolspub1.exe"
                        3⤵
                        • Executes dropped EXE
                        • Checks SCSI registry key(s)
                        PID:5392
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -u -p 5392 -s 356
                          4⤵
                          • Program crash
                          PID:5580
                      • C:\Users\Admin\AppData\Local\Temp\1000213001\4767d2e713f2021e8fe856e3ea638b58.exe
                        "C:\Users\Admin\AppData\Local\Temp\1000213001\4767d2e713f2021e8fe856e3ea638b58.exe"
                        3⤵
                        • Executes dropped EXE
                        PID:5712
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          powershell -nologo -noprofile
                          4⤵
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:5512
                        • C:\Users\Admin\AppData\Local\Temp\1000213001\4767d2e713f2021e8fe856e3ea638b58.exe
                          "C:\Users\Admin\AppData\Local\Temp\1000213001\4767d2e713f2021e8fe856e3ea638b58.exe"
                          4⤵
                            PID:4516
                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              powershell -nologo -noprofile
                              5⤵
                                PID:5372
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
                                5⤵
                                  PID:2432
                                  • C:\Windows\system32\netsh.exe
                                    netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                                    6⤵
                                    • Modifies Windows Firewall
                                    PID:5172
                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  powershell -nologo -noprofile
                                  5⤵
                                    PID:5980
                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    powershell -nologo -noprofile
                                    5⤵
                                      PID:6436
                                • C:\Users\Admin\AppData\Local\Temp\1000214001\FirstZ.exe
                                  "C:\Users\Admin\AppData\Local\Temp\1000214001\FirstZ.exe"
                                  3⤵
                                    PID:3212
                                    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                                      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                      4⤵
                                        PID:7132
                                      • C:\Windows\system32\cmd.exe
                                        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                        4⤵
                                          PID:4148
                                          • C:\Windows\system32\wusa.exe
                                            wusa /uninstall /kb:890830 /quiet /norestart
                                            5⤵
                                              PID:1276
                                          • C:\Windows\system32\sc.exe
                                            C:\Windows\system32\sc.exe stop UsoSvc
                                            4⤵
                                            • Launches sc.exe
                                            PID:5972
                                          • C:\Windows\system32\sc.exe
                                            C:\Windows\system32\sc.exe stop WaaSMedicSvc
                                            4⤵
                                            • Launches sc.exe
                                            PID:6064
                                          • C:\Windows\system32\sc.exe
                                            C:\Windows\system32\sc.exe stop wuauserv
                                            4⤵
                                            • Launches sc.exe
                                            PID:3652
                                          • C:\Windows\system32\sc.exe
                                            C:\Windows\system32\sc.exe stop bits
                                            4⤵
                                            • Launches sc.exe
                                            PID:5244
                                          • C:\Windows\system32\sc.exe
                                            C:\Windows\system32\sc.exe stop dosvc
                                            4⤵
                                            • Launches sc.exe
                                            PID:6556
                                          • C:\Windows\system32\powercfg.exe
                                            C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                            4⤵
                                              PID:6808
                                            • C:\Windows\system32\powercfg.exe
                                              C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                              4⤵
                                                PID:7160
                                              • C:\Windows\system32\powercfg.exe
                                                C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                                4⤵
                                                  PID:6812
                                                • C:\Windows\system32\powercfg.exe
                                                  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                  4⤵
                                                    PID:4840
                                                  • C:\Windows\system32\sc.exe
                                                    C:\Windows\system32\sc.exe delete "WSNKISKT"
                                                    4⤵
                                                    • Launches sc.exe
                                                    PID:6436
                                                  • C:\Windows\system32\sc.exe
                                                    C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
                                                    4⤵
                                                    • Launches sc.exe
                                                    PID:7112
                                                  • C:\Windows\system32\sc.exe
                                                    C:\Windows\system32\sc.exe stop eventlog
                                                    4⤵
                                                    • Launches sc.exe
                                                    PID:2176
                                                  • C:\Windows\system32\sc.exe
                                                    C:\Windows\system32\sc.exe start "WSNKISKT"
                                                    4⤵
                                                    • Launches sc.exe
                                                    PID:2960
                                                • C:\Users\Admin\AppData\Local\Temp\1000215001\Uni400uni.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\1000215001\Uni400uni.exe"
                                                  3⤵
                                                    PID:5132
                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000215001\Uni400uni.exe" -Force
                                                      4⤵
                                                        PID:3620
                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
                                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
                                                        4⤵
                                                          PID:5948
                                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                                                          4⤵
                                                            PID:3272
                                                            • C:\Users\Admin\Pictures\uJp0M8cNjUTEDWaxIxHKvVLl.exe
                                                              "C:\Users\Admin\Pictures\uJp0M8cNjUTEDWaxIxHKvVLl.exe"
                                                              5⤵
                                                                PID:6016
                                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  powershell -nologo -noprofile
                                                                  6⤵
                                                                    PID:5968
                                                                  • C:\Users\Admin\Pictures\uJp0M8cNjUTEDWaxIxHKvVLl.exe
                                                                    "C:\Users\Admin\Pictures\uJp0M8cNjUTEDWaxIxHKvVLl.exe"
                                                                    6⤵
                                                                      PID:6264
                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                        powershell -nologo -noprofile
                                                                        7⤵
                                                                          PID:516
                                                                    • C:\Users\Admin\Pictures\nsEhFgjc0m6yYnAvcWhOZQJ3.exe
                                                                      "C:\Users\Admin\Pictures\nsEhFgjc0m6yYnAvcWhOZQJ3.exe"
                                                                      5⤵
                                                                        PID:5508
                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          powershell -nologo -noprofile
                                                                          6⤵
                                                                            PID:5372
                                                                          • C:\Users\Admin\Pictures\nsEhFgjc0m6yYnAvcWhOZQJ3.exe
                                                                            "C:\Users\Admin\Pictures\nsEhFgjc0m6yYnAvcWhOZQJ3.exe"
                                                                            6⤵
                                                                              PID:2760
                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                powershell -nologo -noprofile
                                                                                7⤵
                                                                                  PID:5664
                                                                            • C:\Users\Admin\Pictures\DFuJMgnmqkDxOPCboVDONfP7.exe
                                                                              "C:\Users\Admin\Pictures\DFuJMgnmqkDxOPCboVDONfP7.exe"
                                                                              5⤵
                                                                                PID:3112
                                                                                • C:\Users\Admin\AppData\Local\Temp\u2eg.0.exe
                                                                                  "C:\Users\Admin\AppData\Local\Temp\u2eg.0.exe"
                                                                                  6⤵
                                                                                    PID:6768
                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 6768 -s 1020
                                                                                      7⤵
                                                                                      • Program crash
                                                                                      PID:212
                                                                                • C:\Users\Admin\Pictures\KBrTYnex0nOl2OOkpoas3TBm.exe
                                                                                  "C:\Users\Admin\Pictures\KBrTYnex0nOl2OOkpoas3TBm.exe"
                                                                                  5⤵
                                                                                    PID:3720
                                                                                  • C:\Users\Admin\Pictures\fNZKTo60dQtNCZXg7iUTamYx.exe
                                                                                    "C:\Users\Admin\Pictures\fNZKTo60dQtNCZXg7iUTamYx.exe" --silent --allusers=0
                                                                                    5⤵
                                                                                      PID:4312
                                                                                      • C:\Users\Admin\Pictures\fNZKTo60dQtNCZXg7iUTamYx.exe
                                                                                        C:\Users\Admin\Pictures\fNZKTo60dQtNCZXg7iUTamYx.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x2a0,0x2a4,0x2a8,0x27c,0x2ac,0x6a17e1d0,0x6a17e1dc,0x6a17e1e8
                                                                                        6⤵
                                                                                          PID:6656
                                                                                        • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\fNZKTo60dQtNCZXg7iUTamYx.exe
                                                                                          "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\fNZKTo60dQtNCZXg7iUTamYx.exe" --version
                                                                                          6⤵
                                                                                            PID:7128
                                                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                                                                                        4⤵
                                                                                          PID:5580
                                                                                      • C:\Users\Admin\AppData\Local\Temp\1000216001\070.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\1000216001\070.exe"
                                                                                        3⤵
                                                                                          PID:4204
                                                                                          • C:\Users\Admin\AppData\Local\Temp\is-ILV32.tmp\is-I6D7N.tmp
                                                                                            "C:\Users\Admin\AppData\Local\Temp\is-ILV32.tmp\is-I6D7N.tmp" /SL4 $8026C "C:\Users\Admin\AppData\Local\Temp\1000216001\070.exe" 3710753 52224
                                                                                            4⤵
                                                                                              PID:7148
                                                                                              • C:\Users\Admin\AppData\Local\CD-DVD-Runner\cddvdrunner2333.exe
                                                                                                "C:\Users\Admin\AppData\Local\CD-DVD-Runner\cddvdrunner2333.exe" -i
                                                                                                5⤵
                                                                                                  PID:6796
                                                                                                • C:\Users\Admin\AppData\Local\CD-DVD-Runner\cddvdrunner2333.exe
                                                                                                  "C:\Users\Admin\AppData\Local\CD-DVD-Runner\cddvdrunner2333.exe" -s
                                                                                                  5⤵
                                                                                                    PID:6008
                                                                                            • C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe
                                                                                              "C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"
                                                                                              2⤵
                                                                                              • Executes dropped EXE
                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                              PID:4432
                                                                                            • C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe
                                                                                              "C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe"
                                                                                              2⤵
                                                                                              • Executes dropped EXE
                                                                                              • Suspicious use of SetThreadContext
                                                                                              • Suspicious use of WriteProcessMemory
                                                                                              PID:4296
                                                                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                                3⤵
                                                                                                • Checks processor information in registry
                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                PID:3948
                                                                                            • C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe
                                                                                              "C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe"
                                                                                              2⤵
                                                                                              • UAC bypass
                                                                                              • Windows security bypass
                                                                                              • Checks computer location settings
                                                                                              • Executes dropped EXE
                                                                                              • Windows security modification
                                                                                              • Checks whether UAC is enabled
                                                                                              • Suspicious use of SetThreadContext
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              • System policy modification
                                                                                              PID:4464
                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe" -Force
                                                                                                3⤵
                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:5468
                                                                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
                                                                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
                                                                                                3⤵
                                                                                                  PID:5484
                                                                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                                                                                                  3⤵
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  PID:5568
                                                                                                  • C:\Users\Admin\Pictures\qDb1m0wjR9XRNT5FMOvtQwKc.exe
                                                                                                    "C:\Users\Admin\Pictures\qDb1m0wjR9XRNT5FMOvtQwKc.exe"
                                                                                                    4⤵
                                                                                                    • Executes dropped EXE
                                                                                                    PID:5532
                                                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      powershell -nologo -noprofile
                                                                                                      5⤵
                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:5408
                                                                                                    • C:\Users\Admin\Pictures\qDb1m0wjR9XRNT5FMOvtQwKc.exe
                                                                                                      "C:\Users\Admin\Pictures\qDb1m0wjR9XRNT5FMOvtQwKc.exe"
                                                                                                      5⤵
                                                                                                        PID:3860
                                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          powershell -nologo -noprofile
                                                                                                          6⤵
                                                                                                            PID:2980
                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                            C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
                                                                                                            6⤵
                                                                                                              PID:6016
                                                                                                              • C:\Windows\System32\Conhost.exe
                                                                                                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                7⤵
                                                                                                                  PID:6072
                                                                                                                • C:\Windows\system32\netsh.exe
                                                                                                                  netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                                                                                                                  7⤵
                                                                                                                  • Modifies Windows Firewall
                                                                                                                  PID:4852
                                                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                powershell -nologo -noprofile
                                                                                                                6⤵
                                                                                                                  PID:5816
                                                                                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  powershell -nologo -noprofile
                                                                                                                  6⤵
                                                                                                                    PID:5908
                                                                                                                  • C:\Windows\rss\csrss.exe
                                                                                                                    C:\Windows\rss\csrss.exe
                                                                                                                    6⤵
                                                                                                                      PID:4420
                                                                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                        powershell -nologo -noprofile
                                                                                                                        7⤵
                                                                                                                          PID:3620
                                                                                                                        • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                                          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                                                                                                                          7⤵
                                                                                                                          • Creates scheduled task(s)
                                                                                                                          PID:3984
                                                                                                                        • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                                          schtasks /delete /tn ScheduledUpdate /f
                                                                                                                          7⤵
                                                                                                                            PID:5128
                                                                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            powershell -nologo -noprofile
                                                                                                                            7⤵
                                                                                                                              PID:5124
                                                                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                              powershell -nologo -noprofile
                                                                                                                              7⤵
                                                                                                                                PID:5804
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                                                                                                                                C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                                                                                                                                7⤵
                                                                                                                                  PID:1060
                                                                                                                                • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                                                  schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                                                                                                                                  7⤵
                                                                                                                                  • Creates scheduled task(s)
                                                                                                                                  PID:6468
                                                                                                                                • C:\Windows\windefender.exe
                                                                                                                                  "C:\Windows\windefender.exe"
                                                                                                                                  7⤵
                                                                                                                                    PID:2520
                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                      cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                                                                                                                                      8⤵
                                                                                                                                        PID:6608
                                                                                                                                        • C:\Windows\SysWOW64\sc.exe
                                                                                                                                          sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                                                                                                                                          9⤵
                                                                                                                                          • Launches sc.exe
                                                                                                                                          PID:1980
                                                                                                                              • C:\Users\Admin\Pictures\S4OaF9Rbrr7FIRJ7MihhxXS6.exe
                                                                                                                                "C:\Users\Admin\Pictures\S4OaF9Rbrr7FIRJ7MihhxXS6.exe"
                                                                                                                                4⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                PID:6072
                                                                                                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                  powershell -nologo -noprofile
                                                                                                                                  5⤵
                                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                  PID:5928
                                                                                                                                • C:\Users\Admin\Pictures\S4OaF9Rbrr7FIRJ7MihhxXS6.exe
                                                                                                                                  "C:\Users\Admin\Pictures\S4OaF9Rbrr7FIRJ7MihhxXS6.exe"
                                                                                                                                  5⤵
                                                                                                                                    PID:5196
                                                                                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      powershell -nologo -noprofile
                                                                                                                                      6⤵
                                                                                                                                        PID:5396
                                                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                                                        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
                                                                                                                                        6⤵
                                                                                                                                          PID:4232
                                                                                                                                          • C:\Windows\system32\netsh.exe
                                                                                                                                            netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                                                                                                                                            7⤵
                                                                                                                                            • Modifies Windows Firewall
                                                                                                                                            PID:5320
                                                                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                          powershell -nologo -noprofile
                                                                                                                                          6⤵
                                                                                                                                            PID:4856
                                                                                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                            powershell -nologo -noprofile
                                                                                                                                            6⤵
                                                                                                                                              PID:7064
                                                                                                                                        • C:\Users\Admin\Pictures\to0OhbVipQeOHcxQF3wskUdp.exe
                                                                                                                                          "C:\Users\Admin\Pictures\to0OhbVipQeOHcxQF3wskUdp.exe"
                                                                                                                                          4⤵
                                                                                                                                            PID:4532
                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\u3hw.0.exe
                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\u3hw.0.exe"
                                                                                                                                              5⤵
                                                                                                                                                PID:1240
                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 1016
                                                                                                                                                  6⤵
                                                                                                                                                  • Program crash
                                                                                                                                                  PID:7028
                                                                                                                                            • C:\Users\Admin\Pictures\glv2gTHlzY7OGPA7YIH8klm9.exe
                                                                                                                                              "C:\Users\Admin\Pictures\glv2gTHlzY7OGPA7YIH8klm9.exe"
                                                                                                                                              4⤵
                                                                                                                                                PID:6488
                                                                                                                                              • C:\Users\Admin\Pictures\QQ4bpd9XhhhrawkTfJYq58R8.exe
                                                                                                                                                "C:\Users\Admin\Pictures\QQ4bpd9XhhhrawkTfJYq58R8.exe" --silent --allusers=0
                                                                                                                                                4⤵
                                                                                                                                                  PID:3452
                                                                                                                                                  • C:\Users\Admin\Pictures\QQ4bpd9XhhhrawkTfJYq58R8.exe
                                                                                                                                                    C:\Users\Admin\Pictures\QQ4bpd9XhhhrawkTfJYq58R8.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x6b64e1d0,0x6b64e1dc,0x6b64e1e8
                                                                                                                                                    5⤵
                                                                                                                                                      PID:428
                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\QQ4bpd9XhhhrawkTfJYq58R8.exe
                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\QQ4bpd9XhhhrawkTfJYq58R8.exe" --version
                                                                                                                                                      5⤵
                                                                                                                                                        PID:6400
                                                                                                                                                      • C:\Users\Admin\Pictures\QQ4bpd9XhhhrawkTfJYq58R8.exe
                                                                                                                                                        "C:\Users\Admin\Pictures\QQ4bpd9XhhhrawkTfJYq58R8.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=3452 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240421030011" --session-guid=364bc1c8-5cb6-44e1-a6b2-5c59be6b9476 --server-tracking-blob="YTVjOTVmMDIwMjU3NGYxMTVkNjIxYjkwMjQ2NWZiNTE4OWQ2ZmE4ZjczYmFiMDgzODY0MjdkZWZhNzM3MDY4Njp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N19fNDU2Iiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTAiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzEzNjY4MzY2LjUzMzgiLCJ1dG0iOnsiY2FtcGFpZ24iOiI3NjdfXzQ1NiIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6Im1rdCJ9LCJ1dWlkIjoiMDBkZmIwNmUtYWE0MS00ZDg0LWFhNjUtNjJiOWUxODc4NjI5In0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=4C04000000000000
                                                                                                                                                        5⤵
                                                                                                                                                          PID:6568
                                                                                                                                                          • C:\Users\Admin\Pictures\QQ4bpd9XhhhrawkTfJYq58R8.exe
                                                                                                                                                            C:\Users\Admin\Pictures\QQ4bpd9XhhhrawkTfJYq58R8.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x2a4,0x2a8,0x2ac,0x274,0x2b0,0x6acce1d0,0x6acce1dc,0x6acce1e8
                                                                                                                                                            6⤵
                                                                                                                                                              PID:6740
                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404210300111\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe
                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404210300111\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"
                                                                                                                                                            5⤵
                                                                                                                                                              PID:2692
                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404210300111\assistant\assistant_installer.exe
                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404210300111\assistant\assistant_installer.exe" --version
                                                                                                                                                              5⤵
                                                                                                                                                                PID:3284
                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404210300111\assistant\assistant_installer.exe
                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404210300111\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x230,0x234,0x238,0x20c,0x23c,0x616038,0x616044,0x616050
                                                                                                                                                                  6⤵
                                                                                                                                                                    PID:6164
                                                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                                                                                                                                                              3⤵
                                                                                                                                                                PID:5608
                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1000193001\dirtquire.exe
                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\1000193001\dirtquire.exe"
                                                                                                                                                              2⤵
                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                                                              PID:5528
                                                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                                                                                                3⤵
                                                                                                                                                                • Blocklisted process makes network request
                                                                                                                                                                • Checks computer location settings
                                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                PID:5816
                                                                                                                                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Start-Process 'C:\Users\Admin\AppData\Roaming\25IEXNRPOH.exe'"
                                                                                                                                                                  4⤵
                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                  PID:5008
                                                                                                                                                            • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                              "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
                                                                                                                                                              2⤵
                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                              PID:6076
                                                                                                                                                              • C:\Windows\system32\rundll32.exe
                                                                                                                                                                "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
                                                                                                                                                                3⤵
                                                                                                                                                                • Blocklisted process makes network request
                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                PID:5736
                                                                                                                                                                • C:\Windows\system32\netsh.exe
                                                                                                                                                                  netsh wlan show profiles
                                                                                                                                                                  4⤵
                                                                                                                                                                    PID:1472
                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\597858682981_Desktop.zip' -CompressionLevel Optimal
                                                                                                                                                                    4⤵
                                                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                    PID:6116
                                                                                                                                                              • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
                                                                                                                                                                2⤵
                                                                                                                                                                  PID:4756
                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5008 -ip 5008
                                                                                                                                                                1⤵
                                                                                                                                                                  PID:4600
                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5392 -ip 5392
                                                                                                                                                                  1⤵
                                                                                                                                                                    PID:5504
                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
                                                                                                                                                                    1⤵
                                                                                                                                                                      PID:6132
                                                                                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                                                                                      C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
                                                                                                                                                                      1⤵
                                                                                                                                                                        PID:6232
                                                                                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                                                                                        C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
                                                                                                                                                                        1⤵
                                                                                                                                                                          PID:6240
                                                                                                                                                                        • C:\ProgramData\wikombernizc\reakuqnanrkn.exe
                                                                                                                                                                          C:\ProgramData\wikombernizc\reakuqnanrkn.exe
                                                                                                                                                                          1⤵
                                                                                                                                                                            PID:2480
                                                                                                                                                                            • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                              C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                                                                                                                                              2⤵
                                                                                                                                                                                PID:5492
                                                                                                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                                                                                                C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                                                                                                                                                2⤵
                                                                                                                                                                                  PID:7140
                                                                                                                                                                                  • C:\Windows\system32\wusa.exe
                                                                                                                                                                                    wusa /uninstall /kb:890830 /quiet /norestart
                                                                                                                                                                                    3⤵
                                                                                                                                                                                      PID:3944
                                                                                                                                                                                  • C:\Windows\system32\sc.exe
                                                                                                                                                                                    C:\Windows\system32\sc.exe stop UsoSvc
                                                                                                                                                                                    2⤵
                                                                                                                                                                                    • Launches sc.exe
                                                                                                                                                                                    PID:7120
                                                                                                                                                                                  • C:\Windows\system32\sc.exe
                                                                                                                                                                                    C:\Windows\system32\sc.exe stop WaaSMedicSvc
                                                                                                                                                                                    2⤵
                                                                                                                                                                                    • Launches sc.exe
                                                                                                                                                                                    PID:6868
                                                                                                                                                                                  • C:\Windows\system32\sc.exe
                                                                                                                                                                                    C:\Windows\system32\sc.exe stop wuauserv
                                                                                                                                                                                    2⤵
                                                                                                                                                                                    • Launches sc.exe
                                                                                                                                                                                    PID:6944
                                                                                                                                                                                  • C:\Windows\system32\sc.exe
                                                                                                                                                                                    C:\Windows\system32\sc.exe stop bits
                                                                                                                                                                                    2⤵
                                                                                                                                                                                    • Launches sc.exe
                                                                                                                                                                                    PID:3564
                                                                                                                                                                                  • C:\Windows\system32\sc.exe
                                                                                                                                                                                    C:\Windows\system32\sc.exe stop dosvc
                                                                                                                                                                                    2⤵
                                                                                                                                                                                    • Launches sc.exe
                                                                                                                                                                                    PID:2176
                                                                                                                                                                                  • C:\Windows\system32\powercfg.exe
                                                                                                                                                                                    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                                                                                                                                                                    2⤵
                                                                                                                                                                                      PID:1300
                                                                                                                                                                                    • C:\Windows\system32\powercfg.exe
                                                                                                                                                                                      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                                                                                                                                                                      2⤵
                                                                                                                                                                                        PID:5340
                                                                                                                                                                                      • C:\Windows\system32\powercfg.exe
                                                                                                                                                                                        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                                                                                                                                                                        2⤵
                                                                                                                                                                                          PID:3524
                                                                                                                                                                                        • C:\Windows\system32\powercfg.exe
                                                                                                                                                                                          C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                                                                                                                                                          2⤵
                                                                                                                                                                                            PID:5820
                                                                                                                                                                                          • C:\Windows\system32\conhost.exe
                                                                                                                                                                                            C:\Windows\system32\conhost.exe
                                                                                                                                                                                            2⤵
                                                                                                                                                                                              PID:7056
                                                                                                                                                                                            • C:\Windows\explorer.exe
                                                                                                                                                                                              explorer.exe
                                                                                                                                                                                              2⤵
                                                                                                                                                                                                PID:7136
                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1240 -ip 1240
                                                                                                                                                                                              1⤵
                                                                                                                                                                                                PID:2084
                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
                                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
                                                                                                                                                                                                1⤵
                                                                                                                                                                                                  PID:6592
                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 6768 -ip 6768
                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                    PID:6292
                                                                                                                                                                                                  • C:\Windows\windefender.exe
                                                                                                                                                                                                    C:\Windows\windefender.exe
                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                      PID:1232
                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5136 -ip 5136
                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                        PID:5684
                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3924 -ip 3924
                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                          PID:5816

                                                                                                                                                                                                        Network

                                                                                                                                                                                                        MITRE ATT&CK Enterprise v15

                                                                                                                                                                                                        Reconnaissance

                                                                                                                                                                                                        Resource Development

                                                                                                                                                                                                        Initial Access

                                                                                                                                                                                                        Execution

                                                                                                                                                                                                        Scheduled Task/Job

                                                                                                                                                                                                        1
                                                                                                                                                                                                        T1053

                                                                                                                                                                                                        Persistence

                                                                                                                                                                                                        Create or Modify System Process

                                                                                                                                                                                                        3
                                                                                                                                                                                                        T1543

                                                                                                                                                                                                        Windows Service

                                                                                                                                                                                                        3
                                                                                                                                                                                                        T1543.003

                                                                                                                                                                                                        Scheduled Task/Job

                                                                                                                                                                                                        1
                                                                                                                                                                                                        T1053

                                                                                                                                                                                                        Privilege Escalation

                                                                                                                                                                                                        Abuse Elevation Control Mechanism

                                                                                                                                                                                                        1
                                                                                                                                                                                                        T1548

                                                                                                                                                                                                        Bypass User Account Control

                                                                                                                                                                                                        1
                                                                                                                                                                                                        T1548.002

                                                                                                                                                                                                        Create or Modify System Process

                                                                                                                                                                                                        3
                                                                                                                                                                                                        T1543

                                                                                                                                                                                                        Windows Service

                                                                                                                                                                                                        3
                                                                                                                                                                                                        T1543.003

                                                                                                                                                                                                        Scheduled Task/Job

                                                                                                                                                                                                        1
                                                                                                                                                                                                        T1053

                                                                                                                                                                                                        Defense Evasion

                                                                                                                                                                                                        Abuse Elevation Control Mechanism

                                                                                                                                                                                                        1
                                                                                                                                                                                                        T1548

                                                                                                                                                                                                        Bypass User Account Control

                                                                                                                                                                                                        1
                                                                                                                                                                                                        T1548.002

                                                                                                                                                                                                        Impair Defenses

                                                                                                                                                                                                        5
                                                                                                                                                                                                        T1562

                                                                                                                                                                                                        Disable or Modify System Firewall

                                                                                                                                                                                                        1
                                                                                                                                                                                                        T1562.004

                                                                                                                                                                                                        Disable or Modify Tools

                                                                                                                                                                                                        3
                                                                                                                                                                                                        T1562.001

                                                                                                                                                                                                        Modify Registry

                                                                                                                                                                                                        5
                                                                                                                                                                                                        T1112

                                                                                                                                                                                                        Subvert Trust Controls

                                                                                                                                                                                                        1
                                                                                                                                                                                                        T1553

                                                                                                                                                                                                        Install Root Certificate

                                                                                                                                                                                                        1
                                                                                                                                                                                                        T1553.004

                                                                                                                                                                                                        Virtualization/Sandbox Evasion

                                                                                                                                                                                                        2
                                                                                                                                                                                                        T1497

                                                                                                                                                                                                        Credential Access

                                                                                                                                                                                                        Unsecured Credentials

                                                                                                                                                                                                        5
                                                                                                                                                                                                        T1552

                                                                                                                                                                                                        Credentials In Files

                                                                                                                                                                                                        4
                                                                                                                                                                                                        T1552.001

                                                                                                                                                                                                        Credentials in Registry

                                                                                                                                                                                                        1
                                                                                                                                                                                                        T1552.002

                                                                                                                                                                                                        Discovery

                                                                                                                                                                                                        Peripheral Device Discovery

                                                                                                                                                                                                        1
                                                                                                                                                                                                        T1120

                                                                                                                                                                                                        Query Registry

                                                                                                                                                                                                        7
                                                                                                                                                                                                        T1012

                                                                                                                                                                                                        System Information Discovery

                                                                                                                                                                                                        6
                                                                                                                                                                                                        T1082

                                                                                                                                                                                                        Virtualization/Sandbox Evasion

                                                                                                                                                                                                        2
                                                                                                                                                                                                        T1497

                                                                                                                                                                                                        Lateral Movement

                                                                                                                                                                                                        Collection

                                                                                                                                                                                                        Data from Local System

                                                                                                                                                                                                        5
                                                                                                                                                                                                        T1005

                                                                                                                                                                                                        Command and Control

                                                                                                                                                                                                        Web Service

                                                                                                                                                                                                        1
                                                                                                                                                                                                        T1102

                                                                                                                                                                                                        Exfiltration

                                                                                                                                                                                                        Impact

                                                                                                                                                                                                        Service Stop

                                                                                                                                                                                                        1
                                                                                                                                                                                                        T1489

                                                                                                                                                                                                        Replay Monitor

                                                                                                                                                                                                        Loading Replay Monitor...

                                                                                                                                                                                                        Downloads

                                                                                                                                                                                                        • C:\ProgramData\ImageGuide 3.1.33.67\ImageGuide 3.1.33.67.exe
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          3.9MB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          80d5389c5a4f9a34ffb6432986f20cf1

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          9fa64fbf8788152616e84f708655c7278d30e09d

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          13d2fce54d140f74b58df72e26d1be9803a2e953f48972bf576c5e4f8b5e8f04

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          7d202a373f1d5ca0be5ed9a7e10a396c3b986f4d7f0e4a0ef373ebd71a9cbcb508e11a3a9abab911bc91d0ed6a972e2291e25304c1bf2a74cf3870e9dbc22485

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\ProgramData\mozglue.dll
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          593KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          c8fd9be83bc728cc04beffafc2907fe9

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          95ab9f701e0024cedfbd312bcfe4e726744c4f2e

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          2KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          d85ba6ff808d9e5444a4b369f5bc2730

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          31aa9d96590fff6981b315e0b391b575e4c0804a

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          2KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          968cb9309758126772781b83adb8a28f

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          8da30e71accf186b2ba11da1797cf67f8f78b47c

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          19KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          69f76884367f9a1e063627a731074dc1

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          abc0d1f0870760f2db378c6f18adec8d13e6af3c

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          3e3a2a06afa031e3edbaed176bf253aed0b6d1238633f0774432c0e08050c6c4

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          8aac26f7349882b8a8ea445d40e2488be228b137ab09c7abb1f066e13bc8006b034fd5629f80610f8e711ad0543cda86839a432c7472fafe03bd9ce0dedcc3b1

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          19KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          a1e1549834a83c757c122d5a33794a36

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          55bc92c8c5c91d28e9f2a546c7d6459134fb4588

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          775fe00c392d5f5814ec437c421884acf13d48c945247bbb895b7760dcbca73f

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          720206ef5d5b7ebfe6214c6bc6e1c7260b683593aab5ac23e8b30c311d38bfdf7cb0ce65a39be998aa40d1edf7239f455545c7d3530b062a08dfc7c5e960f423

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          944B

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          6d3e9c29fe44e90aae6ed30ccf799ca8

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          c7974ef72264bbdf13a2793ccf1aed11bc565dce

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          1KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          aaa76a92049915814f330d784de1237a

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          3ddd46abe2f89b2181c487e40c974c5a865525e9

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          928cc2e8b3f9d15cc54a19133817a57435cc3fc92a57d2447f6991247bfc9239

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          5ff0c34a3db8732aa4c98ae99bc499db5880ef381693ad044993abca8d8bcfe8c2189a8dfd0c6d59bb6d04d34d4bde9dd822e5b24ca6a7c1d7250754fe520436

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404210300111\additional_file0.tmp
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          2.5MB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          15d8c8f36cef095a67d156969ecdb896

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          a1435deb5866cd341c09e56b65cdda33620fcc95

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          1521c69f478e9ced2f64b8714b9e19724e747cd8166e0f7ab5db1151a523dda8

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          d6f48180d4dcb5ba83a9c0166870ac00ea67b615e749edf5994bc50277bf97ca87f582ac6f374c5351df252db73ee1231c943b53432dbb7563e12bbaf5bb393a

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404210300111\opera_package
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          103.8MB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          5014156e9ffbb75d1a8d5fc09fabdc42

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          6968d1b5cec3039e53bbbedeee22e2d43d94c771

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          7a01e11e1830ba3c154e5a6c383da15938b1e48f89a2fe4045cdd260924b6802

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          bfc5c44881d0fa7bcbccfd530d874fa624adec50e1a16063a72de12876d2db10ca5edd6fa841ea63e9deca3ff2adf54065f50719fe051d41de92bb68edba4016

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          321KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          1c7d0f34bb1d85b5d2c01367cc8f62ef

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          33aedadb5361f1646cffd68791d72ba5f1424114

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          53bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          1.7MB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          85a15f080b09acace350ab30460c8996

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          3fc515e60e4cfa5b3321f04a96c7fb463e4b9d02

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          3a2006bc835a8ffe91b9ee9206f630b3172f42e090f4e8d90be620e540f5ef6b

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          ade5e3531dfa1a01e6c2a69deb2962cbf619e766da3d6e8e3453f70ff55ccbcbe21381c7b97a53d67e1ca88975f4409b1a42a759e18f806171d29e4c3f250e9f

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          488KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          82053649cadec1a338509e46ba776fbd

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          6d8e479a6dc76d54109bb2e602b8087d55537510

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          30468f8b767772214c60a701ecfee11c634516c3e2de146cd07638ea00dd0b6e

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          e4b2b219483477a73fec5a207012f77c7167bf7b7f9adcb80ee92f87ddfe592a0d520f2afee531d1cce926ef56da2b065b13630a1cc171f48db8f7987e10897a

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          418KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          0099a99f5ffb3c3ae78af0084136fab3

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          0205a065728a9ec1133e8a372b1e3864df776e8c

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          304KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          8510bcf5bc264c70180abe78298e4d5b

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          2c3a2a85d129b0d750ed146d1d4e4d6274623e28

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          096220045877e456edfea1adcd5bf1efd332665ef073c6d1e9474c84ca5433f6

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          5ff0a47f9e14e22fc76d41910b2986605376605913173d8ad83d29d85eb79b679459e2723a6ad17bc3c3b8c9b359e2be7348ee1c21fa2e8ceb7cc9220515258d

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          158KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          586f7fecacd49adab650fae36e2db994

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          35d9fb512a8161ce867812633f0a43b042f9a5e6

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          cf88d499c83da613ad5ccd8805822901bdc3a12eb9b15804aeff8c53dc05fc4e

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          a44a2c99d18509681505cf70a251baf2558030a8648d9c621acc72fafcb2f744e3ef664dfd0229baf7c78fb72e69f5d644c755ded4060dcafa7f711d70e94772

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          404KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          15ce9e885610d5b85500ea0d139f6d21

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          99f1392185a70453f33e15d6f5b75064217c2c18

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          95442c887f47bbb4b350fca87c45dc6ef95355ce86a63d7c2f50db2d92ae512e

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          9ee8e3fb682cf7abb5804106f841551f2f0fd8ace9842e67f3bda573772d39a6482d19e853de5a9a48d177350a3398cb814105ced01fdfb1be6db7e8bc9055b9

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000193001\dirtquire.exe
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          273KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          e795115169cc800de0392d6a675d58fd

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          8dd75837e360ba1cb8acf5a3d348dd020a5da482

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          17f929c1d40a7fd6f897c0b15ca9c44b2059cbccb3037c31619d87954659478e

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          5fb6543e91de175bd365462a1cc87d6772e43b0effd3757b3e408b08a4de5a004de9a85e7f1d09578fa3bc6b6486c5f5016c1b879496582dbb39b2e62e168f38

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000211001\ISetup8.exe
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          445KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          a4ff45669edba40e7cf0e41e0c154c4f

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          4b87fca932cea0d1c2d62234e10edef8e658b2ae

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          2a08e27c78c12acefbd49668d9384b5e54a5f907bedac5c3f5d2094e8bf3f9d1

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          ca509c14c201102564804e5e67f51c631ef2c0647bd555bdbd0fd290b1ac6d0a74f42d326abe8051d230c80181f0dc90b2d70d75a7c94aab52532a2b506eb52d

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000212001\toolspub1.exe
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          300KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          3bdbe965922732ae0d662c74b444bdf1

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          300abe798f642648d0bfeac99ae92d7edf941cb7

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          23b86d03dce9c537233aba35061118e238ce3f444e6ce0057bc4be310e97fb53

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          cfebb561e5f0b15f2ecfbfbe338391648d5ae2c6a2b50add27a6ba45ca504182ad93ea6e378c70087d1d7acd48fc10779fd8534a4b03d9e09218cb7068b4a101

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000213001\4767d2e713f2021e8fe856e3ea638b58.exe
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          4.2MB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          ed8593e5f283b8088fbdc61de4dc48d2

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          56be3c8af7b97b0e3ed033a53a8fc056528321d5

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          769a2271e023a176150f121941025e07722a8ac7a45efbadd1f8018b528083d3

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          9505a39dabf78ae5461cdff430147bc995c5cd6523dd87688338c7344903817c180adfdcff971ffd22b3d854adfa711c73812bbde59d302a064152ec8aab7023

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000214001\FirstZ.exe
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          2.5MB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          ffada57f998ed6a72b6ba2f072d2690a

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          6857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          1de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000215001\Uni400uni.exe
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          556KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          e1d8325b086f91769120381b78626e2e

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          0eb6827878445d3e3e584b7f08067a7a4dc9e618

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          b925abb193e7003f4a692064148ffe7840096022a44f4d5ae4c0abb59a287934

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          c8c0b424c2ed7ee598997bdc0b0d2099b650a280903716891b0eaa340acf556c0642d921fcb7f654387a4a1f1ec4a32feaf8d872b51ca482a977f11e2974072c

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000216001\070.exe
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          3.9MB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          f1d29fddb47e42d7dbf2cf42ba36cc72

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          95be0248f53891aa5abecc498af5c3c98b532ba6

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          a50431ef857f65eb57d4418d917b25307371dd2612c045c0d34f78cea631996c

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          f2e82e4e57dc6b3033ac74846f9830092521a26067d96f1c07b613258267c2d578bee901a0db04cd4fad13d2cc8afbbd3c3a685e040d225afd70203891632bbd

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\31c1d11e
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          5.8MB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          b96e10e36a9ef9a31b805f9749e57ae3

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          bc39aa27931f264be23c4d603d5dbaf09ca8f37e

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          ba11437b4ceb6ce1493ec4428eac92404425a4da52cfbe1292e4b2b325c90d02

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          cb1c82e0ab8d89a0fe05ec5953fc0dbe16f38439155b6a585fdb2577c86dcfa55bfea0c88145123d9d3ab70ac7af09f6a5ee428e8aab0c1d184bbfdd836afda5

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          1.8MB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          7f84fef1e9da6502e7d41c0d4f326b75

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          0e718ac8f878f07526428fd44709f798f1808d7e

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          10b4e10a2ea87dd5cc06b2924cd8ff1cb7f90b89719017e95d9c746021f30fa1

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          7220f644065f4845a29c361557cd3ba5d97c8c1ceef8603308e85349920336885413e2238d7dd5e831dd0c6c1aec83bc45d4b966e32ad1f4e7168a0883520c1e

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Opera_installer_2404210300110376400.dll
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          4.6MB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          0415cb7be0361a74a039d5f31e72fa65

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          46ae154436c8c059ee75cbc6a18ccda96bb2021d

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          bb38a8806705980ee3e9181c099e8d5c425e6c9505a88e5af538ca6a48951798

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          f71c2b9e1559aa4eb2d72f852ef9807c781d4a7b96b8e0c2c53b895885319146bd43aa6e4223d43159f3d40bc60704206404dc034500e47fca0a94e53b60239e

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          14.6MB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          9eba9ca5f06b484cbbe41ed6fb4a8768

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          b52ea3b800254b0b1ae2f19e442fe98cc575eb18

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          5836b09135b1b8060226a6dd32b23a3985cbef5ca17b97102a851d8b8aa2c689

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          827f380f0d552b75be688c0de1bb6051c8d4cecf3784c6b396ce710b4c20b1b57c7eb16335cab93f451d7f69110df83f580dd562d1f26bbd2d7ca902e5c6ea74

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Tmp90A7.tmp
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          2KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          1420d30f964eac2c85b2ccfe968eebce

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          bdf9a6876578a3e38079c4f8cf5d6c79687ad750

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3gur1usa.nv3.ps1
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          60B

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\iandlfgwrhgfoy
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          936B

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          eb6aaf2980a557ca84f1ebc2e0f9385e

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          9632ce15bd38cb82bb89fc731bca791bb2dbe622

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          5076fe2c0c6569906a46bf2aa6546e28bce94aa294fc862b5270d1783a9cf9ec

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          fcbabd0961617ebb49a9545b589a6eafc79b6beac86621b91510fc11fcc7a850556c51633a992201956d3c186e0a61157243a355b3eb8d3dca9d4bb6602e64e0

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          2KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          256ecbd65e492f07dfb4f2a61a607eab

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          39dca7e160e48c7bb3768610de4f8ee9d27e94bb

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          a5d3f53d30bc31337622bacf7819069a5d6372339c5d5b2d353baf33e87c60d5

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          8c5e24136de48de272f44dd126cde128a2172206e97e519ba09357a056fa4b1fec1026557ee43a6e26c4835b5deeca0057f2460d228c31e8712b63c63804001e

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\u310.0.exe
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          301KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          5d835a5d56e1b106a3928a3f96f28c0a

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          76637a8a47e97b2eca53f849e0e95fc1a5683fa5

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          a676e2601f65bd27a7d0c7cc2cf9452ef9880a544c01d75692c2c211699b58fd

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          c5b2a3ce8afd27f6a95b29874643eb4dfd7da56550b2451fe16705865c10af6ddc3bb7c94aec5840ed4b1a5d8df630719128dbf1169b2e5c7e0e2e7998a9c6d5

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\u310.1.exe
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          4.6MB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          397926927bca55be4a77839b1c44de6e

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          e10f3434ef3021c399dbba047832f02b3c898dbd

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\25IEXNRPOH.exe
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          65KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          b889f64158636b7a72b87dfeb154a28c

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          556cee5727e48b8792c8443c7be974ef8c52c7f3

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          7aef1cd9b66b7eebe72207302861b32a05db5cbfe62f7f8609dbbe53016605d3

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          949dc0d9155ee97e181701e599df25a9870811241fe102db7b83c1dc7dec63e7769494dea03acd4073d7d08ec12585a5db0c6544c93276cf98532d442276c18b

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-259785868-298165991-4178590326-1000\76b53b3ec448f7ccdda2063b15d2bfc3_1037f2ac-7687-4b04-90ea-cc9b87b0e187
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          2KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          6c723c62d5695258648d163671386ead

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          e4c3c70e51cf8fbcc73df3b4d751a699a31fe38c

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          6f182019246094075df3c433f6bc462e3372d5ac06d060829969acc29d670337

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          0b52804f2f5de371a65ce11974b74c6115364f0af79a9e2ac14f95399248e01ce34f123a8915e03dcffe94db1b9f008a963a34d39abf8837c033788538b6182f

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          40B

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          2c075488d7128df0d76ffbf0cce846ed

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          1505c817a056f330b0a1469a33a78bf8d636b3c1

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          0d54a00529bf1a30336a1741b93b4259cde1c99a429c4a9ea438e6967802cafa

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          5639a31443bcc2e78aff6b7ee09316420a2c6c6bb6bcc47bd0b6051924b04d09b1711105be6e5fee93574b5bc5fb4364feaf784066c470267ed2abec870c7611

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          109KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          154c3f1334dd435f562672f2664fea6b

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          51dd25e2ba98b8546de163b8f26e2972a90c2c79

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          1.2MB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          f35b671fda2603ec30ace10946f11a90

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          059ad6b06559d4db581b1879e709f32f80850872

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          541KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          1fc4b9014855e9238a361046cfbf6d66

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          c17f18c8246026c9979ab595392a14fe65cc5e9f

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          f38c27ecbeed9721f0885d3b2f2f767d60a5d1c0a5c98433357f570987da3e50

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          2af234cac24ec4a508693d9affa7f759d4b29bb3c9ddffd9e6350959fd4da26501553399d2b02a8eeae8dace6bfe9b2ce50462ce3c6547497f5b0ea6ed226b12

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          304KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          cc90e3326d7b20a33f8037b9aab238e4

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          236d173a6ac462d85de4e866439634db3b9eeba3

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          bd73ee49a23901f9fb235f8a5b29adc72cc637ad4b62a9760c306900cb1678b7

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          b5d197a05a267bf66509b6d976924cd6f5963532a9f9f22d1763701d4fba3dfa971e0058388249409884bc29216fb33a51846562a5650f81d99ce14554861521

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Users\Admin\Desktop\Microsoft Edge.lnk
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          2KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          0dde61b35a32474b60b36f3029816036

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          b9d8f7a29ea49f8e0888ce3213ff89e0c6846b3b

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          61ca23c4b00c8dc112bdd10082637ce9d5b97cb4540de45733ad3ab70110dc25

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          87bbc0e9dc4dc4f5e1cdf7509df7471980e78263380b41d87a2625996ffaf2d1be3ba5c8fe5d78fa689c8ec34e8f9eb51628e95ab8c5b58e8bd8fe4a235b445e

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Users\Admin\Pictures\KBrTYnex0nOl2OOkpoas3TBm.exe
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          3.9MB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          ffee05ea98b1d51026a44fad0841a8a9

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          50a703329c7b9812c17a02b554cf406040079fec

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          4cb040696b9ffb14794955b0e56eed04fde0cae3a5ee748dd513ad42c411c823

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          626ddc18a906b74a231daa5bcc092a90708e0e3d42e4db645d59d19de7ef38a2d91a843f11dbc7873d379bfa14e87c5fc6d09a657e0b44abd24b9991cb971f86

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Users\Admin\Pictures\QQ4bpd9XhhhrawkTfJYq58R8.exe
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          5.1MB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          8ecb5b230655876d4c24e342a6acdc2f

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          810624e010d017251b5a4ffadecb81ee18108886

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          4f41fbfc112e53dacd16386302004b919ae919e53ad7281ec1fc8172c73b7c08

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          eb23c708e8bcec5fdadc635c3277a5c2e7b61d442835caff28455b2523ea55ba42cea488df72575f30887f71f2205e0b97000eca8f67956243fb997d03406048

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Users\Admin\Pictures\fNZKTo60dQtNCZXg7iUTamYx.exe
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          5.1MB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          be068d9c4e725feadb618335583deb9a

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          8567dae07031d0a84788e2c89f44d4794bf49719

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          1ab4d431d9bea8fa3bc6511f350a8624d5f5a556f6809f4e4283ac63ace1d4e8

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          55f9b2513fa59188ef28c835f680d53470b4d5100efa79ca8bb880f84b237473cb5e4ea0b02ca4c19845901134723a4ec3d238ed11643451ba4fb55c1f72efcd

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Users\Admin\Pictures\glv2gTHlzY7OGPA7YIH8klm9.exe
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          5.5MB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          9f8b8a866575e821310f6203c5bdc044

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          f39bbd5eb2f736acdf565d6b56e560a60334dd0e

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          277677de19193a2297c88689312d1a294edf4f81b3ff4ba8202e2cbb9c6fbeea

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          b8222b6c8ec092ccc352676d4bf8c90a4ecb558a8346ab2628a41071d0747e87cc0c805c5c4efaf922a5e7ff18ad78bfa59a9180670df881085f6fab3b67f209

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Users\Admin\Pictures\qDb1m0wjR9XRNT5FMOvtQwKc.exe
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          4.2MB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          12c1251ddacc8c6651573aaae2a36711

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          aa4a4fc95f24a847f33a0fcc22d318fe947929d0

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          a018166a731757f43374b0b24baecfbf31b85cf9de793b9d11b186acf887bf22

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          e8e9723b210254504ae06f77ed86ff5c7da0ac1ba5134cb2ab99cd42b06744cdf2379835d5e8cbd413da69b1184a0d6297d29dc8393794d8959c5a2dc94f0a69

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Users\Admin\Pictures\to0OhbVipQeOHcxQF3wskUdp.exe
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          445KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          ddbb9a4caa78db40bb47ee413252f12f

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          6153acfbb9773424f3d3ccfcca917c277b2500d5

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          f2c98424e2142ea86ef140dd1b0bdf1b3c7b8cc99ec6194c851ad2f0ed3b2e31

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          5afa0ee709e43f3445b9c9733ac8df92c04682d9b3e8b25441e5392cb17303c0c39e9c56c9d3bf27ea266815d571d659749dedc18af0506c987b056c6d9dbb60

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Users\Admin\Pictures\xucvv3dKyXk7JIhAPaYbZPDK.exe
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          7KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          5b423612b36cde7f2745455c5dd82577

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          0187c7c80743b44e9e0c193e993294e3b969cc3d

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Users\Public\Desktop\Google Chrome.lnk
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          2KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          1e68832793d8d777910c2d3e30804bb3

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          a6fc19ac7bd5c9283d4a8b324babec28278a738a

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          a1e76542c19dab576a4ae9e1411567710618a7a9a749eec2646ebb0cd42dd36f

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          8a2b12bcba75279fab4675fd1a1da5a6b0b1145eca1bd9536e920a2e9e92f6f6bcfded536ceaa1de54d9f31dce20f4695e5633c0344bb6e0e12d9fbd1724f9aa

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          2KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          3d086a433708053f9bf9523e1d87a4e8

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          19KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          2f079c0b438f761bfcf67d318b06b1d6

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          8fac988c38726b690b0ce79365dd698bfb3dbeb7

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          f93192a1a1b06fd1d08988006016f2f19404c73e41f0ebcd97a0010ff6c53a77

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          aa7b25e3f70dd53e07af8ede9d5e566b4b20336958463d8aa3a43cda426f27cb24674f61190a81e9155082f338cd79b97f677de37c0265c6793d0bda618f68e3

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          19KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          b95954f83c422204d4d7b2315b3c0e14

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          cf8f16d5e5253f8168e221e05cbb3272f01a8620

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          49b1f568702df9cb965575dcb07fdb68a00f255bea19298cfce0eb807f43e817

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          c34ef2df1b4b5aa5f383c1933e1c816339e97fa706d292f7125b32be4912badbd61e76d267362cf5304f70af209ecc703e0d1d8b51ba820b860b91115bbf3263

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Windows\System32\GroupPolicy\gpt.ini
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          127B

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          8ef9853d1881c5fe4d681bfb31282a01

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          a05609065520e4b4e553784c566430ad9736f19f

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • C:\Windows\System32\GroupPolicy\gpt.ini
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          127B

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          7cc972a3480ca0a4792dc3379a763572

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          f72eb4124d24f06678052706c542340422307317

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          02ad5d151250848f2cc4b650a351505aa58ac13c50da207cc06295c123ddf5e5

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          ff5f320356e59eaf8f2b7c5a2668541252221be2d9701006fcc64ce802e66eeaf6ecf316d925258eb12ee5b8b7df4f8da075e9524badc0024b55fae639d075b7

                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                        • memory/1584-170-0x0000000005410000-0x0000000005420000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          64KB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/1584-169-0x0000000073860000-0x0000000074010000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          7.7MB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/1584-167-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          328KB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/1636-24-0x0000000005100000-0x0000000005101000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          4KB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/1636-750-0x00000000004D0000-0x0000000000970000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          4.6MB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/1636-114-0x00000000004D0000-0x0000000000970000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          4.6MB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/1636-21-0x0000000005140000-0x0000000005141000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          4KB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/1636-20-0x00000000004D0000-0x0000000000970000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          4.6MB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/1636-28-0x0000000005190000-0x0000000005191000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          4KB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/1636-29-0x0000000005180000-0x0000000005181000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          4KB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/1636-23-0x0000000005170000-0x0000000005171000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          4KB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/1636-412-0x00000000004D0000-0x0000000000970000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          4.6MB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/1636-22-0x0000000005130000-0x0000000005131000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          4KB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/1636-25-0x0000000005120000-0x0000000005121000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          4KB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/1636-26-0x0000000005110000-0x0000000005111000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          4KB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/1636-27-0x0000000005160000-0x0000000005161000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          4KB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/1636-19-0x00000000004D0000-0x0000000000970000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          4.6MB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/1636-562-0x00000000004D0000-0x0000000000970000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          4.6MB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/1636-192-0x00000000004D0000-0x0000000000970000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          4.6MB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/1636-1107-0x00000000004D0000-0x0000000000970000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          4.6MB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/1636-923-0x00000000004D0000-0x0000000000970000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          4.6MB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/1636-87-0x00000000004D0000-0x0000000000970000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          4.6MB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/2484-92-0x00000000025F0000-0x00000000045F0000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          32.0MB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/2484-82-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          64KB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/2484-81-0x0000000073860000-0x0000000074010000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          7.7MB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/2484-80-0x0000000000070000-0x000000000022C000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          1.7MB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/2484-91-0x0000000073860000-0x0000000074010000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          7.7MB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/2484-250-0x00000000025F0000-0x00000000045F0000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          32.0MB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/2784-156-0x0000000006C70000-0x0000000006C82000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          72KB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/2784-145-0x00000000071E0000-0x00000000077F8000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          6.1MB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/2784-120-0x0000000005750000-0x0000000005760000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          64KB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/2784-164-0x0000000006E40000-0x0000000006E8C000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          304KB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/2784-159-0x0000000006CD0000-0x0000000006D0C000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          240KB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/2784-118-0x00000000055A0000-0x0000000005632000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          584KB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/2784-155-0x0000000006D30000-0x0000000006E3A000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          1.0MB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/2784-121-0x0000000005520000-0x000000000552A000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          40KB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/2784-142-0x0000000006960000-0x000000000697E000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          120KB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/2784-116-0x0000000073860000-0x0000000074010000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          7.7MB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/2784-140-0x0000000006180000-0x00000000061F6000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          472KB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/2784-115-0x0000000000C10000-0x0000000000C62000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          328KB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/2784-117-0x0000000005B50000-0x00000000060F4000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          5.6MB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/3188-168-0x0000000000AD0000-0x0000000000B4D000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          500KB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/3188-166-0x0000000000AD0000-0x0000000000B4D000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          500KB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/3232-193-0x000000001E5B0000-0x000000001E6BA000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          1.0MB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/3232-123-0x0000000000A90000-0x0000000000B1C000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          560KB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/3232-122-0x00007FFC2A970000-0x00007FFC2B431000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          10.8MB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/3232-141-0x0000000002C00000-0x0000000002C10000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          64KB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/3232-194-0x000000001C580000-0x000000001C592000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          72KB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/3232-195-0x000000001C7F0000-0x000000001C82C000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          240KB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/3232-221-0x000000001EA40000-0x000000001EAB6000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          472KB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/3232-222-0x000000001C7B0000-0x000000001C7CE000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          120KB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/3272-928-0x0000000000400000-0x0000000000408000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          32KB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/3280-94-0x0000000005240000-0x0000000005250000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          64KB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/3280-93-0x0000000073860000-0x0000000074010000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          7.7MB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/3280-85-0x0000000000400000-0x0000000000592000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          1.6MB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/3568-3-0x0000000005240000-0x0000000005241000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          4KB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/3568-2-0x00000000004E0000-0x0000000000980000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          4.6MB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/3568-7-0x0000000005210000-0x0000000005211000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          4KB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/3568-11-0x0000000005290000-0x0000000005291000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          4KB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/3568-0-0x00000000004E0000-0x0000000000980000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          4.6MB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/3568-10-0x00000000052A0000-0x00000000052A1000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          4KB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/3568-9-0x0000000005270000-0x0000000005271000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          4KB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/3568-1-0x0000000077C64000-0x0000000077C66000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          8KB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/3568-16-0x00000000004E0000-0x0000000000980000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          4.6MB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/3568-6-0x0000000005280000-0x0000000005281000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          4KB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/3568-8-0x0000000005220000-0x0000000005221000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          4KB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/3568-5-0x0000000005230000-0x0000000005231000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          4KB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/3568-4-0x0000000005250000-0x0000000005251000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          4KB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/3720-1137-0x00007FF792E60000-0x00007FF793969000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          11.0MB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/3860-1068-0x0000000000400000-0x0000000001DF9000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          26.0MB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/3948-318-0x0000000000400000-0x000000000063B000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          2.2MB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/3948-797-0x0000000061E00000-0x0000000061EF3000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          972KB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/3948-315-0x0000000000400000-0x000000000063B000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          2.2MB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/4516-1069-0x0000000000400000-0x0000000001DF9000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          26.0MB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/4532-883-0x0000000000400000-0x0000000001A3A000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          22.2MB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/4996-59-0x0000000000400000-0x000000000044C000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          304KB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/4996-56-0x0000000000400000-0x000000000044C000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          304KB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/4996-53-0x0000000000400000-0x000000000044C000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          304KB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/4996-58-0x0000000001040000-0x0000000001041000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          4KB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/5008-50-0x0000000073870000-0x0000000074020000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          7.7MB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/5008-49-0x0000000000170000-0x00000000001C2000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          328KB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/5008-57-0x00000000025A0000-0x00000000045A0000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          32.0MB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/5008-60-0x0000000073870000-0x0000000074020000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          7.7MB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/5196-917-0x0000000000400000-0x0000000001DF9000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          26.0MB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/5196-1075-0x0000000000400000-0x0000000001DF9000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          26.0MB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/5532-806-0x0000000000400000-0x0000000001DF9000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          26.0MB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/5532-641-0x0000000000400000-0x0000000001DF9000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          26.0MB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/5568-404-0x0000000000400000-0x0000000000408000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          32KB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/5712-713-0x0000000000400000-0x0000000001DF9000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          26.0MB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/5712-638-0x0000000000400000-0x0000000001DF9000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          26.0MB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/5816-410-0x0000000000400000-0x000000000041C000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          112KB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/6072-731-0x0000000000400000-0x0000000001DF9000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          26.0MB

                                                                                                                                                                                                          Download

                                                                                                                                                                                                        • memory/6072-657-0x0000000000400000-0x0000000001DF9000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          26.0MB

                                                                                                                                                                                                          Download